What does your NIS2 readiness look like?
Knowing you are in scope for NIS2 is one thing.Working out what to do about it is another.
NIS2 sets out minimum security measures that in-scope organisations must have in place, and while the directive does not prescribe specific technical solutions, it is clear about the domains that need to be addressed.
The following is a practical first-pass framework. It is not a substitute for a formal compliance assessment, but it should give you a useful baseline picture of where you stand.
Checklist
Key Focus Areas
Governance and Accountability
Your board or senior management team should have formal ownership of cybersecurity risk. This means documented policies, a named individual with responsibility for oversight, and evidence of regular review. If your current arrangements leave cybersecurity entirely to an IT team without board-level visibility, that needs to change before anything else.
Risk Assessment
You need a current, documented assessment of the cybersecurity risks facing your organisation, covering your systems, your data, your supply chain dependencies, and the likely impact of different types of incident. Many Irish businesses have not done this systematically; a gap analysis against a recognised framework such as ISO 27001 or the NIST Cybersecurity Framework is a practical starting point.
Incident response
A documented and tested incident response plan is a requirement. It must reflect NIS2’s reporting timelines: a 24-hour early warning to the relevant authority, followed by a full notification within 72 hours. A plan that has never been tested through a simulated scenario is an untested plan, and that distinction matters when a real incident occurs.
Business continuity
In-scope organisations must have arrangements in place for maintaining or restoring operations following a significant disruption. Backup procedures, recovery time objectives, and crisis communication plans all fall within this scope; having these documented and reviewed regularly is the baseline expectation.
Supply chain security
You are responsible for assessing the cybersecurity practices of third-party suppliers and service providers with access to your systems or data. That includes your managed IT provider, your cloud platforms, your payroll software, and any external service with a connection into your environment.
Staff awareness
Employees at all levels need cybersecurity awareness training that is documented, recurring, and relevant to the threats your organisation actually faces. It does not need to be elaborate, but it does need to be evidence-based and repeatable.
“People wait for defeat before they act. They’ll put robust controls in place after something’s happened. By then, the horse has bolted.”
Sean Lucas
Chief Technical Engineer, DNA IT Solutions
