Does NIS2 Apply to My Business? A Plain-English Guide for Irish SMEs
What Is NIS2 and Why Is Everyone Talking About It?
If you’ve been hearing the term NIS2 lately and wondering whether it’s something your business needs to worry about, you’re not alone. Over the past year it has become one of the most-asked questions we get from Irish business owners. The short answer is: it depends on your size and sector — but even if you’re not directly in scope, there are very good reasons to take it seriously now.
NIS2 — the Network and Information Security Directive 2 — is the EU’s updated framework for cybersecurity regulation across member states. It replaces the original NIS Directive from 2016 and significantly expands both the number of organisations covered and the obligations placed on them. The deadline for EU member states to transpose NIS2 into national law passed in October 2024. Ireland is still working through that process — a National Cybersecurity Bill is expected in 2025 or 2026 — but the direction of travel is clear and the requirements are already known.
Who Does NIS2 Directly Apply To?
NIS2 divides organisations into two tiers: essential entities and important entities. The directive applies directly to medium and large organisations — generally those with 50 or more employees or annual turnover above €10 million — operating in specific sectors.
Essential entity sectors include:
- Energy (electricity, gas, oil, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health — hospitals, labs, pharmaceutical manufacturers
- Drinking water and wastewater
- Digital infrastructure — data centres, cloud providers, internet exchange points
- ICT service management — managed service providers
- Public administration
- Space
Important entity sectors include manufacturing, postal and courier services, waste management, chemicals, food production, and digital providers such as online marketplaces and search engines.
If your business is a small firm outside these sectors — say, a 12-person accountancy practice, a construction company, or a retail business — you are not directly in scope for NIS2 compliance obligations.
Why Irish SMEs Should Pay Attention Anyway
Here is where it gets important for businesses of every size.
1. Supply chain obligations reach down to you. NIS2 requires essential and important entities to assess and manage the cybersecurity risk in their supply chains. That means if you supply services — IT, accounting, legal, logistics, facilities management — to a covered entity, they are required to evaluate your security posture. If you can’t demonstrate adequate controls, you risk losing the contract. Procurement questionnaires asking about MFA, backups, incident response plans, and security training are already becoming standard practice.
2. NIS2 is setting the market standard. Regulated industries and larger businesses will increasingly expect their suppliers and partners to meet a baseline security standard. The framework NIS2 establishes around risk management, access control, backup, and incident response is simply good practice for any business. Waiting until it becomes a formal requirement before acting is the most expensive approach.
3. Ireland’s National Cybersecurity Bill is coming. When Ireland transposes NIS2 — expected soon — the legal landscape for Irish businesses will shift. Staying ahead of that means you won’t be scrambling to meet requirements when clients, insurers, or regulators start asking questions.
What NIS2 Actually Requires
For organisations directly in scope, NIS2 mandates a risk-based approach to cybersecurity across ten core areas. Even for SMEs not formally in scope, these requirements represent the clearest available statement of what modern cybersecurity looks like in practice.
- Risk analysis and information system security policies — a documented understanding of your risks and how you manage them
- Incident handling — a defined process for detecting, reporting, and responding to security incidents
- Business continuity — backup management, disaster recovery, and crisis management procedures
- Supply chain security — assessing the security practices of your vendors and partners
- Cybersecurity hygiene and training — staff awareness and basic security practices across the organisation
- Human resources security, access control, and asset management — who has access to what, and why
- Multi-factor authentication and secure communication — MFA enforced across all key systems
- Cryptography and encryption — protection of data in transit and at rest
- Effectiveness of cybersecurity risk management measures — policies and procedures for checking that your controls actually work, including regular testing
- Security in network and information systems acquisition — security built into how you buy and deploy technology
Read that list and you’ll notice something important: none of these are exotic or enterprise-only requirements. They are the building blocks of a well-run security posture for any business, regardless of size.
Practical Steps Any Irish SME Can Take Right Now
You don’t need to wait for Ireland to pass its cybersecurity bill to start building a defensible security posture. Here are the concrete steps that address the spirit of NIS2 and reduce your real-world risk at the same time.
- Enable MFA everywhere — Microsoft 365, email, any cloud application with access to business data. This single control blocks the majority of credential-based attacks.
- Test your backups — Having a backup is not the same as having a working restore. Run a test restore quarterly and document it. Insurers and clients will ask.
- Document your risks — A simple one-page risk register covering your key systems, data, and third-party dependencies is more valuable than most businesses realise. It’s also the starting point for any compliance conversation.
- Review access rights — Who in your business has admin access? Former employees? Contractors? Conduct an access audit and remove anything that shouldn’t be there.
- Deploy endpoint detection, not just antivirus — Legacy, signature-based antivirus on its own doesn’t catch modern threats. Endpoint detection and response (EDR) tools give you real visibility into what’s happening on your devices.
- Run a staff security awareness session — Human error remains the leading cause of security incidents. A 90-minute annual session covering phishing, password hygiene, and incident reporting pays for itself quickly.
- Know your supply chain — Make a list of every third-party service that has access to your data or systems. Review their security practices. Ask the right questions.
Where to Start: The Framework Approach
The challenge most SME owners face isn’t motivation — it’s knowing where to start and what ‘good’ looks like. That’s why we put together Secured: The Cybersecurity Survival Guide for Protecting Your Business, a practical e-book written specifically for Irish SME owners and business leaders. It walks through the same framework-based approach underpinning NIS2, in plain language, without the legal jargon.
NIS2 compliance isn’t something that happens overnight. But the businesses that will handle it best — and avoid the scramble when Ireland’s legislation lands — are the ones treating security as a structured habit rather than a once-a-year checkbox.
If you’re unsure where your business currently stands, or you want a clear picture of what gaps you have before NIS2 becomes a procurement or regulatory issue, we offer a free 30-minute Security Framework Review. No sales pitch — just an honest assessment of where you are and a prioritised list of what to tackle first.
Get in touch with the team at host-it.ie to book your free Security Framework Review — or download the Secured e-book and start working through the framework at your own pace.