Understanding the NIS2 Directive: Strengthening Cybersecurity Across the EU

What is NIS2?

NIS2 (Network and Information Security Directive) is part of the EU’s broader strategy to bolster cybersecurity across critical sectors such as financial services, healthcare, energy, transport, and digital infrastructure. The goal is to improve resilience against cyber threats by enforcing stronger risk management practices and response capabilities.

Key changes introduced by NIS2 include:

  • Expanded scope: It now covers more sectors, including digital service providers like cloud computing, B2B ICT services, and public administration. Sectors are divided into "high criticality" and "critical" based on their importance to society.
  • Stricter security obligations: Entities must adopt robust cybersecurity risk management practices, including regular vulnerability assessments and incident response plans.
  • Incident reporting: Organisations are required to report significant cybersecurity incidents to national authorities within 24 hours of detection and provide a final report within one month.
  • Governance: The board of management of "essential" and "important" entities is responsible for cybersecurity, and can be held personally liable for breaches.
  • Penalties: Non-compliance can result in severe penalties. Entities can be fined up to €10 million or 2% of global turnover, whichever is higher.

Key Dates to Know

  • January 2023: NIS2 entered into force across the EU.
  • October 2024: Deadline for EU Member States, including Ireland, to transpose NIS2 into national law.
  • October 2024 onwards: Entities must be fully compliant with the new rules.

What Does This Mean for Businesses in Ireland?

Ireland is currently transposing NIS2 into national law through the National Cyber Security Bill, which will formalise the role of the National Cyber Security Centre (NCSC) as the lead authority for sectors like public administration, while regulators like the Central Bank of Ireland will oversee compliance in financial services.

Businesses operating in essential and important sectors must prepare by implementing:

  • Comprehensive risk management frameworks,
  • Regular cybersecurity training for staff,
  • Enhanced incident detection and reporting mechanisms.

Learn More About NIS2

To explore NIS2 in more detail, including the full scope of obligations and compliance requirements, visit the National Cyber Security Centre's official NIS2 page.

By proactively preparing for NIS2, businesses in Ireland can strengthen their cybersecurity resilience and mitigate the risks of cyber incidents, ensuring compliance with this critical regulation.

At Savvi Recruitment Consultants, we work hard to make sure every placement is successful for both employer and employee. If you're ready for some fresh thinking and new ideas, we might be a good fit. We offer executive search, permanent recruitment, contract recruitment, interim recruitment, and recruitment process outsourcing (RPO) services. To discuss how we work and how we can help you, get in touch today.