The Law Society Gazette reported on the NCSC’s publication of guidance aimed at helping organisations prepare for an EU cybersecurity directive expected to cover thousands of Irish organisations once transposed. The article notes the anticipated scope expansion and the practical need for organisations to understand whether they will fall within the directive’s reach.
This matters because NIS2 expands the number and type of entities subject to cybersecurity governance and incident reporting obligations. Even for organisations that believe they may be “too small” or “not critical”, the expanded scope means assumptions should be tested. The compliance effort is not solely technical; it includes governance structures, risk management policies, supplier oversight, and incident response capability with reporting readiness.
Separately, the Gazette has also highlighted cyber-related policy and governance themes — including calls to strengthen procurement rules and implement EU cyber frameworks — reflecting the wider push for resilience as an operational requirement for public and private sector organisations.
Acompli perspective: Organisations should treat NIS2 as a programme rather than a project: scope confirmation, gap analysis, control implementation, evidence generation, and incident reporting drills. The earlier you structure your approach — mapping systems, suppliers, and key controls — the less disruptive compliance becomes. For many organisations, the “hard part” is not the controls themselves; it is proving they exist and are managed.