Ireland
(a) What is the NIS2 implementation status?
The deadline for implementing Directive 2022/2555 (NIS2), set for 17 October 2024, was not met. The first draft of the National Cyber Security Bill 2024 (the Bill) transposing NIS2 in Ireland was published in August 2024 (for the draft Heads of Bill, see here) but has not been finalised yet. The Bill is currently at an advanced stage and was included in the Irish government’s ‘Government Legislation Programme, Summer 2025’ (see here) as legislation considered a “priority” for publication in the Summer session. The Bill was also included in the Irish government’s ‘Government Legislation Programme, Autumn 2025’ (see here), again as a “priority” for publication. The Bill is still undergoing the pre-legislative scrutiny phase in Ireland and, as such, proposed amendments may still be put forward. Recently, the Minister for Justice, Home Affairs and Migration, in a Dáil Éireann debate (see here), stated that his officials had engaged with a Joint Oireachtas Committee on Justice, Home Affairs, and Migration on the drafting of the Bill and are currently awaiting the Committee’s decision on how they wish to proceed.
(b) What is the envisaged NIS2 implementation timeline?
Since the Bill is still in the process of being drafted, it is not yet possible to specify an implementation date. However, it is expected that the Bill will be approved during the course of early 2026. In the meantime, there is no obligation for entities to register under NIS2 until the Bill is passed and new registration dates are announced. The registration and reporting portals will remain inactive until NIS2 is fully transposed. After the Bill is implemented, both the NIS2 registration portal and the NIS2 incident reporting portal will be accessible. Meanwhile, the predecessor to NIS2 (NIS1) remains in effect and continues to apply to the Operators of Essential Services (OESs) already designated within the State.
(c) What does the NIS2 mean for other national cybersecurity legislation?
NIS2 is expected to largely bolster the cybersecurity capabilities and resilience of the entities covered, but its full effects on national cybersecurity legislation remain unclear because the updated cybersecurity legislation is still to be finalised.
Several key components, either already established or nearing completion, will be included in the national legislation, such as:
- The creation of a national competent authority (NCA) forum and the appointment of competent authorities for different sectors;
- Comprehensive guidance on the risk management and incident reporting measures required for entities within scope;
- The further enhancement of the national cyber security incident response team (CSIRT);
- The release of a national cyber security strategy; and
- The publication of a national cyber emergency plan.
(d) Who will be the supervisory authority and how are they preparing the market?
The lead competent authority will be the National Cyber Security Centre (NCSC) in Ireland. The Bill confirms that the NCSC will be designated as the Computer Security Incident Response Team (CSIRT) and the competent authority for certain entities and for the management of large-scale cyber security incidents and crises in Ireland. Besides designating the NCSC as the lead competent authority, the Bill also designates a number of other regulators as competent authorities for certain other sectors (e.g. the Commission for the Regulation of Utilities for energy, drinking water and waste water, the Commission for Communications Regulation for digital infrastructure, ICT service management, space and digital providers, the Central Bank of Ireland for banking and financial market, etc.). The Bill mirrors the definitions for essential and important entities set out in NIS2; however, it also proposes that the competent Minister may make regulations designating an entity as an essential or important entity.
The NCSC has taken several steps to prepare organisations for compliance and resilience, including:
- Releasing draft risk management measures required under NIS2 (see here);
- Joining the ‘Cyber Fundamentals Framework’, a cybersecurity framework designed to help organisations comply with NIS2;
- Publishing the NIS2 FAQ (see here), which focuses on NIS2 compliance and key requirements; and
- Forming the sectoral cybersecurity information sharing network through the Cyber-CORE (CO-ordination and REsponse) program.
(e) What should you be doing/on the lookout for?
NIS2 is a game changer as it affects a broader scope of entities and includes more stringent requirements compared to those under NIS1, aimed at bolstering cybersecurity in key industries. It covers both important entities (e.g. waste management, food production, digital providers) and essential entities (e.g. certain entities in the sectors of energy, transport, health, etc.), subjecting the latter category to a higher level of cybersecurity risk management and reporting obligations.
NIS2 specifies different measures to be taken by the entities to which it applies, such as risk management procedures and policies, as well as encryption techniques. NIS2 also places direct obligations on management bodies and requires executives to gain a deeper understanding of cybersecurity requirements. NIS2 further raises penalties and includes stringent incident reporting requirements, with an initial notification within 24 hours. NIS2 also supports cooperation between supervisory authorities, requiring a broader understanding of different risk categories, functions, data sets and relevant laws from entities covered by this legislation.
Based on the above, clients should especially consider and be on the lookout for the following:
- Entities covered: consider whether they are covered by NIS2 as an essential or important entity.
- Cybersecurity compliance: review internal policies and procedures with a focus on cybersecurity measures implemented, reporting channels, as well as relevant internal policies and functions.
- Training programs: review cybersecurity training programs and guidelines with a deeper involvement of managers filling key functions.
- Data security and breach management: review data security measures and personal data breach management practices and policies with a focus on managing different types of incidents and data breaches.
- Contractual relations: review and update contractual arrangements and templates with contractors, partners, and employees by putting more focus on the security measures to be implemented and followed by the parties, as well as cooperation and supervision in respect of cybersecurity and data security.
- Liability and insurance: explore and consider different insurance schemes and policies with respect to the relevant industry and risk factors.
Contact
Marie McGinley E: mariemcginley@eversheds-sutherland.ie
Aisling O’Hare E: aislingohare@eversheds-sutherland.ie
Daniel Necz E: danielnecz@eversheds-sutherland.ie