Is Your Business in Scope?
NIS2 came into effect across EU member states in October 2024, replacing the original NIS Directive with significantly broader scope and stricter obligations. For many Irish businesses, the key question is simple: does this apply to us? The answer depends on two things — what sector you operate in, and how large your organisation is.
Two Categories of In-Scope Organisations
The directive splits regulated organisations into essential entities and important entities. Essential entities face the heaviest obligations and include energy, transport, banking, financial market infrastructure, healthcare, and digital infrastructure. Important entities cover a wider range: food production, chemicals, waste management, manufacturing, postal and courier services, and digital providers, among others.
€10M: Maximum penalty for essential entities, or 2% of global turnover
€7M: Maximum penalty for important entities, or 1.4% of global turnover
Size Thresholds
The baseline threshold is medium-sized enterprises — broadly, organisations with 50 or more employees and an annual turnover or balance sheet total exceeding €10 million. A 60-person insurance broker, a healthcare provider with 80 staff, or a mid-sized manufacturer can all find themselves in scope.
What Organisations Commonly Get Wrong
The most common mistake is assuming NIS2 only applies to large enterprises or technology companies. That was broadly true of the original NIS Directive. NIS2 changed that. A second common error is conflating sector and activity — a company providing software to a healthcare organisation is not automatically in scope because its client is.
The Supply Chain Angle
Even if your organisation sits outside direct scope, in-scope clients may require you to meet certain security standards as part of their own compliance obligations. This is already generating commercial pressure across Irish professional services, legal, and IT supply chains.
“Assume you are in scope and seek confirmation, rather than assuming you are not and finding out otherwise when an incident occurs.”
Sean Lucas
Chief Technical Engineer, DNA IT Solutions
How to Check Your Position
Start with sector. Does your primary activity fall within one of the NIS2 categories? If yes, check your size against the threshold. If you meet both criteria, confirm your position with a compliance adviser rather than assuming you are out of scope. The cost of getting this wrong is not just financial: an in-scope organisation without the required governance structures is exposed to regulatory penalties and reputational damage.
The NCSC provides a practical survey tool for checking where you stand in relation to the legislation: https://www.ncsc.gov.ie/nis2/amiinscope/
