NIS 2 Status Irland

NIS 2 status in Ireland

What the Directive requires, where Ireland stands on transposition, and who carries supervision in the interim.

Simon OrzelSimon Orzel·

Overview

The NIS 2 Directive sits at the EU level. It binds every Member State, Ireland included, to a single floor of obligations for essential and important entities. Ireland has to translate that floor into Irish law and stand up supervision under it.

Ireland missed the transposition deadline of 17 October 2024. The General Scheme of the National Cyber Security Bill 2024 was published in September 2024 by the lead department. At the time of writing, the bill itself has not been enacted by the Oireachtas. Until the Act is in force, Ireland's NIS 1 transposition (the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018, S.I. No. 360/2018) continues to apply.

The National Cyber Security Centre (NCSC-IE) is the national CSIRT and is set to be the competent authority and single point of contact for NIS 2. The lead ministry is the former Department of the Environment, Climate and Communications, now the Department of Climate, Energy and the Environment. Sectoral regulators stay in their lanes, notably ComReg for electronic communications and the Central Bank of Ireland for financial services, where DORA applies as lex specialis.

Where the rules live
Three layers anyone reading the Irish NIS 2 picture has to keep separate.

EU Directive

Directive (EU) 2022/2555 (NIS 2)

The EU cybersecurity directive. It sets the obligations every Member State must transpose, including the size and sector test for essential and important entities. It applies to Ireland regardless of the state of national transposition.

EU implementing act

Implementing Regulation (EU) 2024/2690

Technical and methodological measures for digital infrastructure providers. Directly applicable in Ireland, no national transposition needed.

Irish transposition

General Scheme of the National Cyber Security Bill 2024 (draft); until enactment: S.I. No. 360/2018 (NIS 1)

The General Scheme was published in September 2024 and is undergoing pre-legislative scrutiny. The bill itself and the secondary regulations that follow will carry the operational detail. Until then, the NIS 1 transposition remains in force, supplemented by NCSC-IE guidance.

Three points you have to know
What changes for entities operating in Ireland once the Act is in place.
Transposition

National Cyber Security Bill

Will bring NIS 2 obligations into Irish law, define essential and important entities, set out supervisory and enforcement powers and anchor incident reporting. Operational detail will be filled in by secondary regulations and NCSC-IE guidance. Today: Heads of Bill published, final text not yet enacted.

Supervision

NCSC-IE as competent authority

The National Cyber Security Centre is the national CSIRT (CSIRT-IE) and will be designated competent authority and single point of contact for NIS 2. It already publishes preparatory guidance, including the draft Risk Management Measures guidance from June 2025, and references the Belgian CyFun framework as a practical baseline.

Deadlines

Registration and reporting

The Directive requires entities to be identifiable to Member States from 17 April 2025. In Ireland, the registration portal and incident reporting portal are not yet live. Significant incidents will follow the Directive once the Act is in force: early warning within 24 hours, incident notification within 72 hours, final report within one month.

Two principles that resolve every edge case
Read before any Irish commentary on NIS 2.

On Irish territory, Irish law applies

Activity on Irish territory follows the Irish transposition. A German managing director with an Irish subsidiary reads the upcoming National Cyber Security Act for that subsidiary, and the 2018 NIS 1 Regulations in the meantime, not the German BSIG. The directive obligations are identical. Procedures, portals and penalties live in Irish law.

Ireland cannot fall below the EU floor

The Directive is minimum harmonisation. Ireland may go stricter. Ireland cannot fall below the Directive, not on the duties of essential and important entities, not on reporting deadlines, not on management body accountability. A late transposition does not relieve an in-scope company of the directive's logic.

Who does what in Ireland
Three institutions that show up in almost every NIS 2 question.
IE

NCSC-IE

National Cyber Security Centre. National CSIRT (CSIRT-IE) and designated competent authority and single point of contact for NIS 2. Publishes preparatory guidance, is preparing the registration and reporting portals, and coordinates with ENISA and other Member States.

IE

Department of Climate, Energy and the Environment

Lead ministry for the transposition. Previously the Department of the Environment, Climate and Communications (DECC), renamed after a government reshuffle. Published the General Scheme of the National Cyber Security Bill 2024 and is steering the bill through the Oireachtas.

EU

ENISA

The EU cybersecurity agency. Publishes guidance, operates the European vulnerability database and coordinates across borders. Not a supervisor for Irish entities. That role sits with NCSC-IE and, where applicable, with sectoral regulators.

Pitfalls
Mistakes we see when Irish entities first read NIS 2.

  • Until Ireland transposes, German rules apply, because our parent sits in Germany.

    No. NIS 2 follows the establishment principle. An Irish subsidiary is regulated in Ireland, a German one in Germany. The German parent may support the Irish subsidiary internally, the legal duty to register, report and supervise sits with the Irish entity and runs to NCSC-IE once the Act is in force. Until then, NIS 1 (S.I. No. 360/2018) governs for the sectors already covered.

  • As long as the portal is not live, I do not have to do anything.

    Even without a live registration portal, preparation runs in parallel. The Directive does not wait for the portal. In-scope entities should run the applicability test now, stand up risk management, the incident process, supply chain clauses and management body training, and keep the evidence ready. Once the Act is in force and NCSC-IE opens the portal, the registration window will be short.

  • Only the old NIS 1 OES are caught by NIS 2.

    No. NIS 2 widens the sector and size catalogue substantially. Operators of Essential Services under NIS 1 are usually still caught under NIS 2, but the perimeter is broader and now distinguishes between essential and important entities. Medium and large entities listed in Annexes I and II of the Directive are in scope, as are some small providers with a particular role, plus parts of the public administration.

From practice

Most of the Irish mid-market operators we meet still treat NIS 2 like a postponed deadline and wait for the National Cyber Security Bill to be enacted. The Directive does not wait. Procurement teams, insurers and parent companies already reference it in contracts. Waiting does not delay the duty, it only delays your preparation.

The practical step is the same as everywhere in the EU: run the applicability test against the Directive, use the NCSC-IE preparatory guidance (the draft Risk Management Measures, CyFun) as orientation, set up the four continuous duties (keep registration data current, incident reporting, supply chain risk, supervision by the management body) and document the minimum. Once the Act is in force, the remaining work is mostly plugging the finished documentation into the Irish procedures.

What the platform provides

We build the NIS 2 obligation register at the EU level, not on top of any single national transposition. The same checklist works for an Irish subsidiary under the upcoming National Cyber Security Act, a German parent under BSIG and a Dutch sister under the Cyberbeveiligingswet. Article references change per country, the substance of the obligations does not.

For the Irish scope you start with the applicability test, then incident cadence, supply chain clauses and management body sign-off. Where NCSC-IE publishes sectoral guidance, we link to it. We do not copy it.

Sources
  • Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
  • Implementing Regulation (EU) 2024/2690
  • General Scheme of the National Cyber Security Bill 2024 — Department of Climate, Energy and the Environment (gov.ie)
  • European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360/2018) — Irish Statute Book
  • NCSC-IE — National Cyber Security Centre, NIS 2 status and guidance (ncsc.gov.ie)
  • NCSC-IE — Draft Risk Management Measures Guidance (June 2025)
  • ComReg — sectoral oversight for electronic communications
  • Central Bank of Ireland — competent authority for DORA in the financial sector
Clarify Irish scope in under five minutes
The applicability check applies the Directive's size and sector test. If the Irish subsidiary is in scope, the next steps are internal preparation and registration with NCSC-IE once the Act is in force.
Start applicability check