NIS2 Compliance: What Irish and EU SMEs Need to Do Now
The NIS2 Directive is now transposed into national law across EU member states — and the consequences of non-compliance are significant. Fines of up to €10 million or 2% of global annual turnover apply to organisations that fail to meet their obligations. Management can be held personally liable.
If your business operates in a sector covered by NIS2, you cannot afford to treat this as a future problem. ShieldIQ gives SMEs and mid-market organisations a fast, practical path to NIS2 compliance — without the cost of a full-time compliance team.
Start your free NIS2 assessment →
What Is the NIS2 Directive?
NIS2 replaces the original Network and Information Security (NIS) Directive, significantly expanding both its scope and its enforcement teeth. It applies to organisations across a much wider range of sectors than its predecessor, covering both essential entities and important entities.
Essential entities include organisations in sectors such as:
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health sector and critical medical device manufacturers
- Drinking water and wastewater
- Digital infrastructure (DNS, TLDs, data centres, cloud providers, CDNs)
- ICT service management
- Public administration
Important entities extend NIS2's reach to:
- Postal and courier services
- Waste management
- Chemical manufacture and distribution
- Food production and distribution
- General manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organisations
If your organisation meets the size threshold (50+ employees or €10M+ annual turnover) and operates in any of these sectors, NIS2 applies to you. And if you are a supplier or service provider to organisations in these sectors, their NIS2 supply chain security requirements will flow down to you.
NIS2 Compliance Requirements: The Eight Domains
ShieldIQ structures NIS2 compliance across eight domains covering 25 requirements:
1. Governance: Senior management must approve cybersecurity risk management measures, oversee implementation, and be accountable for compliance. Management liability is explicit under NIS2 — this is not something you can delegate entirely to IT.
2. Risk Management: You need documented processes to identify, assess, and address cybersecurity risks. This includes a risk register, regular risk reviews, and evidence of how identified risks are being treated.
3. Incident Handling: NIS2 mandates a strict incident reporting timeline. Significant incidents must be reported to the relevant national authority within 24 hours of detection, with a more detailed report within 72 hours and a final report within one month. Your incident response plan needs to be documented and tested.
4. Business Continuity: You must have plans and capabilities to maintain or rapidly restore operations after a cyber incident. This covers backup management, disaster recovery, and crisis management procedures.
5. Supply Chain Security: NIS2 explicitly requires you to manage cybersecurity risks in your supply chain. You need to assess the security practices of your vendors and ICT service providers, and include security requirements in your contracts.
6. Security Measures: Technical and organisational measures must address network and information systems security, access control, encryption, secure communications, multi-factor authentication, and vulnerability handling.
7. Training and Awareness: All staff must receive cybersecurity awareness training. Senior management must complete specific cybersecurity training to understand the risks and management responsibilities under NIS2.
8. Reporting: Beyond incident reporting, NIS2 includes obligations to report significant threats and near-misses, and in some cases to provide information to national authorities and sector-specific bodies on request.
Why NIS2 Is Particularly Urgent for Irish Businesses
Ireland's transposition of NIS2 brings its obligations into domestic law, with the National Cyber Security Centre (NCSC) acting as the primary competent authority for most sectors. The Data Protection Commission (DPC) has enforcement responsibility in some areas.
Irish SMEs operating in covered sectors are already subject to these requirements. Many are unaware of their obligations or have underestimated the scope of work needed to meet them. ShieldIQ was built by Dr Matt Lemon, a CISO with 25+ years of experience working with Irish SMEs and regulated entities, specifically to close this gap.
How ShieldIQ Helps You Achieve NIS2 Compliance
ShieldIQ covers all eight NIS2 domains with practical tools, not just documentation templates:
- NIS2 gap assessment — complete in around 15 minutes, with AI-scored results across all 25 requirements
- Risk management module — build and maintain your risk register with NIS2-aligned categories
- Incident management — log, track, and report incidents with built-in NIS2 reporting timelines
- Policy library — editable policy templates that satisfy NIS2 governance and security measure requirements
- Vendor management — assess and track your supply chain security obligations
- Asset management — maintain an inventory of the systems and assets that fall under NIS2 scope
- Training tracking — record and evidence staff awareness training completion
- Executive reports — generate board-ready reports that demonstrate NIS2 compliance progress
Whether you are just beginning your NIS2 journey or you need to close specific gaps before an audit, ShieldIQ gives you the structure and the tools to get there.
Start free — no card required →
Also Relevant to Your NIS2 Obligations
NIS2 compliance works hand-in-hand with other frameworks ShieldIQ supports:
- GDPR compliance — data protection remains a core requirement under NIS2
- ISO 27001 compliance — ISO 27001 certification can significantly accelerate NIS2 compliance
- DORA compliance — for financial sector entities, DORA and NIS2 obligations overlap substantially
- NIST CSF compliance — NIST CSF 2.0 maps cleanly onto NIS2 requirements
Frequently Asked Questions
Does NIS2 apply to my SME if we are not in a critical infrastructure sector?
NIS2 directly applies to entities in covered sectors with 50+ employees or €10M+ turnover. However, even if your business is not directly in scope, your enterprise clients and public sector customers may require you to meet NIS2-aligned security standards as a supply chain requirement. Demonstrating NIS2 compliance is increasingly a commercial necessity, not just a legal one.
What happens if we have a cyber incident and haven't reported it within 24 hours?
Failure to report a significant incident within the required timeframe is a separate compliance violation under NIS2, on top of any liability related to the incident itself. Fines for reporting failures can reach €10 million or 2% of global turnover for essential entities. ShieldIQ's incident management module includes NIS2 reporting deadline tracking to help you avoid this.
Can we achieve NIS2 compliance without external consultants?
Yes. ShieldIQ is designed specifically for organisations that do not have a full-time compliance team. The platform guides you through each requirement, provides the templates and tools you need, and produces the documentation to demonstrate compliance. For organisations with more complex needs, ShieldIQ's reports and evidence packs also make any external consultant engagement significantly more efficient.
How long does it take to become NIS2 compliant?
This depends on your starting point. Organisations with some existing cybersecurity controls and documentation can often close NIS2 gaps within a few months. Organisations starting from scratch should budget six to twelve months for a thorough implementation. ShieldIQ gives you a prioritised action plan from your first assessment so you can focus on the highest-risk gaps first.
Is NIS2 compliance a one-time project or an ongoing obligation?
Ongoing. NIS2 requires continuous risk management, regular training, incident reporting as events occur, and periodic review of your security measures and supply chain. ShieldIQ is built for ongoing compliance management, not just a one-time audit preparation exercise.