top of page

What Is NIS2 and Does Your Irish Business Need to Comply?

  • Jul 7
  • 4 min read

The NIS2 Directive, the EU's updated Network and Information Security regulation, came into force across member states in October 2024 and significantly expands the scope of mandatory cyber security obligations for businesses operating in Ireland and across the EU. Many Irish businesses that were not affected by the original NIS Directive now fall within scope of NIS2, and the compliance requirements are materially more demanding than anything previously required outside of regulated sectors.


Person with glasses works on a laptop in a green-lit server room, focused amid glowing cables and equipment.

What NIS2 Replaces and Why It Matters More

The original NIS Directive, transposed into Irish law in 2018, applied to a relatively narrow set of critical infrastructure operators, energy, transport, health, water, and digital infrastructure providers above certain thresholds. NIS2 substantially broadens this scope and introduces stricter requirements around risk management, incident reporting, and supply chain security.


The expansion reflects how the threat landscape has evolved. Cyber attacks on supply chains, mid-sized businesses, and public sector bodies have demonstrated that the original scope was too narrow. NIS2 addresses this by bringing a much wider range of sectors and organisations into the regulatory framework.


Which Irish Businesses Are Affected

NIS2 applies to organisations in a wide range of sectors that meet certain size thresholds. Essential entities, which face stricter requirements, include operators in energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, and public administration.


Important entities, subject to slightly lighter requirements but still in scope, include postal and courier services, waste management, chemicals, food production, manufacturing, and various digital service providers.


The general threshold is organisations with 50 or more employees or annual turnover above €10 million, though some sectors have no size threshold. Organisations in scope need to assess their classification and understand their obligations under the Irish transposition of NIS2.


What NIS2 Requires

NIS2 mandates that in-scope organisations implement appropriate and proportionate technical, operational, and organisational measures to manage cyber security risk. Specifically, this includes risk analysis and information system security policies, incident handling procedures, business continuity and crisis management, supply chain security, policies on the use of cryptography, human resources security and access control policies, and the use of multi-factor authentication.


Critically, NIS2 introduces personal liability for senior management. Directors and C-suite executives can be held personally accountable for compliance failures, and can face temporary bans from management roles in serious cases. This is a significant escalation from previous frameworks and changes how boards should engage with cyber security governance.


The Incident Reporting Requirements

NIS2 introduces a tiered incident notification requirement. A significant incident must be reported to the relevant national authority within 24 hours of becoming aware of it, followed by a more detailed notification within 72 hours, and a full report within one month.


Meeting the 24-hour early warning requirement demands that organisations have incident detection capability that identifies significant incidents quickly, and an established process for escalating and reporting them. Businesses without adequate monitoring or incident response procedures will struggle to meet this timeline.


How Savenet Supports NIS2 Compliance

Many of the technical controls required under NIS2 align closely with the security baseline Savenet implements for all managed IT clients: MFA enforcement, endpoint detection and response, vulnerability management, backup and disaster recovery, and incident detection and response capability.


For clients pursuing formal compliance, Savenet can support the full NIS2 readiness assessment, gap analysis, technical control implementation, documentation, and ongoing compliance maintenance.


What is the NIS2 Directive?

NIS2 is the EU's updated Network and Information Security Directive, which came into force across member states in October 2024. It significantly expands the scope of mandatory cyber security obligations beyond the original NIS Directive, bringing a much wider range of sectors and organisations into the regulatory framework and introducing stricter requirements around risk management, incident reporting, and supply chain security.

Does NIS2 apply to my business?

NIS2 applies to organisations in a broad range of sectors that meet certain size thresholds. The general threshold is organisations with 50 or more employees or annual turnover above 10 million euro, though some sectors have no size threshold. Sectors covered include energy, transport, banking, health, digital infrastructure, postal services, waste management, food production, manufacturing, and others. If you are unsure whether your business falls within scope, a compliance assessment is the fastest way to establish your position.

What does NIS2 require businesses to implement?

NIS2 requires in-scope organisations to implement appropriate technical, operational, and organisational measures to manage cyber security risk. This includes risk analysis and information system security policies, incident handling procedures, business continuity and crisis management, supply chain security measures, access control and MFA, encryption policies, and human resources security measures.

What are the penalties for non-compliance with NIS2?

NIS2 introduces significant financial penalties for non-compliance. Essential entities can face fines of up to 10 million euro or 2% of global annual turnover, whichever is higher. Important entities face fines of up to 7 million euro or 1.4% of global annual turnover. Importantly, NIS2 also introduces personal liability for senior management, meaning directors and executives can be held individually accountable for compliance failures.

What is the difference between essential and important entities under NIS2?

Essential entities are organisations in sectors considered most critical to society and the economy, including energy, transport, banking, health, and digital infrastructure. They face stricter requirements and higher penalties. Important entities are organisations in sectors considered significant but less critical, including postal services, waste management, food production, and certain manufacturers. Both categories have meaningful obligations, but essential entities are subject to more intensive supervision.

How does NIS2 relate to GDPR?

NIS2 and GDPR are separate but complementary regulatory frameworks. GDPR governs the protection of personal data, while NIS2 governs the security of network and information systems more broadly. Many of the technical controls required under NIS2 overlap with the security measures that also support GDPR compliance, so organisations addressing one framework will often make progress on the other simultaneously.

How can Savenet help with NIS2 compliance?

Many of the technical controls required under NIS2 align directly with the security baseline Savenet implements for all managed IT clients, including MFA enforcement, endpoint detection and response, vulnerability management, backup and disaster recovery, and incident detection and response capability. For clients pursuing formal NIS2 compliance, Savenet can support the full readiness assessment, gap analysis, control implementation, documentation, and ongoing compliance maintenance.

Not sure if your business is in scope for NIS2 or what it requires?

Book a free IT review and talk to our team

bottom of page