Intellix IT Solutions
NIS2 Compliance · Ireland & UK SMEs

NIS2 is in force. Now what?

The NIS2 Directive was transposed into Irish law in October 2024 and pulls thousands of medium-sized operators into scope for the first time — food producers, digital infrastructure providers, manufacturers, B2B SaaS, managed service providers and parts of the supply chain. Penalties run to €10m or 2% of global turnover. We help you find out where you stand, fix the gaps that matter, and produce the evidence a regulator (or your largest customer's procurement team) actually wants.

Am I in scope?

If you have 50+ staff or €10m+ turnover in a covered sector — probably yes.

NIS2 splits operators into two categories — essential entities (energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration) and important entities (manufacturing, food production, postal services, waste management, digital service providers, research). Both categories include SMEs above the 50-staff / €10m-turnover thresholds.

Even if you're not directly in scope, your largest customers probably are — and they're already pushing NIS2-aligned supplier questionnaires down their supply chain. Refusing to engage with that questionnaire now is the fastest way to lose tenders in 2026.

What NIS2 actually requires

Eight control families. One framework.

Article 21 of the Directive sets out ten cybersecurity risk-management measures. In practice they map into eight control families. Our gap analysis grades each family Red / Amber / Green with named owners and remediation effort.

01. Governance & accountability

Board-level cyber accountability, named responsible officer, training cadence, policy ownership, supplier oversight.

02. Risk management

Documented risk register, asset criticality grading, threat modelling for in-scope services, periodic review.

03. Incident handling

24-hour early warning, 72-hour incident notification to the National Cyber Security Centre, post-incident reporting, tabletop rehearsals.

04. Supply chain security

Supplier risk grading, contractual cyber clauses, monitoring of vendor security posture, sub-processor visibility.

05. Vulnerability management

Patch SLAs by criticality, asset inventory completeness, external scanning, secure-development lifecycle for in-house code.

06. Business continuity

Backup strategy, ransomware-readiness testing, crisis management plan, dependency mapping, RTO/RPO discipline.

07. Cryptography & access

Encryption in transit and at rest, key management, MFA across admin and remote access, privileged-access controls.

08. HR & training

Onboarding/offboarding security checks, role-based training, phishing simulations, awareness-evidence retention.

How we run a NIS2 engagement

Two days to a scorecard. Ninety to remediated.

We're calm about this. Most SMEs are 60–70% of the way to compliant without realising it — the remaining 30% is concrete, finite work. We deliver the gap analysis fast so the conversation can move to fixing things, not arguing about whether we're in scope.

01. 2-day scoping interview

One half-day with leadership, one with IT and one with operations. We walk the eight control families, score Red / Amber / Green, and document evidence gaps.

02. Gap analysis report

Within one week of scoping — a CISO / DPO scorecard, prioritised gaps, owner mapping, effort estimate per gap, and a 90-day remediation roadmap.

03. Remediation sprint

We can run the remediation work directly (encryption, MFA, incident-response runbooks, supplier-clause templates) or hand off to your team with detailed playbooks.

04. Evidence pack & ongoing oversight

Final evidence pack ready for regulator inspection, board briefing, or supplier-questionnaire response. Optional quarterly oversight retainer.

Common questions

What in-scope SMEs ask us first.

When does NIS2 actually start being enforced in Ireland?

Ireland transposed the NIS2 Directive into national law in October 2024 via the National Cyber Security Bill. The National Cyber Security Centre (NCSC) is the competent authority. Active enforcement and the formal registration of in-scope entities are progressing through 2025–2026; supplier questionnaires from large enterprises and public bodies are already in flight now.

How is NIS2 different from NIS1 (the original Directive)?

Three big changes. First, the scope is far wider — manufacturing, food production, digital infrastructure, postal services, waste management, research and managed service providers are all newly in scope. Second, the size threshold drops to 50 staff / €10m turnover, sweeping in many SMEs. Third, the penalties are tougher (up to €10m or 2% of global turnover for essential entities), with personal liability for senior management.

What does a NIS2 gap analysis cost?

A typical SME gap analysis is fixed-price between €4,500 and €8,500 depending on operational scope. That covers the two-day scoping interview, the gap-analysis report, the eight-family scorecard and the 90-day remediation roadmap. You can take that report away and run the remediation yourself, hand it to another partner, or have us deliver the remediation under a separate scope.

Do you do the remediation work too, or just the audit?

Both. We can run the technical remediation directly — encryption, MFA rollout, MDM, incident-response runbooks, supplier-clause templates, board-briefing decks, evidence packs. Or we hand off to your internal team with detailed playbooks. Most clients ask us to deliver the critical gaps (incident response, encryption, supplier oversight) and run the rest internally.

We're not directly in scope, but our customer is asking for NIS2 evidence. Can you help?

Yes — this is the fastest-growing slice of our NIS2 work. We deliver a slimmed-down supplier-evidence pack designed to answer NIS2-aligned procurement questionnaires from your in-scope customers, with the controls, evidence and policies they'll be looking for. Typically 1–2 weeks turnaround.

What's the relationship between NIS2 and GDPR?

They overlap but don't replace each other. GDPR is about personal-data protection; NIS2 is about cybersecurity and resilience of essential services. Our gap analysis maps every finding to both regimes — GDPR Art. 32 (security of processing) and the eight NIS2 control families — so you can run a single remediation programme that satisfies both.

Find out where you stand.

20-minute discovery call. If NIS2 isn't actually your problem, we'll tell you so — and point you at the regime that is.

Book a NIS2 readiness call