Ireland's NIS2 Law Is Coming: What EU Suppliers Need to Know

Ireland missed its NIS2 deadline by more than 18 months. That's not a footnote — it's a problem you inherit the moment one of your clients depends on an Irish supplier.
If you run an MSP or advise European organisations on compliance, Ireland matters more than its size suggests. It hosts the EU headquarters of Microsoft, Google, Meta, AWS, and a large share of the continent's data centre capacity. When Ireland's NIS2 law finally lands, a huge amount of critical digital infrastructure moves into scope at once — and your clients' supply chains run straight through it.
Here's what's actually happening, and what you should do before the Bill passes.
Ireland is the last big EU economy still without a NIS2 law on the books
NIS2 had to be transposed into national law by 17 October 2024. Ireland blew past that date. As of mid-2026, the National Cyber Security Bill is still working its way through the Oireachtas, and Ireland is one of only a handful of member states — alongside France, Luxembourg, the Netherlands, and Spain — where transposing legislation is not yet in force.
The delay is partly political. The 2024 general election interrupted the legislative calendar, and the Bill slipped. But the European Commission has run out of patience. Ireland received a formal notice, then a reasoned opinion, and the Commission has signalled it will refer non-transposing states to the Court of Justice.
The practical takeaway: the direction is fixed. The Bill will pass. The only open question is timing, and "we're waiting for the law" is not a defence you want a client relying on.
NIS2 Implementation Status by Country (2025–2026)
Fully in force (6 countries): Belgium, Croatia, Hungary, Lithuania, Latvia, Italy
Adopted, late 2025 (3 countries): Germany, Czech Republic, Finland
In progress, expected 2026 (7 countries): Netherlands, France, Spain, Poland, Austria, Sweden, Ireland
The Bill turns the NCSC into Ireland's cyber regulator
Ireland's National Cyber Security Centre (NCSC) becomes the Lead Competent Authority and the Single Point of Contact under the new law. That's a significant expansion of a body that, until now, has been mostly advisory.
But Ireland is not running a single-regulator model. Sector-specific regulators keep enforcement authority within their domains — so an energy operator answers to its sector regulator, a health provider to another, and so on, with the NCSC coordinating on top. For consultants, that means "who supervises this client" is a real question with more than one possible answer. Don't assume the NCSC is the enforcing body for every entity.
The NCSC has already moved ahead of the legislation. In June 2025 it published draft Risk Management Measures guidance and launched Ireland's version of the CyberFundamentals (CyFun) framework. So even without a law in force, there is a documented set of expectations you can start aligning clients to today.
Work out which of your clients — and their suppliers — are in scope
NIS2 in Ireland follows the standard essential/important split across the usual sectors. The first group covers energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration, and space; large entities in these sectors are classed as essential, while medium-sized ones are generally important. The second group, which only ever yields important entities, covers postal services, waste management, chemicals, food, manufacturing, digital providers, and research.
Two things trip people up.
First, size. The default rule is that medium and large entities in a covered sector are in scope: roughly 50 or more staff, or more than €10 million in annual turnover or balance sheet total. But there are override cases where small entities still qualify because of the criticality of what they do. DNS service providers, top-level-domain name registries and qualified trust service providers are in scope regardless of size, so a tiny DNS provider or a sole national TLD registry does not get a pass.
Second, supply chain. Even if your client is not itself a regulated entity, an Irish essential or important entity that depends on them will push NIS2-grade obligations down through contracts. That's Article 21's supply chain requirement doing exactly what it was designed to do. Read our supplier contracts guide for how those clauses tend to land.
Does NIS2 Apply to Your Organisation?
1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)? No: NIS2 does not directly apply to your organisation. Yes: continue to 2.
2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million? Yes: NIS2 applies to your organisation as an Essential or Important Entity. No: continue to 3.
3. Is your organisation a critical infrastructure provider or a qualified trust service provider? Yes: NIS2 may apply to your organisation; seek legal advice to confirm your status. No: NIS2 does not directly apply to your organisation.
The fines are real — and they don't stop at the company
The Irish General Scheme mirrors the NIS2 ceilings. Essential entities face administrative fines of up to €10 million or 2% of worldwide group turnover, whichever is higher. Important entities face up to €7 million or 1.4% of turnover.
The number that gets a board's attention is the turnover multiplier, not the flat cap. For a mid-sized group, 2% of global revenue is a far larger figure than €10 million, and it is calculated on the whole group — not the Irish subsidiary in isolation.
But the fine is only the first layer. NIS2 also reaches management personally: senior leaders can be held liable for failures in oversight, and competent authorities can impose temporary bans on individuals holding management roles in essential entities. On top of that sit the operational consequences — suspension of authorisations, mandatory remediation, public disclosure of breaches. The reputational hit and the lost contracts usually cost more than the penalty itself.
NIS2 Penalty Escalation — Beyond the Fine
Trigger event: non-compliance is detected or an incident occurs. A supervisory authority identifies a compliance gap, or an organisation fails to meet NIS2 requirements.
Authorities can impose non-monetary penalties:
1. Compliance orders with binding deadlines
2. Mandatory security audits at your expense
3. Public disclosure of violations
4. Binding instructions on specific security measures
These escalate to operational and personal consequences:
1. Suspension of certifications or operating licences
2. Temporary ban on management functions for individuals
3. Public naming of responsible natural persons
This is why board liability is not a scare tactic — it's written into the framework. If you advise Irish entities or their parent groups, the conversation about who is personally accountable needs to happen before an incident, not after.
CyFun is Ireland's recommended path, not the only one
The NCSC has named CyberFundamentals as its preferred route to demonstrating NIS2 alignment. CyFun is a tiered, standards-based framework built on the NIST Cybersecurity Framework, with assurance levels you can map a client to based on their risk profile. It originated with the Centre for Cybersecurity Belgium, which uses it to make NIS2 concrete there, so there's real precedent for how it works in practice.
Crucially, CyFun is recommended, not mandated. The NCSC has confirmed that ISO 27001, IEC 62443, COBIT, and NIST standards remain acceptable ways to evidence compliance. If your client already runs an ISO 27001-certified ISMS, you are not throwing that away — you are mapping it to Ireland's expectations and closing the deltas. Our NIS2 vs ISO 27001 breakdown shows where the gaps usually sit.
For most MSPs, the pragmatic move is to pick one control framework, align every Irish client to it, and avoid maintaining a different approach per customer. Consistency is what makes a portfolio auditable.
What to do now, before the law is live
Waiting for the Bill to pass is the wrong instinct. The obligations are known, the NCSC's expectations are published, and the audit clock starts the day the law commences — not the day you get around to reading it.
Start with three moves. Map which clients and which of their key suppliers touch an Irish essential or important entity. Pick a control framework — CyFun or ISO 27001 — and standardise on it. Then run a gap analysis against Article 21's ten measures so you know the actual distance to compliant, not the assumed one. Our step-by-step gap analysis guide walks through the sequence.
If you want a fast read on where a specific client stands, run them through the NIS2 Quick Scan. It takes minutes and gives you a defensible starting point for the compliance conversation — which is a far better position than telling a client you were both waiting for Dublin.
