Ireland has just taken on the EU Council Presidency. A week later, it was referred to the EU's highest court for failing to implement its own cybersecurity law. Here's what the NIS2 delay actually means for Irish organisations, and why waiting for legal certainty is the wrong strategy.
Ireland referred to the Court of Justice over NIS2 delays: what it means for Irish organisations
Last week the European Commission referred Ireland, along with Spain, France and the Netherlands, to the Court of Justice of the EU for failing to implement the NIS2 Directive. The deadline passed on 17 October 2024. Nearly 21 months later, and after both a formal notice and a reasoned opinion, the Commission is now seeking financial penalties until full transposition is notified.
The timing is particularly awkward. Ireland assumed the EU Council Presidency on 1 July 2026, just one week before the referral.
Lee Bristow, our Director of Cyber & AI Governance, says the delay leaves organisations in a difficult planning position. “Given the Government’s focus on security during the Presidency, and against the backdrop of several high profile cyber incidents in recent years, it’s disappointing to see implementation delayed further towards the end of 2026. The organisations likely to fall within the scope of NIS2 would be wise not to wait for the legislation to catch up, as once live, there will be no grace period.”
Ireland’s National Cyber Security Bill, which will formally transpose NIS2 into domestic law, remains in pre-legislative scrutiny and is not expected to reach the Oireachtas before September at the earliest. In the meantime, the obligations set out at EU level, risk management measures, incident reporting timelines and management accountability, exist regardless of whether Irish legislation has caught up.
For organisations operating in sectors likely to fall within scope, energy, financial services, pharma and other critical infrastructure among them, the message is consistent regardless of when the legislation formally lands. Governance structures, risk management measures and incident reporting capability take time to build properly. Waiting for legal certainty before starting that work only compresses the runway once the law does take effect.
This is precisely the kind of regulatory ambiguity that makes independent, vendor neutral guidance valuable. Saros works with IT and security leaders to assess readiness against NIS2 requirements, identify governance gaps at board and management level, and build a practical roadmap toward compliance, without the pressure of a vendor pushing a specific platform or tool.
If your organisation is unsure where it stands, or has been waiting for clarity that keeps not arriving, now is the right time to have that conversation.
How Saros Consulting Can Guide Your Compliance Journey
NIS2 compliance is a significant undertaking that requires dedicated resources, expertise, and time. For organisations in highly specialised sectors, the challenge is even greater.
Saros offers a focused 5 day NIS2 Readiness Assessment, giving your organisation a clear answer on scope and classification, a prioritised gap analysis against the Directive’s core requirements, and a strategic roadmap for closing them, delivered straight to your leadership team.
If your organisation is unsure where it stands, this is the fastest way to find out.
Get in Touch with
Saros Consulting
Looking to simplify your IT challenges and achieve your goals? Reach out to discover how we can help.
Related Articles
September 22nd, 2025
In this article, Lee Bristow, Director of Cyber and AI Governance at Saros Consulting, examines how the EU AI Act and NIS2 are reshaping retail board responsibilities and exposing directors to new personal liabilities
September 02nd, 2025
There’s a dangerous disconnect in modern boardrooms. We assume the future of technology will be a simple continuation of the past, but a powerful confluence of AI and regulation is making that assumption fatal. In this new landscape, the most dangerous decision a board can make is to do nothing at all.






