NIS2 Ireland Preparation Guide: National Cyber Security Bill, NCSC Ireland and CyFun Framework for 2026

Complete guide to NIS2 preparation in Ireland. Covers the pending National Cyber Security Bill, NCSC Ireland authority, CyFun compliance framework adopted from Belgium, 15 Risk Management Measures, entity classification expectations, and what organizations should do now despite legislation not yet enacted.

Ireland is the only major EU member state that has not yet enacted NIS2 transposition legislation. As of April 2026, the National Cyber Security Bill has not been introduced to the Oireachtas (Irish Parliament). Ireland faces EU infringement proceedings — a formal notice has been issued, and referral to the Court of Justice of the EU is threatened.

Yet Ireland is not standing still. The NCSC (National Cyber Security Centre) has published extensive preparation guidance, adopted Belgium’s CyFun framework as a compliance readiness tool, and published 15 draft Risk Management Measures. Some regulators, including ComReg (Commission for Communications Regulation), are already conducting informal compliance engagements with in-scope entities.

For Irish organizations — and the cyber insurance professionals who underwrite them — this guide covers what we know about the pending legislation, the CyFun framework, preparation steps, and why waiting for the law to pass is a dangerous strategy.

Ireland’s NIS2 Status: Legislation Pending

The National Cyber Security Bill

The National Cyber Security Bill is based on the General Scheme (Heads of Bill) published in September 2024. Key features of the General Scheme:

  • Defines “management board” (Head 28) and personal liability provisions (Head 43)
  • Designates NCSC Ireland as the lead competent authority
  • Establishes the framework for essential and important entity classification
  • Provides for sector-specific competent authorities
  • Creates enforcement and penalty structures

Current status: The Bill has not been published or introduced to Parliament. The legislative timeline is uncertain, but passage in 2026 remains possible.

Why Ireland Delayed

Several factors contributed to Ireland’s delayed transposition:

  • Government formation timeline — post-election government negotiations
  • Complex regulatory landscape — financial services already covered by DORA under the Central Bank of Ireland
  • Resource constraints at NCSC — the centre is being significantly expanded to handle NIS2 responsibilities
  • Coordination challenges — designating multiple sector-specific competent authorities requires inter-departmental agreement

EU Infringement Pressure

Ireland faces escalating EU enforcement:

  • Formal notice issued by the European Commission
  • Reasoned opinion likely if legislation not introduced promptly
  • CJEU referral threatened — could result in financial penalties

This pressure means the legislation is likely to be fast-tracked once introduced.

National Competent Authority — NCSC Ireland

NCSC (National Cyber Security Centre)

NCSC Ireland is designated as the lead competent authority under the General Scheme:

  • Will serve as the primary NIS2 regulator
  • CSIRT-IE — national CSIRT being strengthened for incident response
  • Sector-specific competent authorities — being designated; an NCA forum is in place/in final stages
  • Publishing proactive guidance despite legislation not yet enacted

Proactive Preparation Tools

NCSC Ireland has already published:

  1. “Am I in Scope?” self-assessment tool — advisory tool for entities to determine NIS2 applicability
  2. Draft Risk Management Measures guidance — 15 detailed RMMs with Foundational and Supporting actions
  3. CyFun framework adoption — Belgium’s Cyber Fundamentals as a compliance readiness framework
  4. Sector engagement program — NCSC conducting outreach to in-scope sectors

Sector-Specific Authorities

Sector | Expected Authority
Telecom | ComReg (already engaging informally)
Financial Services | Central Bank of Ireland (DORA coverage)
Energy | Commission for Regulation of Utilities (CRU)
Health | HSE / HIQA
Transport | Department of Transport

The CyFun Framework

What Is CyFun?

Ireland adopted Belgium’s CyFun (Cyber Fundamentals) framework as a key compliance readiness tool. Co-owned by NCSC Ireland, CyFun:

  • Provides a tiered framework with four levels:
    • Small — basic security measures for small organizations
    • Basic — standard measures for medium organizations
    • Important — enhanced measures for important entities
    • Essential — comprehensive measures for essential entities
  • Aligned with NIST CSF v2.0 — maps to the US National Institute of Standards and Technology framework
  • Implementation-agnostic — focuses on outcomes rather than specific technologies

Why CyFun Matters for Insurance

CyFun gives underwriters something rare in the NIS2 space: a standardized, tiered maturity model that:

  • Provides a common language for discussing cybersecurity posture
  • Allows like-for-like comparison between entities
  • Creates a certification pathway (planned over next 18-24 months)
  • Can be verified through external assessment

National Cybersecurity Certification Scheme

Ireland plans to launch a national cybersecurity certification scheme over the next 18-24 months, based on CyFun. This will:

  • Allow entities to demonstrate compliance through external verification
  • Create a certified assessor network
  • Provide insurers with independently verified security posture data

Expected Entity Classification

Based on the General Scheme, Ireland is expected to follow the standard NIS2 two-tier model:

Essential Entities

Organizations in Annex I sectors exceeding size thresholds:

  • ≥250 employees OR ≥€50M annual turnover (or ≥€43M balance sheet)
  • Automatic inclusion regardless of size: DNS, TLD registries, cloud services, trust services, public electronic communications

Important Entities

Organizations in Annex II sectors meeting size thresholds:

  • ≥50 employees AND (≥€10M turnover OR ≥€10M balance sheet)

Key Exemptions

  • Financial market infrastructures — exempt from NIS2; covered by DORA under Central Bank of Ireland
  • Public administration — scope to be defined in final legislation

15 Risk Management Measures

NCSC Ireland published draft guidance with 15 RMMs, divided into:

Foundational Actions (Mandatory for All)

  1. Governance and risk management — board-level cybersecurity oversight
  2. Asset management — identification and inventory of critical assets
  3. Risk assessment — regular cybersecurity risk assessments
  4. Access control — identity and access management policies
  5. Data protection — encryption, data classification, privacy measures
  6. Incident management — detection, response, and recovery procedures
  7. Business continuity — backup, disaster recovery, resilience planning
  8. Supply chain security — third-party risk management
  9. Training and awareness — regular cybersecurity education
  10. Vulnerability management — patching, testing, disclosure handling

Supporting Actions (Risk-Based)

  1. Cryptography management — key management, certificate lifecycle
  2. Physical security — facility access controls, environmental protection
  3. Logging and monitoring — SIEM, anomaly detection, audit trails
  4. Change management — controlled change processes for critical systems
  5. Secure development — SDLC security, code review, testing

Expected Penalties

Based on the General Scheme:

Entity Type | Maximum Fine | Turnover Cap
Essential entities | €10M | 2% worldwide group turnover
Important entities | €7M | 1.4% worldwide group turnover

Management Liability (Head 43)

Board members face personal liability for infringements where there was:

  • “Consent or connivance” (knowing participation)
  • “Wilful neglect” (conscious failure to act)
  • Head 28 also references liability for “gross negligence”

What Irish Organizations Should Do NOW

Despite the legislation not being enacted, several factors make immediate preparation critical:

1. Register with NCSC

Use the NCSC’s “Am I in Scope?” tool to determine whether your organization will be affected.

2. Conduct a Gap Assessment

Use the 15 RMMs and CyFun framework to assess your current posture against expected requirements.

3. Appoint a CISO / Cybersecurity Lead

Even without a legal requirement yet, designate a senior executive responsible for cybersecurity governance.

4. Implement Foundational Measures

The 10 Foundational Actions are unlikely to change significantly in the final legislation. Begin implementation now.

5. Review Supply Chain Contracts

Assess vendor security practices and update contracts with NIS2-compliant security clauses.

6. Prepare Incident Reporting Procedures

Establish internal procedures for 24h/72h/30-day reporting timelines, even before the portal is available.

7. Engage Your Insurer

Discuss NIS2 coverage with your cyber insurance broker. Policies written before NIS2 may not cover regulatory costs under the new framework.

Implications for Cyber Insurance

Underwriting Considerations for Irish Entities

  1. Pre-legislation window — Underwriters should use the current period to educate clients about upcoming requirements and position coverage extensions.

  2. CyFun as underwriting tool — The CyFun framework provides a ready-made risk assessment methodology. Consider requiring CyFun-level certification as a condition of coverage.

  3. Tech sector concentration — Ireland hosts many major tech companies (Dublin’s “Silicon Docks”). These entities face both NIS2 and sector-specific requirements, creating complex coverage needs.

  4. DORA overlap — Financial services entities covered by DORA are exempt from NIS2, but the dual regulatory burden creates compliance cost exposure.

  5. ComReg proactivity — The telecom regulator is already engaging informally, suggesting Ireland’s enforcement may ramp up quickly once legislation passes.

Coverage Checklist

  • Regulatory investigation and defense costs (when legislation enacted)
  • Incident notification and response costs
  • D&O liability for personal NIS2 exposure
  • Business interruption from mandatory incident reporting
  • Supply chain security compliance costs
  • CyFun certification preparation costs
  • Legal defense for management liability claims


Last updated: April 2026. Ireland’s NIS2 framework is still in legislative development. Check the NCSC Ireland website for the latest guidance and preparation tools.
