Network and Information Security Directive of 2022 (NIS2)
Everything Business Leaders Must Know About NIS2
Cybersecurity Is Now a Boardroom Priority
NIS2 is reshaping cybersecurity across the EU, moving it from a technical function to a strategic leadership priority. The directive sets a common standard for "good cybersecurity" and introduces real consequences for non-compliance.
In Ireland, this is becoming law through the upcoming National Cyber Security Bill, led by the National Cyber Security Centre (NCSC). It brings more sectors under regulatory scrutiny, including digital infrastructure, life sciences, online marketplaces, and large-scale food production.
This isn't just policy. The NCSC will have the power to audit, inspect, and spot-check organisations. Non-compliance can lead to fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities (the directive sets a lower cap of €7 million or 1.4% for important entities), and to personal liability for the members of management bodies. Leadership must now approve, oversee, and understand their organisation's cybersecurity posture.
What Is NIS2 and Who Must Comply?
NIS2 is the European Union's updated cybersecurity directive, officially Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. It replaces the original NIS Directive of 2016 (Directive (EU) 2016/1148) and significantly strengthens cybersecurity obligations for public and private entities across the EU.
The directive sets out a unified framework to improve the overall level of cybersecurity by requiring organisations in critical sectors to adopt stronger risk management practices, report major incidents promptly, and ensure operational continuity in the face of cyber threats. It also introduces direct accountability for leadership.
NIS2 outlines four core requirements:
- Risk Management: Take an "all-hazards" approach to cybersecurity, addressing threats from attacks, human error, or disasters.
- Corporate Accountability: Management bodies must approve the organisation's cybersecurity risk-management measures, oversee their implementation, and complete cybersecurity training; they can be held personally liable for failures.
- Incident Reporting: Notify the competent authority or CSIRT of significant incidents in three stages: an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month.
- Business Continuity: Prepare and test plans for recovery and crisis response.
NIS2 applies if your organisation is both:
- Medium-sized (50–249 staff or €10M–€50M annual turnover) or Large (250+ staff or over €50M annual turnover)
- And operating in one of the sectors listed in the directive, such as:
  - Essential Entities (high-criticality sectors): energy, transport, healthcare, digital infrastructure
  - Important Entities (other critical sectors): waste management, postal services, food production, digital platforms
Note that the size threshold does not apply to everyone: certain providers, such as DNS service providers, top-level domain name registries and trust service providers, fall within scope regardless of their size.
How to Prepare for NIS2
The NCSC has provided guidance through the Risk Management Measures (RMMs) and Cyber Fundamentals (CyFun) framework. Compliance won't happen overnight, and there is no grace period once Ireland enacts the law in late 2025.
A practical roadmap includes:
- Setting up a cybersecurity steering committee
- Performing a gap analysis against the RMMs
- Implementing baseline security controls
- Assessing risks in your supply chain
- Testing and documenting compliance through real-world drills
How Saros Consulting Can Guide Your Compliance Journey
NIS2 compliance is a significant undertaking that requires dedicated resources, expertise, and time. For organisations in highly specialised sectors, the challenge is even greater. Saros Consulting acts as your specialist partner to demystify the process and provide a structured, efficient path to compliance.
We have a distinct focus on sectors that are profoundly impacted by NIS2, bringing deep domain knowledge to your specific challenges.
We help you implement robust security that aligns with both NIS2 and existing regulations.