Our latest survey has revealed that four in ten Irish businesses (38%) will not be prepared for NIS2 compliance by 17 October. The same number have not yet updated their cybersecurity polices, leaving many organisations potentially exposed under the EU’s new regulatory regime.
17 October is the date the Government was due to transpose NIS2 into Irish law. However, due to the complexity of the legislation, the Government has indicated that this deadline will not be met.
NIS2, which builds on the existing Network and Information Security (NIS) Directive, dramatically broadens the scope of regulated sectors and introduces tougher cybersecurity standards across the EU. With Ireland playing a central role in enforcement, the financial and reputational consequences for non-compliance could be severe.
Julie Austin, Privacy & Data Security Partner, commented: "NIS2 is not just about adding more compliance checklists - it demands a complete overhaul of how organisations approach cybersecurity. The new directive puts leadership accountability at its core. We are working intensively with clients to review policies, update governance structures, and ensure senior leadership is fully engaged.”
Complexity emerged as the primary concern for implementing NIS2, with more than two-thirds (67%) of respondents highlighting it as their biggest challenge.
Michael Madden, Commercial Partner, said: "While the complexity of NIS2 is daunting, it presents an opportunity for Irish businesses to lead by example in cybersecurity best practices, potentially influencing the broader European landscape. As a hub for digital services, Ireland's approach to NIS2 will be closely watched."
He continued: “By embracing a proactive, risk-based approach, companies can not only achieve compliance but also gain a competitive edge. The key is to view NIS2 not as a regulatory burden, but as a catalyst for building a stronger, more secure business.”
The survey also highlighted that a quarter of businesses (25%) are not confident in their ability to meet their new reporting requirements under NIS2. The new directive mandates that incidents are detected and reported within 24 to 72 hours.
Julie Austin added: “The new window for reporting incidents is extremely tight, and failure to comply could result in severe penalties. We are helping clients to significantly streamline their reporting processes to ensure they can act swiftly and mitigate the risk of costly sanctions."
Read more about our survey on RTE, Tech Central, Business Plus, and Irish Legal News. For more information and expert advice, please contact a member of our Technology team.
