NIS2 Enforcement Is Here. Is Your Organisation Already Behind?

The EU's most significant cybersecurity regulation is no longer on the horizon; it's at your door. What Irish business leaders need to know right now.

Most organisations think they have more time. They don't. NIS2 is not approaching — it is here. The EU transposition deadline passed in October 2024, and Irish organisations are now expected to demonstrate readiness. Enforcement is the next step.

If your board hasn't discussed NIS2, if your incident response plan hasn't been tested, and if your supply chain hasn't been assessed, this article is for you. The good news: there is a clear, proven path to compliance. The challenging news: the window to act without regulatory exposure is narrowing fast.

What Is NIS2 — and Why Does It Change Everything?

The Network and Information Security Directive 2 (NIS2) is the EU's landmark cybersecurity regulation, designed to raise the baseline of cyber resilience across critical and important sectors. Unlike its predecessor, NIS2 dramatically expands scope, stiffens penalties, and — most significantly — introduces direct personal accountability for senior leadership.

This is not an IT team problem. This is a boardroom problem.

Under NIS2, senior management can be held personally liable for cybersecurity failures. Approval, oversight, and understanding of cyber risk exposure are now legal obligations — not optional best practices.


Does NIS2 Apply to Your Organisation?

NIS2 applies to medium and large organisations across two tiers of regulated sectors. If you operate in any of the following areas, you are almost certainly in scope.

NIS2 Regulated Sectors — Essential vs Important

ESSENTIAL ENTITIES (fines up to €10M or 2% of global turnover)

  • Energy
  • Healthcare
  • Banking & Financial Markets
  • Transport
  • Digital Infrastructure
  • Public Administration

IMPORTANT ENTITIES (fines up to €7M or 1.4% of global turnover)

  • Manufacturing
  • Food Production
  • Waste Management
  • Postal & Courier Services
  • Managed Service Providers
  • Digital Service Providers

Even if you believe your organisation falls outside these categories, consider your supply chain. If you supply or support an entity in scope, their NIS2 obligations flow directly to you through supplier security requirements.


The Financial Stakes Are Real

The penalty regime under NIS2 is designed to compel action. Fines are not symbolic — they are scaled to the size of the organisation they apply to:

  • Essential Entities: up to €10 million or 2% of global annual turnover
  • Important Entities: up to €7 million or 1.4% of global annual turnover

Financial penalties, however, are only part of the exposure. Regulatory investigations, mandatory remediation orders, reputational damage, and loss of client trust are outcomes that no fine calculation fully captures.

Incident Reporting: You Have Less Time Than You Think

NIS2 mandates a structured, time-bound incident reporting process. Organisations that are unprepared — or that discover mid-incident that they have no documented process — will struggle to comply under pressure.

Mandatory NIS2 Incident Reporting Timeline

  • T = 0: Incident occurs
  • Within 24 hours: Early warning
  • Within 72 hours: Incident notification
  • Within 1 month: Final report

This is not a reporting process you can build in the middle of a crisis. It must exist, be tested, and have a named owner — before an incident occurs.


The ISO 27001 Advantage

Here is where many organisations discover a significant shortcut. ISO 27001 — the internationally recognised Information Security Management System (ISMS) standard — was built to address exactly the governance, risk management, and control requirements that NIS2 demands. An organisation with a mature ISO 27001 implementation has already done much of the heavy lifting.

How ISO 27001 Maps to NIS2 Requirements

NIS2 Requirement: ISO 27001 Coverage

  • Risk Management: Clause 6 & Annex A
  • Governance & Leadership: Clause 5
  • Incident Management: Annex A.16 / A.5.24
  • Supply Chain Security: Annex A.5.19–5.22

ISO 27001 is not a silver bullet — NIS2 has sector-specific and regulatory requirements that go beyond the standard. But for most organisations, it provides the framework and the documented evidence of governance that regulators will want to see.


Your Next Step: Find Out Where You Stand

The Irish regulatory approach is progressive — guidance, then remediation, then escalation, then financial penalties. The organisations that will face the sharpest enforcement scrutiny are those that have done nothing, documented nothing, and demonstrated nothing.

You don't need to have solved NIS2 by next week. But you do need to have started — and to be able to show that you have.

To learn more about how CG Business Consulting can help your organisation, speak with a member of our team:

Book a Free Consultation

From the consultation you will:

  • Speak directly to an ISO professional
  • Get expert advice on your business requirements
  • Understand the benefits of certification for your business

Visit: Reach Out to Ireland's Top Information Security Consultants

💬 Contact us now to begin your journey