NIS2 Country Guide

NIS2 Ireland: National Cyber Security Bill 2024

Understand how Ireland is preparing to transpose the NIS2 Directive through the National Cyber Security Bill 2024, the central role of the National Cyber Security Centre (NCSC) as lead competent authority, and what essential and important entities operating in Ireland should do now, even before full transposition.

Get Ready Checklist Get Consultation
Ireland NIS2 transposition: in progress Lead authority: NCSC

Introduction: NIS2 Directive & the Irish context

Ireland implemented the original NIS Directive (NIS1) through the 2018 NIS Regulations (S.I. 360/2018), covering a relatively small number of operators of essential services and certain digital service providers.

NIS2 significantly widens the scope and raises the bar for cybersecurity risk management, incident reporting and governance. Ireland has chosen to implement NIS2 through a new National Cyber Security Bill 2024, which will overhaul the existing regime, place the National Cyber Security Centre (NCSC) on a statutory footing and introduce a federated supervisory model.

Quick link: New to NIS2? Start with our general guides “What is NIS2?” and “NIS vs NIS2”.

NIS2 implementation in Ireland

Ireland did not meet the EU deadline of 17 October 2024 for transposing NIS2. The NCSC has confirmed that the deadline was missed and that the earlier NIS1 regulations remain in force until the new legislation is enacted.

On 24 July 2024, the Government approved the priority drafting of the National Cyber Security Bill 2024, and the General Scheme of the Bill was published on 30 August 2024 as the legislative vehicle for NIS2 transposition.

As of late 2025, the Bill has not yet been fully enacted. The European Commission issued a reasoned opinion to Ireland in May 2025 for failure to notify full transposition, and parliamentary debates in 2025 continue to refer to NIS2 implementation as being in progress.

Status

NIS2 has not yet been transposed into Irish law. The National Cyber Security Bill 2024 is at draft/legislative scrutiny stage and will replace the 2018 NIS Regulations once enacted.

Legal structure (planned)

The National Cyber Security Bill 2024 will transpose NIS2, establish the NCSC on a statutory basis, and define the supervisory and enforcement regime, including a federated model of competent authorities.

Interim position

Until the Bill is enacted, organisations should rely on NIS2 itself, existing NIS1 regulations and draft guidance published by the NCSC, such as draft Risk Management Measures (RMMs).

NIS2 Ireland: what you need to know about compliance

Even before full transposition, Irish organisations in NIS2-relevant sectors should assume that the EU Directive’s core obligations will apply and start preparing. The future Bill is expected to closely follow the NIS2 model of essential and important entities.

Who is likely in scope?

  • Entities in NIS2 Annex I sectors (energy, transport, health, drinking water, digital infrastructure, public administration, etc.).
  • Entities in Annex II sectors (postal and courier services, waste management, food, manufacturing of critical products, research, etc.).
  • Medium and large organisations meeting NIS2 staff/turnover thresholds.
  • Entities covered regardless of size: DNS, TLD registries, trust service providers, major cloud and data-centre operators.

Core NIS2 obligations (expected)

  • Implement risk-management measures for networks and information systems (policies, controls, governance).
  • Adopt procedures for incident detection, response, recovery and reporting.
  • Notify significant incidents and certain cyber threats within strict NIS2 timelines.
  • Manage supply-chain risk, including contractual security requirements for key ICT and service providers.
  • Ensure management bodies oversee cybersecurity and receive regular training.

Draft Risk Management Measures

The NCSC has published draft Risk Management Measures (RMMs) under Article 21 NIS2, giving practical guidance on expected controls. While not yet binding, they provide a useful roadmap for Irish entities preparing for the new law.

Key message: Although Ireland’s NIS2 Act is not yet in force, regulators and advisors consistently recommend early preparation rather than waiting for the final legislation.

Competent authorities & CSIRTs

Ireland has opted for a federated regulatory regime under NIS2, with the NCSC acting as lead competent authority and coordinator, and sectoral bodies supervising specific domains.

Role Authority Notes
Lead competent authority & Single Point of Contact National Cyber Security Centre (NCSC) Acts as lead NIS2 authority and central coordinator; responsible for guidance, EU-level coordination and oversight of the overall framework.
National CSIRT NCSC / National Cyber Security Centre (CSIRT function) Receives incident reports, issues alerts and advisories, and coordinates technical response at national level.
Sectoral competent authorities Regulators designated under the future Bill (e.g. ComReg and others) Will supervise NIS2 compliance in specific sectors (communications, energy, transport, etc.) under a federated model, in coordination with the NCSC.

NIS2 timeline & key dates (Ireland)

2018 — NIS1 implemented via S.I. 360/2018, establishing the first Irish NIS regime.
17 October 2024 — EU deadline for NIS2 transposition; Ireland does not meet the deadline.
30 August 2024 — General Scheme of the National Cyber Security Bill 2024 published as NIS2 vehicle.
7 May 2025 — European Commission issues reasoned opinion to Ireland for failure to notify full NIS2 transposition.
2025–2026 — Parliamentary scrutiny and expected enactment of the National Cyber Security Bill; transition period for entities to reach full compliance.

Sector-specific notes for Ireland

  • Energy: electricity and gas network operators and critical energy providers are likely to be classified as essential entities.
  • Digital infrastructure: data centres, cloud providers and major communications networks are a key focus given Ireland’s role as a European digital hub.
  • Finance & tech: large financial institutions and technology service providers will fall under NIS2, often alongside other EU regimes (e.g. DORA).
  • Public administration: central government and selected public bodies will be in scope to protect critical public services.
  • Health & critical services: hospitals and key healthcare providers will face strengthened resilience and reporting requirements.

Penalties for non-compliance

The National Cyber Security Bill 2024 is expected to implement a penalty and enforcement regime aligned with NIS2, including substantial administrative fines, corrective measures and management accountability.

  • Turnover-based fines for serious or repeated breaches of cybersecurity and reporting obligations.
  • Corrective orders and mandatory remediation plans imposed by competent authorities.
  • Enhanced supervision and follow-up in case of systemic deficiencies.
  • Potential consequences for management where governance and oversight obligations are not met.

How to prepare for NIS2 in Ireland

  1. Assess likely scope: map your services and size against NIS2 Annex I & II sectors and Irish guidance.
  2. Monitor the Bill: follow updates on the National Cyber Security Bill 2024 and related NCSC publications.
  3. Use draft RMMs: review the NCSC’s draft Risk Management Measures as a baseline for your controls.
  4. Run a gap assessment: compare your current posture against NIS2 requirements (governance, technical controls, processes, documentation).
  5. Strengthen incident management: build monitoring, escalation and reporting capabilities compatible with NIS2 timelines.
  6. Review supply-chain dependencies: identify critical suppliers and integrate cybersecurity clauses and notification duties into contracts.
  7. Align with recognised frameworks: adopt or strengthen an ISMS aligned with ISO/IEC 27001 or similar to structure compliance.
  8. Train leadership and staff: ensure management and key teams understand forthcoming NIS2 roles and responsibilities.
Run Eligibility Check Start Readiness Test

Official links & resources

🇮🇪 NCSC Ireland — NIS2 information page
📊 European Commission — NIS2 implementation in Ireland
📄 Guide: What is NIS2? · NIS vs NIS2

FAQ: NIS2 in Ireland

Has Ireland fully transposed NIS2?
No. As of late 2025, NIS2 has not yet been fully transposed into Irish law. The National Cyber Security Bill 2024 is the planned transposition vehicle and is still going through the legislative process.
Who will be the main NIS2 authority in Ireland?
The National Cyber Security Centre (NCSC) will act as lead competent authority, central coordinator and national CSIRT under the new regime, working with designated sectoral regulators.
Should we wait until the Bill is enacted to start preparing?
No. Organisations in likely in-scope sectors are strongly encouraged to start preparing now by following NIS2 requirements and NCSC draft guidance, rather than waiting for the last legislative step.
Will ISO 27001 certification be mandatory?
ISO/IEC 27001 will not be mandatory by name, but alignment with recognised standards will be a strong indicator of robust NIS2 compliance and good practice in Ireland.
Information provided for general guidance; always consult the future Irish NIS2 legislation, NCSC publications and legal counsel for definitive NIS2 compliance requirements.