Legal expert Ricky Kelly from RDJ explains the current cyber regulatory landscape and what businesses can do to stay up to date.
The EU's cybersecurity rules are evolving fast, and Irish organisations need to understand how these changes will affect them, sooner rather than later.
The EU has introduced several major cybersecurity laws in recent years aimed at strengthening the EU's collective cyber resilience, improving incident response and setting common standards across member states.
The NIS2 Directive (EU) 2022/2555 is a central pillar of this framework, sitting alongside the Cyber Resilience Act (mandating security by design for digital products), the EU Cybersecurity Act (establishing an ICT certification framework), and GDPR (covering data protection and breach notification).
NIS2 expands the scope of the original NIS Directive to cover more sectors, with stricter supervisory and enforcement measures. It targets operational resilience and incident response capabilities for critical infrastructure and digital service providers.
What's different about NIS2?
At the heart of NIS2 is a shift to legally binding obligations. In Ireland, the directive is being transposed through the National Cyber Security Bill, currently at drafting stage. Once enacted, it will give the National Cyber Security Centre (NCSC) new statutory powers, including the ability to proactively scan organisations' systems for vulnerabilities and to direct them to take corrective action.
To support this, the NCSC has outlined 13 core risk management measures (RMMs) that entities must implement. These include board-level accountability, access controls, employee training, patch management, supply chain security, and more. The RMMs are aligned with international standards such as ISO/IEC 27001 and the NIST Cybersecurity Framework.
NIS2 goes a step further, requiring that each organisation not only implements these measures but can also demonstrate and document their effectiveness during audits or investigations.
The expectations are broad, but the principle is simple: organisations must show that they are actively and consistently managing cybersecurity risks, in a way that is proportionate to their size, sector and threat landscape.
Who is impacted?
NIS2 applies to two main categories: 'essential entities' and 'important entities'.
'Essential entities' operate in sectors such as energy, healthcare, banking, digital infrastructure, water and public administration. 'Important entities' include sectors such as food production, manufacturing, postal services, waste management, chemicals and certain digital providers.
Size is not the only factor. NIS2 also applies to any organisation, regardless of size, whose disruption could seriously impact public health, safety or national security. This means that even smaller businesses may be within scope if they provide critical goods or services.
Organisations must assess whether they fall under either category and, if so, begin preparing to meet the new obligations. This includes businesses headquartered outside the EU but offering services within the Union.
What will this look like in practice?
Consider a mid-sized logistics business (50-249 employees or more than €10m revenue) based in Ireland whose systems are hit with ransomware. As an 'important entity', the business must, in addition to its obligations under data protection law, now also comply with NIS2: notify the NCSC within 24 hours of becoming aware of the incident, provide follow-up reports as the situation develops, and submit a full final report within a month detailing the incident's severity and impact, the type of threat or root cause, the mitigation measures taken and any cross-border impact.
Similarly, an IT managed services provider, or a business involved in the wholesale production and processing of food, with more than 50 employees will come within the definition of an 'important entity' and be subject to the same rules.
This process isn't optional. It's a legal obligation, and the NCSC will have authority to investigate, request documentation and enforce penalties where appropriate.
The bar for compliance will be tailored to each organisation's size, sector and threat exposure. But every business within scope will be expected to put clear structures in place, backed by written policies, training records, technical safeguards and internal accountability.
What's at stake?
The potential costs for non-compliance are substantial. NIS2 allows for financial penalties of up to €10m or 2pc of global annual turnover for 'essential entities', and €7m or 1.4pc for 'important entities'.
Reputational risks are harder to quantify and potentially longer lasting. Consequences include public disclosure of non-compliance, which can damage an organisation's reputation; suspension of certifications or authorisations in severe cases; and personal liability, where senior management can be held accountable for failures in governance or oversight.
These consequences reinforce the message that cybersecurity can no longer be seen as a back-office issue; it is now a board-level priority.
Cyber fundamentals framework
To help Irish businesses prepare, the NCSC has launched Cyber Fundamentals (CyFun), a practical framework that aligns with NIS2's core principles. CyFun offers a step-by-step approach for assessing your current cybersecurity posture and developing an implementation roadmap. While version 2.0 of the framework is due this quarter, aligned with the latest international standards (such as NIST 2.0), the current version already provides a solid foundation for organisations starting the process.
For businesses without in-house cybersecurity teams, CyFun will be particularly valuable. It provides practical guidance and templates that can help structure policies, assign responsibilities and prepare for audit or inspection.
The message for Irish organisations
NIS2 marks a step change in how cybersecurity is regulated in Europe. In Ireland, the combination of a new statutory NCSC, clearer national powers and the structured guidance of CyFun means the legal and operational expectations are now explicit.
Every organisation should consider whether its services are in scope and, if so, act now. Governance, incident response, proactive scanning and continuous improvement are no longer optional. The cost of falling short will be measured not just monetarily, but also in reputation and trust.
Originally published by Silicon Republic
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.