NIS 2 status in Ireland
What the Directive requires, where Ireland stands on transposition, and who carries supervision in the interim.
Overview
The NIS 2 Directive sits at the EU level. It binds every Member State, Ireland included, to a single floor of obligations for essential and important entities. Ireland has to translate that floor into Irish law and stand up supervision under it.
Ireland missed the transposition deadline of 17 October 2024. The General Scheme of the National Cyber Security Bill 2024 was published in September 2024 by the lead department. At the time of writing, the bill itself has not been enacted by the Oireachtas. Until the Act is in force, Ireland's NIS 1 transposition (the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018, S.I. No. 360/2018) continues to apply.
The National Cyber Security Centre (NCSC-IE) is the national CSIRT and is set to be the competent authority and single point of contact for NIS 2. The lead ministry is the former Department of the Environment, Climate and Communications, now the Department of Climate, Energy and the Environment. Sectoral regulators stay in their lanes, notably ComReg for electronic communications and the Central Bank of Ireland for financial services, where DORA applies as lex specialis.
EU Directive
Directive (EU) 2022/2555 (NIS 2)
The EU cybersecurity directive. It sets the obligations every Member State must transpose, including the size and sector test for essential and important entities. It applies to Ireland regardless of the state of national transposition.
EU implementing act
Implementing Regulation (EU) 2024/2690
Technical and methodological measures for digital infrastructure providers. Directly applicable in Ireland, no national transposition needed.
Irish transposition
General Scheme of the National Cyber Security Bill 2024 (draft); until enactment: S.I. No. 360/2018 (NIS 1)
The General Scheme was published in September 2024 and is undergoing pre-legislative scrutiny. The bill itself and the secondary regulations that follow will carry the operational detail. Until then, the NIS 1 transposition remains in force, supplemented by NCSC-IE guidance.
National Cyber Security Bill
Will bring NIS 2 obligations into Irish law, define essential and important entities, set out supervisory and enforcement powers and anchor incident reporting. Operational detail will be filled in by secondary regulations and NCSC-IE guidance. Today: Heads of Bill published, final text not yet enacted.
NCSC-IE as competent authority
The National Cyber Security Centre is the national CSIRT (CSIRT-IE) and will be designated competent authority and single point of contact for NIS 2. It already publishes preparatory guidance, including the draft Risk Management Measures guidance from June 2025, and references the Belgian CyFun framework as a practical baseline.
Registration and reporting
The Directive requires entities to be identifiable to Member States from 17 April 2025. In Ireland, the registration portal and incident reporting portal are not yet live. Significant incidents will follow the Directive once the Act is in force: early warning within 24 hours, incident notification within 72 hours, final report within one month.
On Irish territory, Irish law applies
Activity on Irish territory follows the Irish transposition. A German managing director with an Irish subsidiary reads the upcoming National Cyber Security Act for that subsidiary, and the 2018 NIS 1 Regulations in the meantime, not the German BSIG. The directive obligations are identical. Procedures, portals and penalties live in Irish law.
Ireland cannot fall below the EU floor
The Directive is minimum harmonisation. Ireland may go stricter. Ireland cannot fall below the Directive, not on the duties of essential and important entities, not on reporting deadlines, not on management body accountability. A late transposition does not relieve an in-scope company of the directive's logic.
NCSC-IE
National Cyber Security Centre. National CSIRT (CSIRT-IE) and designated competent authority and single point of contact for NIS 2. Publishes preparatory guidance, is preparing the registration and reporting portals, and coordinates with ENISA and other Member States.
Department of Climate, Energy and the Environment
Lead ministry for the transposition. Previously the Department of the Environment, Climate and Communications (DECC), renamed after a government reshuffle. Published the General Scheme of the National Cyber Security Bill 2024 and is steering the bill through the Oireachtas.
ENISA
The EU cybersecurity agency. Publishes guidance, operates the European vulnerability database and coordinates across borders. Not a supervisor for Irish entities. That role sits with NCSC-IE and, where applicable, with sectoral regulators.
Until Ireland transposes, German rules apply, because our parent sits in Germany.
No. NIS 2 follows the establishment principle. An Irish subsidiary is regulated in Ireland, a German one in Germany. The German parent may support the Irish subsidiary internally, the legal duty to register, report and supervise sits with the Irish entity and runs to NCSC-IE once the Act is in force. Until then, NIS 1 (S.I. No. 360/2018) governs for the sectors already covered.
As long as the portal is not live, I do not have to do anything.
Even without a live registration portal, preparation runs in parallel. The Directive does not wait for the portal. In-scope entities should run the applicability test now, stand up risk management, the incident process, supply chain clauses and management body training, and keep the evidence ready. Once the Act is in force and NCSC-IE opens the portal, the registration window will be short.
Only the old NIS 1 OES are caught by NIS 2.
No. NIS 2 widens the sector and size catalogue substantially. Operators of Essential Services under NIS 1 are usually still caught under NIS 2, but the perimeter is broader and now distinguishes between essential and important entities. Medium and large entities listed in Annexes I and II of the Directive are in scope, as are some small providers with a particular role, plus parts of the public administration.
Most of the Irish mid-market operators we meet still treat NIS 2 like a postponed deadline and wait for the National Cyber Security Bill to be enacted. The Directive does not wait. Procurement teams, insurers and parent companies already reference it in contracts. Waiting does not delay the duty, it only delays your preparation.
The practical step is the same as everywhere in the EU: run the applicability test against the Directive, use the NCSC-IE preparatory guidance (the draft Risk Management Measures, CyFun) as orientation, set up the four continuous duties (keep registration data current, incident reporting, supply chain risk, supervision by the management body) and document the minimum. Once the Act is in force, the remaining work is mostly plugging the finished documentation into the Irish procedures.
We build the NIS 2 obligation register at the EU level, not on top of any single national transposition. The same checklist works for an Irish subsidiary under the upcoming National Cyber Security Act, a German parent under BSIG and a Dutch sister under the Cyberbeveiligingswet. Article references change per country, the substance of the obligations does not.
For the Irish scope you start with the applicability test, then incident cadence, supply chain clauses and management body sign-off. Where NCSC-IE publishes sectoral guidance, we link to it. We do not copy it.
- Directive (EU) 2022/2555 (NIS 2) — EUR-Lex
- Implementing Regulation (EU) 2024/2690
- General Scheme of the National Cyber Security Bill 2024 — Department of Climate, Energy and the Environment (gov.ie)
- European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360/2018) — Irish Statute Book
- NCSC-IE — National Cyber Security Centre, NIS 2 status and guidance (ncsc.gov.ie)
- NCSC-IE — Draft Risk Management Measures Guidance (June 2025)
- ComReg — sectoral oversight for electronic communications
- Central Bank of Ireland — competent authority for DORA in the financial sector