Complete Compliance Guide

NIS2 Requirements for Irish Organisations

Everything Irish CIOs, CISOs, and security teams need to know about NIS2 compliance, from technical requirements to reporting timelines.

What is NIS2?

The NIS2 Directive (EU Directive 2022/2555) is the European Union's updated framework for cybersecurity across essential and important entities. It replaces the original NIS Directive and significantly expands the scope of organisations covered, introduces stricter security requirements, and establishes harmonised penalties across member states.

For Irish organisations, NIS2 introduces management accountability for cybersecurity, with administrative fines of up to €10 million or 2% of global turnover for essential entities, and up to €7 million or 1.4% for important entities.

Technical Requirements (Article 21)

NIS2 Article 21 mandates "appropriate and proportionate" security measures across these areas:

Risk Analysis & Policies: Continuous risk assessment and security policy frameworks

Incident Handling: Detection, response, and recovery procedures

Business Continuity: Backup management, disaster recovery, crisis management

Supply Chain Security: Third-party risk assessment and access controls

Network Security: Acquisition, development, and maintenance of secure systems

Vulnerability Management: Disclosure and handling of security vulnerabilities

Cyber Hygiene: Training, awareness, and basic security practices

Cryptography: Policies and procedures for encryption use

Access Control: Human resources security and asset management

Authentication: Multi-factor authentication and secure communications

Incident Reporting Timelines

NIS2 establishes strict incident reporting requirements. Failure to report within these timelines may result in additional penalties.

24 Hours (Early Warning): Initial notification to the competent authority of a significant incident

72 Hours (Incident Notification): Updated assessment including severity and impact details

1 Month (Final Report): Comprehensive report with root cause and remediation measures

What Auditors Will Ask For

Based on NIS2 requirements, auditors and regulators will expect documentation and evidence of:

1. Complete asset inventory with continuous updates
2. Vulnerability scan results and remediation timelines
3. Centralised log archives with defined retention periods
4. File integrity monitoring records
5. Incident response procedures with test results
6. Supplier access logs and segmentation evidence
7. Business continuity and disaster recovery test records
8. Security awareness training completion records
9. Risk assessment documentation and treatment plans
10. Evidence of management oversight and accountability
