30 10 2025 Insights Cyber and Data Protection

The march to greater cyber resilience: Recent changes to EU cybersecurity laws


The EU has introduced several key cybersecurity laws in recent years that organisations should be aware of. These laws aim to enhance the EU's collective cyber resilience, improve incident response, and establish common standards across Member States. One such law, and the focus of this note, is the NIS2 Directive (EU) 2022/2555, but it forms part of a comprehensive suite of EU cybersecurity legislation that collectively aims to enhance the Union's cyber resilience. While NIS2 focuses on operational resilience and incident response capabilities for critical infrastructure and digital service providers, it operates alongside other key regulations such as the Cyber Resilience Act (which mandates security-by-design for digital products), the EU Cybersecurity Act (which establishes the certification framework for ICT products and services), and GDPR (which governs data protection and breach notification). NIS2 builds on the original NIS Directive, which established the baseline, by extending coverage to more sectors and introducing stricter supervisory and enforcement measures.

According to the European Union Agency for Cybersecurity (ENISA), EU Member States are at different stages of transposing NIS2 into national law. Most Member States, however, missed the October 2024 transposition deadline, citing the complexity of the Directive and the need to overhaul existing cybersecurity laws. While several Member States have published draft legislation or consultation papers, others are still in the legislative drafting phase.

In Ireland, the heads of the general scheme of the National Cyber Security Bill were published on 30 August 2024. While it remains at the drafting stage, it provides for the transposition of the Directive into Irish law and seeks to place the National Cyber Security Centre (NCSC), which has been in operation in Ireland since 2011, on a statutory basis. Many of my clients who experienced cyber incidents in recent years have benefited greatly from assistance provided by the NCSC and its international networks to accelerate the investigation and recovery processes, so I welcome these developments.

The Bill currently extends to 183 pages and sets out the functions and powers of the NCSC. The NCSC is intended to have broad powers to undertake its functions; these are likely to include the power to engage in proactive scanning of publicly accessible networks and information systems in Ireland for the purpose of identifying vulnerabilities, and the power to require DNS service providers or domain registrars to take specific measures to block or suspend a domain.

In the meantime, on 24 June 2025 the NCSC published a draft guidance document outlining the Risk Management Measures (RMMs) that entities must implement to comply with the Directive and, at the same time, launched Cyber Fundamentals, which is described as a practical cybersecurity framework designed to help organisations comply with the Directive.

Who is Impacted by NIS2?

NIS2 applies to two main categories of organisations: Essential Entities and Important Entities. The Directive will apply to medium-sized and large public and private organisations that provide services in Ireland and the EU. Importantly, however, it will also apply to organisations, regardless of size, where the disruption of their services could have a significant impact on public safety, public security or public health.

The following organisations are identified as falling within the two broad categories of organisations:

  1. Essential Entities – These include operators in sectors such as:
     • Energy (electricity, oil, gas)
     • Transport (air, rail, water, road)
     • Banking and financial market infrastructures
     • Health (including hospitals and private clinics)
     • Drinking water and waste water
     • Digital infrastructure (e.g. DNS service providers, cloud computing)
     • Public administration
  2. Important Entities – These include:
     • Postal and courier services
     • Waste management
     • Chemicals production
     • Food production and distribution
     • Manufacturing of critical products (e.g. medical devices, electronics)
     • Digital providers not classified as essential (e.g. online marketplaces, search engines)

What Actions Are Required?

The NCSC guidance outlines 13 Risk Management Measures (RMMs) that impacted entities must implement. These RMMs are designed to align with existing security standards set out in ISO/IEC 27001, the NIST Cybersecurity Framework and ENISA guidelines, and to ensure a consistent and robust approach to cybersecurity across the EU.

  1. Registration - Entities must register with the competent authority and provide up-to-date contact and operational details. This ensures authorities can communicate effectively during incidents and audits.
  2. Governance - Senior management must demonstrate commitment to cybersecurity. This includes assigning accountability at board level, allocating sufficient resources and integrating cybersecurity into business strategy.
  3. Network and Information Security Policy - Organisations must develop and maintain a formal security policy that defines roles and responsibilities, covers all relevant systems and services and is reviewed regularly and updated as needed.
  4. Risk Management Policy - A structured approach to identifying, assessing, and mitigating cybersecurity risks is required. This includes risk assessments, risk treatment plans and regular reviews and updates.
  5. Continuous Improvement - Entities must regularly assess the effectiveness of their cybersecurity measures and make improvements. This includes undertaking internal audits, considering lessons learned from incidents and benchmarking the measures in place against best practices.
  6. Basic Cyber Hygiene and Training - All staff must receive regular cybersecurity training. Basic hygiene practices must be enforced, including patch management, secure configuration and strong password policies.
  7. Asset Management - Organisations must maintain an accurate inventory of information assets and ensure their protection. This includes the requirement to maintain hardware and software inventories, to undertake the classification of information assets and to ensure that ownership and lifecycle management practices are in place.
  8. Human Resources Security - Security responsibilities must be defined for all roles. This includes undertaking background checks (where permitted and appropriate), including security clauses in contracts of employment and ensuring that secure onboarding and offboarding processes are implemented.
  9. Access Control - Access to systems and data must be restricted based on roles and responsibilities. The measures identified include the implementation of role-based access control, multi-factor authentication and regular access reviews.
  10. Environmental and Physical Security - Physical access to critical systems must be controlled and monitored. Again the measures identified include securing facilities, putting appropriate surveillance systems in place and implementing a visitor management system.
  11. Cryptography, Encryption and Authentication - Entities must use appropriate cryptographic controls to protect data. The measures identified here include the encryption of data both at rest and in transit, the implementation of secure key management and the requirement that strong authentication mechanisms be in place.
  12. Supply Chain Policy - Cybersecurity risks in the supply chain must be assessed and managed. The actions required here include undertaking supplier risk assessments, imposing security requirements in contracts and monitoring third-party compliance with those requirements.
  13. Security in System Development and Maintenance - Security must be embedded in the lifecycle of IT systems. This includes secure coding practices, vulnerability management and change control processes.

Implementation Considerations

The guidance emphasises a risk-based approach, meaning that the depth and complexity of implementation should be proportionate to the entity's size, sector and threat exposure. All entities must, however, be able to demonstrate their compliance with each RMM.

Documentation and Evidence

Entities are expected to:

  • Maintain documentation for each RMM
  • Provide evidence of implementation during audits
  • Update documentation regularly

Supervision and Enforcement

The NCSC and other competent authorities will have powers to:

  • Conduct audits and inspections
  • Request documentation and evidence
  • Impose fines and sanctions for non-compliance

Essential entities will be subject to proactive supervision, while important entities will be supervised reactively, based on incidents or complaints.

Next Steps for Impacted Entities

  1. Determine Applicability - Assess whether your organisation falls within the scope of NIS2 based on sector and size.
  2. Conduct a Gap Analysis - Compare current cybersecurity practices against the 13 RMMs to identify gaps.
  3. Develop an Implementation Plan - Prioritise actions based on risk and resource availability. Assign responsibilities and set timelines.
  4. Engage Senior Management - Ensure leadership understands their responsibilities and allocates necessary resources.
  5. Register with the Competent Authority - Complete the registration process as required by RMM001.
  6. Prepare for Audits - Maintain documentation and evidence to demonstrate compliance.

Types of Enforcement Actions

According to the NCSC's Quick Reference Guide, national authorities (such as the NCSC in Ireland) are empowered to take the following actions:

  1. Issue Warnings – Formal notices of non-compliance.
  2. Issue Binding Instructions – Mandates to take specific corrective actions.
  3. Order to Cease Non-Compliant Conduct – Immediate halting of practices that breach the directive.
  4. Order to Comply – Requirements to bring risk management or reporting practices into compliance by a set deadline.

Financial Penalties

The directive mandates that penalties must be effective, proportionate, and dissuasive. While the exact amounts are determined by each Member State, the NIS2 Directive sets maximum thresholds:

  • For essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
  • For important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

Other Consequences

  • Public disclosure of non-compliance may be ordered, potentially damaging an organisation’s reputation.
  • Suspension of certifications or authorisations may occur in severe cases.
  • Personal liability: Senior management can be held accountable for failures in governance or oversight.

Cyber Fundamentals Framework

To support organisations in their compliance journey, Ireland has joined the Cyber Fundamentals framework (CyFun). This is a practical cybersecurity framework specifically designed to help organisations comply with the NIS2 Directive. It is currently being updated to integrate the NIST Cybersecurity Framework 2.0, and version 2 of CyFun is expected to be available in September. While the NCSC will continue to recognise other internationally accepted standards, it recommends CyFun as helpful guidance and tooling that aligns with the 13 Risk Management Measures. It offers entities a structured approach for assessing their current cybersecurity posture and developing implementation roadmaps. CyFun will be particularly valuable for organisations that lack extensive cybersecurity expertise, by providing step-by-step guidance on building robust cyber resilience capabilities while also meeting the NIS2 requirements. CyFun will ultimately involve a national certification process, but the systems for this are expected to take between 18 and 24 months to establish. More information in relation to CyFun is available at this link.
