NIS2 in Ireland: Latest Developments
The second Network and Information Security Directive (EU) 2022/2555 (NIS2) took effect on 17 October 2024 across the EU. It represents a significant step forward in the EU's efforts to strengthen the overall level of cybersecurity across Member States. It introduces several new obligations for in-scope entities and can be broken down into three pillars: (1) cybersecurity risk management; (2) incident reporting and handling; and (3) supervision and enforcement. For more general information about NIS2, see here.
The National Cyber Security Centre of Ireland (NCSC) will be Ireland's lead competent authority to supervise and enforce NIS2 (building on its role under the NIS Directive). Despite delays with the introduction of legislation transposing NIS2 into Irish law (see here), the NCSC has sought to be proactive in preparing for its imminent and expanded role under NIS2, as recently demonstrated by the following developments:
- Draft RMMs Guidance: The NCSC published draft guidance setting out detailed Risk Management Measures (RMMs) to help organisations adhere to their obligations under NIS2. The draft RMM guidance is most welcome for in-scope entities as a readiness tool, particularly those outside the scope of Commission Implementing Regulation 2024/2690 (CIR), which applies to entities in the digital infrastructure and digital services sectors.
- CyFun: The NCSC also announced its participation as a scheme co-owner in the Cyber Fundamentals Framework (CyFun). CyFun is a voluntary framework which will further support in-scope entities to implement NIS2 requirements (and eventually achieve certification, if desired). CyFun will help in-scope entities assess their cybersecurity risk through a structured assessment framework to demonstrate cybersecurity maturity.
1. RMMs Guidance: substance to NIS2's cybersecurity risk management measures
The draft RMM guidance provides substance to the cybersecurity risk management measures prescribed by Articles 3, 20, 21 and 23 NIS2. It aligns with the CIR, laying out the minimum, baseline cybersecurity measures in-scope entities must implement (and maintain) for compliance with Article 21 NIS2.
Under Article 21(1) NIS2, organisations must implement appropriate and proportionate technical, organisational and operational measures to manage the risks posed to the systems underlying their services on an 'all-hazards' basis to protect their network and information systems and the physical environment of those systems. This includes, at a minimum, ten measures listed in Article 21(2) NIS2 (see our previous article here). Under Article 21(3) NIS2, each Member State must determine the RMMs applicable to in-scope entities under national law, provided they meet the requirements of Article 21(2) NIS2.
According to the NCSC, there are fifteen (draft) RMMs (listed below), each of which is divided into two categories – foundational actions and supporting actions – identifying the measures in-scope entities must implement:
The fifteen draft RMMs are:
1. Registration
2. Governance - management/board commitment and accountability
3. Network and information security policy
4. Continuous improvement - assess effectiveness and improve cybersecurity risk management measures
5. Basic cyber hygiene practices and security training
6. Asset management
7. Human resources security
8. Access controls
9. Environmental and physical security
10. Cryptography, encryption and authentication
11. Supply chain policy
12. Security in network and information systems acquisition, development and maintenance
13. Incident handling
14. Incident reporting
15. Business continuity and crisis management

| Foundational Actions (minimum, baseline measures) | Supporting Actions (additional measures, if necessary) |
|---|---|
| The controls detailed for each RMM that are the minimum, baseline measures to meet NIS2 cybersecurity risk management requirements. | The additional controls detailed for each RMM that may be required, depending on the specific risks identified, to meet NIS2 cybersecurity risk management requirements. |
In terms of in-scope entities benchmarking the RMMs, the guidance sets out a step plan that can be followed to assess and mitigate cybersecurity risk management measures. These steps are:
- identifying risks relevant to the organisation;
- assessing the likelihood and impact of those risks;
- implementing measures to mitigate against the risks identified;
- continuously monitoring and reviewing risk controls and their efficacy; and
- tracking whether the organisation is adhering to risk management policies.
All in-scope entities are expected to implement the foundational actions (as detailed in the guidance) at a minimum. It is at the discretion of each organisation to determine whether supporting actions are also required, considering factors such as:
- the exposure to risks;
- the size of the organisation;
- the likelihood and severity of incidents;
- the societal and economic impacts; and
- the cost of implementing measures.
The draft RMM guidance does not prescribe how organisations must implement the RMMs (or NIS2), allowing organisations to take a proportionate, risk-based approach according to their risk assessments.
2. CyFun: NIS2 readiness tool
To address how organisations can implement NIS2 cybersecurity risk management requirements, the NCSC announced its participation, as a joint co-owner, in CyFun – a voluntary framework developed by the NCSC's Belgian counterpart (the Centre for Cybersecurity, Belgium), which can be used as a tool for in-scope entities to assess their cybersecurity risk and implement NIS2 requirements. Adhering to and applying CyFun is not a mechanism to demonstrate NIS2 compliance; however, it can be used to support evidence of cybersecurity maturity.
CyFun aligns with the international standard 'NIST Cybersecurity Framework v2.0'. It is a tiered framework (small, basic, important, and essential) that aligns with NIS2 and will help organisations understand the measures they need to adopt based on their level of risk.
While CyFun is a voluntary framework, the NCSC highly recommends that in-scope entities use it because it offers a practical and effective way to benchmark NIS2 requirements (including compliance) based on the risks identified to network and information systems (including the operational resilience of such systems).
Ireland's Certification Scheme
The NCSC also confirmed that CyFun will form the basis of Ireland's national cybersecurity certification scheme (once operational, pending NIS2's transposition into Irish law). Although the full details have yet to be confirmed, this national certification will enable in-scope entities to demonstrate compliance with NIS2, including their cybersecurity maturity, in a comprehensive and externally verified manner.
The NCSC sees the certification scheme as a tool for clarity, assurance and trust across sectors and in-scope entities. It will also give third parties confidence that an organisation is serious about cybersecurity. The NCSC plans to develop the national certification scheme over the next 18-24 months.
Next Steps
The draft RMM guidance and CyFun are interim and welcome developments for in-scope entities, particularly given Ireland's late transposition of NIS2. These measures should be utilised by in-scope entities to benchmark and implement NIS2 readiness. The NCSC has confirmed that the draft RMM guidance will be updated over time (as appropriate) and its content finalised once NIS2 is transposed into Irish law – the timing of which is not confirmed but is expected to be late 2025 (or early 2026). The NCSC appears eager to support in-scope entities and is ready for NIS2 to 'go live' in Ireland. While not open for public consultation, the NCSC welcomes comments on the draft RMM guidance.
Status of NIS2 transposing legislation in Ireland
At the time of this publication, NIS2 is legally binding in the European Union (since 17 October 2024). However, NIS2 has yet to be transposed into Irish law, and Ireland is subject to infringement proceedings brought by the European Commission for late transposition. The General Scheme of the National Cyber Security Bill is the proposed draft legislation to transpose NIS2 into Irish law. Please visit our website for relevant updates regarding the transposition of NIS2.
Contributed by: Caroline Keaveny
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.