NIS2 Directive: New Legal Cybersecurity Obligations and Fines

NIS2 Directive: New Legal Cybersecurity Obligations and Fines Put Pressure on Irish Businesses Across Critical Sectors

Irish organisations across a wide range of industries are being urged to urgently assess their cybersecurity and compliance readiness as the NIS2 Directive introduces new legal obligations, increased regulatory oversight, and significant financial penalties for non‑compliance.

The updated Network and Information Security Directive (NIS2) represents one of the most far‑reaching pieces of EU cybersecurity legislation to date. It expands the scope of mandatory cybersecurity requirements well beyond traditional critical infrastructure and places clear legal responsibility on senior management and boards to ensure effective cyber risk management is in place.

Industries Clearly in Scope Under NIS2

At a glance, NIS2 applies to medium and large organisations operating in the following sectors, among others:

  • Energy and Utilities
  • Transport and Logistics
  • Healthcare and Life Sciences
  • Banking, Financial Services and Insurance
  • Digital Infrastructure and Cloud Services
  • Manufacturing of Critical Products
  • Public Administration (central and regional)
  • Waste and Water Management
  • Telecommunications and Digital Service Providers
  • Postal and Courier Services

In many cases, organisations may be in scope without realising it, particularly where they provide essential services, support critical supply chains, or operate across EU markets. Size thresholds, sector classification, and the criticality of services all play a role in determining applicability.

NIS2 Is a Legal Requirement — Not Guidance

Unlike previous cybersecurity frameworks, NIS2 is legally binding. Organisations that fall within scope are required by law to implement appropriate cybersecurity risk management measures, including incident detection, response, reporting, business continuity, and supply‑chain security controls.

Importantly, responsibility does not sit solely with IT teams. NIS2 explicitly places accountability at board and senior management level, making cybersecurity a governance issue rather than a purely technical one.

“NIS2 introduces clear legal obligations for organisations and their leadership teams,” said Ian Power, Managing Director of the IT support provider Unitec. “This directive is a wake‑up call. Cybersecurity is now a regulated business function, and boards are expected to be able to demonstrate oversight, preparedness, and accountability. Failure to do so isn’t just a technical risk — it’s a legal and financial one.”

Significant Fines and Enforcement Powers

NIS2 also brings stronger enforcement mechanisms for national regulators. Organisations that fail to comply may face:

  • Administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher
  • Regulatory audits and security inspections
  • Binding corrective measures
  • Personal consequences for senior leaders in cases of serious governance failure

These penalties are designed to ensure cybersecurity is treated with the same seriousness as data protection, financial regulation, and health and safety obligations.

“We’re seeing cybersecurity move firmly into the same regulatory space as GDPR,” Power added. “The cost of inaction can be severe — not just in fines, but in reputational damage, operational disruption, and loss of trust. Organisations that act early will be in a far stronger position.”

Supply Chains and Third Parties Also Under Scrutiny

Another key feature of NIS2 is its focus on supply‑chain security. Organisations must assess and manage cyber risks introduced by third‑party suppliers and service providers, recognising that vulnerabilities in the supply chain can trigger serious downstream impacts.

This means that even companies not directly regulated may be required to meet higher cybersecurity standards if they support regulated entities.

Free Webinar: Understand Your Obligations Under NIS2

To help Irish organisations understand whether they are affected — and what practical steps they need to take — Unitec is hosting a dedicated NIS2 webinar on 21 April.

The session will cover:

  • Which industries and organisations are in scope
  • What NIS2 legally requires in plain English
  • The potential penalties for non‑compliance
  • How boards and leadership teams should respond
  • Practical next steps to build compliance and resilience

Registration is now open. Secure your place at: www.unitec.ie/events