Gaps emerge in Ireland’s cyber readiness ahead of NIS2

Boards face fines and disqualification with almost half of essential organisations remain unprepared as new EU cybersecurity rules move closer to Irish law.

Nearly half of essential organisations remain unprepared as new EU cybersecurity rules move closer to Irish law

Board members of Irish companies operating in critical sectors are being urged to urgently strengthen their cybersecurity posture, as new research shows that a significant share of organisations are unprepared for the EU’s incoming Network and Information Security Directive, known as NIS2.

Ireland’s national domain registry, .IE, has warned that directors whose companies fail to comply could face fines, reputational damage and potential disqualification once the directive is signed into Irish legislation, which is expected by July.

Risky business

Research commissioned by .IE and carried out by Amárach found that 45% of Ireland’s “essential” and “important” entities are not ready for NIS2 implementation. These organisations operate across areas that are vital to the economy and society, including energy, transport, water, banking, healthcare and digital infrastructure.

Under NIS2, up to 5,000 essential entities in Ireland will be required to take structured measures to manage risks to their network and information systems. Organisations must also be able to prevent or minimise the impact of cyber incidents on customers and service users and notify significant incidents within 24 hours.

Crucially, accountability will rest with company boards.

“Ignorance is not an excuse. We urge organisations to start to take cyber risk as seriously as they do economic risk, the entire way along their supply chain,” said Louise McKeown, chief growth officer at .IE.

The research suggests that supply chain exposure remains a significant weak point. Almost half of respondents, 47%, said they had not fully mapped their supply chain for critical services. This has implications not just for regulated entities themselves, but for thousands of third-party suppliers that may also fall within the scope of NIS2 requirements.

Cyber incidents are already a reality for many organisations. The survey found that 17% of Ireland’s key organisations have experienced a significant cyber-attack since 2024, underlining the practical risks associated with weak preparedness.

With nearly half of organisations still not ready, .IE said that failure to comprehensively assess and address cyber risks could have personal consequences for those sitting on boards of management.

“As well as fines for your company, Ireland is small and the reputational damage that will go along with non-compliance could have a long-lasting, negative impact,” McKeown said.

To support organisations that may be unsure where to begin, .IE is pointing businesses towards DigitalTrust.IE, a free online assessment tool that evaluates a firm’s current level of digital vulnerability across its website, email and domain.

Once an organisation applies, its setup is assessed using a proprietary scoring evaluation based on industry-defined best practice. Applicants receive a grade by the next working day. Businesses that achieve an A-rating can display Ireland’s first Digital Trust Mark for a period of 12 months, while those that fall short are provided with a detailed outline of recommended actions.

The Digital Trust Mark, created by .IE, has been described as an NCT for a firm’s online identity and is intended to help organisations demonstrate good cyber hygiene as regulatory scrutiny increases.

Top image: Louise McKeown, Chief Growth Officer at .IE

• Bank of Ireland is welcoming new customers every day – funding investments, working capital and expansions across multiple sectors. To learn more, click here

• For support in challenging times, click here

• Listen to the ThinkBusiness Podcast for business insights and inspiration. All episodes are here. You can also listen to the Podcast on:

• Spotify

• SoundCloud

• Apple