
Understanding NIS2: A Guide for Cross-Border SMEs

The NIS2 Directive is reshaping cybersecurity requirements across the EU, with significant implications for businesses trading across Ireland and the UK. This article provides essential guidance for SMEs on understanding NIS2, determining if it affects your business, and taking practical steps toward compliance.

What is NIS2?

NIS2 represents the EU's second-generation approach to establishing consistent cybersecurity standards across member states. Building on the original 2016 NIS Directive, NIS2 significantly expands both the scope of covered sectors and the depth of security requirements [1].

The directive, adopted in late 2022, strengthens security requirements, introduces stricter supervisory measures and enforcement mechanisms, and, crucially for SMEs, extends coverage to supply chain security obligations [2].

Key Objectives of NIS2

The directive's implementation framework encompasses three core areas: national-level governance structures and crisis protocols, organisational security requirements and incident reporting obligations, and cross-border coordination mechanisms[1]:

Member State Responsibilities: Creating regulatory bodies, national strategies, vulnerability reporting systems, and emergency response protocols.

Risk Management: Mandating security controls and timely incident notifications for designated organisations.

Cooperation and Information Exchange: Enabling cross-border cooperation through working groups, technical response teams, and mutual assessments.

Who is in Scope?

NIS2 classifies organisations into two categories: Essential Entities and Important Entities. The classification depends on both the sector in which you operate and your organisation's size[1].

Size Thresholds

Organisation size, combined with sector, determines classification under NIS2. Large organisations (250+ employees or more than €50M in annual turnover) operating in an Annex I sector typically qualify as Essential Entities. The Important Entity category generally captures medium-sized organisations (50-249 staff or €10-50M turnover) in Annex I sectors, and medium or large organisations in Annex II sectors. Smaller enterprises under 50 employees usually fall outside direct regulatory scope, though supply chain requirements may still affect them [1].

Sectors Covered

NIS2 covers 18 sectors divided into two annexes:

Annex I - Sectors of High Criticality: Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management (B2B), Public Administration, and Space.

Annex II - Other Critical Sectors: Postal and Courier Services, Waste Management, Chemicals, Food Production and Distribution, Manufacturing (specific types), Digital Providers (online marketplaces, search engines, social networks), and Research.

Note that certain digital infrastructure providers (qualified trust service providers, DNS service providers, TLD registries) are in scope regardless of size [1].

Why This Matters for SMEs

While many SMEs may not be directly classified as Essential or Important Entities, NIS2 has significant indirect implications through supply chain requirements.

The Supply Chain Effect

Supply chain security is one of the ten mandatory risk management measures that Essential and Important Entities must address [1]. This creates a cascading effect: major organisations in banking, healthcare, energy, transport, and public administration now have legal obligations to verify that their suppliers meet appropriate security standards. Many Irish and UK SMEs are experiencing this shift firsthand: maintaining or securing contracts with larger clients increasingly requires demonstrating NIS2-aligned security capabilities.

The specific security expectations vary depending on the client relationship and context, but the underlying principle remains consistent: organisations within the supply chain need verifiable cybersecurity practices.

Cross-Border Considerations

For businesses operating across Ireland and the UK, understanding the regulatory landscape is particularly important. While NIS2 is an EU directive being implemented in Ireland, UK entities serving EU clients or operating EU subsidiaries may also need to demonstrate compliance with equivalent standards. The regulatory environment continues to evolve, and maintaining awareness of both jurisdictions' requirements is essential for cross-border trade.

The 10 Mandatory Security Measures

NIS2 establishes ten foundational security requirements that covered organisations must address. These requirements emphasize a risk-based approach, with implementation scaled to match organisational size, available resources, and potential incident severity [1].

  1. Risk Analysis & Information System Security: Organisations must analyse threats to their systems and establish comprehensive security protocols.

  2. Incident Handling: Organisations must develop incident management capabilities covering prevention, detection, response, and recovery phases.

  3. Business Continuity Measures: Implement continuity planning, including data backup strategies and crisis response procedures.

  4. Supply Chain Security: Assess and manage cybersecurity risks arising from suppliers and third party service providers.

  5. Security in System Acquisition, Development, and Maintenance: Integrate security across system lifecycles, from procurement through maintenance, including vulnerability handling and coordinated disclosure procedures.

  6. Policies and Procedures for Assessing Effectiveness: Regularly measure how well security controls perform.

  7. Basic Cyber Hygiene and Training: Maintain fundamental employee training programs and essential security hygiene practices.

  8. Cryptography and Encryption Policies: Implement appropriate policies on the use of cryptography and, where relevant, encryption to protect data.

  9. Human Resources Security, Access Control, and Asset Management: Establish personnel security procedures, access control policies, and asset tracking.

  10. Multi-Factor Authentication and Secured Communications: Deploy multi-factor authentication and encrypted communication channels.

Incident Notification Requirements

When significant incidents occur, covered entities must follow a three-stage reporting protocol to Ireland's National Cyber Security Centre [1][2]:

  • Early Warning (24-hour window): Within 24 hours of becoming aware of a significant incident, organisations must submit an early warning indicating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.

  • Incident Notification (72-hour deadline): A detailed notification that updates the early warning and includes an initial assessment of severity and impact, together with indicators of compromise where available.

  • Final Report (one month after the 72-hour notification): A comprehensive report covering root causes, impacts, and remediation steps. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being resolved.

National authorities may request additional status updates between these formal reporting points [1].

An incident is "significant" if it has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage [2].

Supervision and Enforcement

NIS2 replaces the previous distinction between "operators of essential services" (OES) and "digital service providers" (DSP) with a new framework distinguishing Essential from Important entities[1].

Supervisory Approach

Essential Entities face both ex-ante and ex-post supervision, including on-site inspections, regular security audits, security scans, and information requests[1].

Important Entities are subject to ex-post supervision, including on-site inspections following incidents, targeted security audits, and information requests to assess implemented measures [1].

Authorities can take a risk-based approach to prioritize supervisory activities [1].

Penalties for Non-Compliance

Regulators possess significant enforcement authority, from advisory warnings through to substantial financial sanctions[1]:

Essential Entities: Administrative fines up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher.

Important Entities: Administrative fines up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher.

Beyond organisational penalties, NIS2 introduces personal accountability for leadership. Executive teams must formally approve security measures, oversee implementation, and participate in relevant training. In Essential Entities specifically, top executives found in serious non-compliance may face temporary prohibition from holding management positions [1].

Looking Ahead

The implementation timeline for NIS2 across member states continues to progress, with Ireland's transposition of NIS2 into national law expected in 2026. National guidelines on incident reporting and security measures are being developed, providing greater clarity on implementation expectations.

For SMEs, particularly those engaged in cross-border trade, understanding and addressing NIS2 implications represents both a compliance necessity and a competitive advantage. Organisations that proactively build robust cybersecurity practices will be better positioned to secure contracts with larger clients, demonstrate trustworthiness to partners, and protect their own operations from increasingly sophisticated cyber threats [3].

The path to NIS2 alignment need not be overwhelming. By taking incremental steps, leveraging available resources, and maintaining open dialogue with clients and partners, SMEs can successfully navigate this evolving regulatory landscape while strengthening their overall cybersecurity posture.

Step 1: Determine your status

First, assess whether your organisation falls directly within NIS2's scope by reviewing your sector and size against the criteria outlined above. Even if you are not directly in scope, consider whether you supply organisations that fall in banking, healthcare, energy, transport, or public sector categories.

Step 2: Engage with Your clients

If you supply covered entities, proactively discuss their security expectations. Understanding their specific requirements early allows you to plan implementation rather than responding reactively to contract terms or tender requirements.

Step 3: Implement the fundamentals

Begin with basic security measures that align with NIS2 requirements. The Cyber Fundamentals Framework (CyFun), co-owned by the Irish and Belgian national cyber security centres, provides a structured approach aligned with international best practice such as the NIST Cybersecurity Framework 2.0 [3]. CyFun reuses the six NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, and Recover) and maps them to NIS2's requirements.

Priority areas for most SMEs include automated backup systems, multi-factor authentication across business-critical applications, documented incident response procedures, regular staff training on cybersecurity, and access control policies.

Step 4: Document your security posture

Create and maintain documentation of your security policies, procedures, and controls. This documentation serves multiple purposes: demonstrating compliance to clients, providing evidence during audits, and ensuring consistency in security practices across your organisation.

Step 5: Consider certification

As the Cyber Fundamentals Framework develops its certification pathway in the near future [4], achieving formal certification can provide concrete evidence of security standards to clients. Additionally, investigate whether broader certifications (such as ISO 27001 for information security management) or sector-specific schemes align with your clients' expectations.

Resources and Support

Several resources are available to support SMEs in understanding and addressing NIS2 requirements:

National Cyber Security Centre (NCSC) Ireland: The NCSC provides comprehensive NIS2 guidance including quick reference guides, sector-specific information, and FAQs. Key resource: NIS2: A Quick Reference Guide [1].

Cyber Fundamentals Framework (CyFun): A structured, voluntary framework based on NIST Cybersecurity Framework v2.0, designed to help entities align with cybersecurity best practices:

https://cyfun.eu/en/cyberfundamentals-framework-2025

UK Cyber Essentials: For UK-based SMEs or those serving UK clients, the Cyber Essentials scheme provides a clear baseline:

www.ncsc.gov.uk/cyberessentials/overview

ENISA (European Union Agency for Cybersecurity): ENISA provides practical guidance specifically designed for SMEs, including a 12-step guide to securing your business and comprehensive reports on cybersecurity challenges and recommendations for small enterprises.

https://www.enisa.europa.eu/publications/cybersecurity-guide-for-smes

Sector-Specific Support

Many industry bodies are developing sector-specific cybersecurity training and guidance. SMEs should contact their relevant trade associations or industry groups to inquire about available support programs.

Funding and Support Programs

While specific NIS2 implementation funding varies by jurisdiction and sector, several avenues for financial support merit investigation:

National Digitalisation Initiatives: Many national digitalisation funding streams now embed cybersecurity requirements, potentially covering web development, cloud migration, and digital transformation projects [5].

SME Support Programs: Check with Enterprise Ireland, Local Enterprise Offices, or equivalent UK support organisations about available cybersecurity grants or voucher schemes.

Sector-Specific Funding: Some sectors may have dedicated funding mechanisms for cybersecurity improvements. Contact your sector's regulatory body or industry association for details.

Article reviewed by the InterTradeIreland Trade Hub Team: March 2026


References

[1] National Cyber Security Centre. (2024). NIS2: A Quick Reference Guide. Available at https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_Guide.pdf

[2] Department of the Environment, Climate and Communications. (2024). The NIS2 Directive: Conference Presentation Slides. NCSC Conference 2024. Available at https://www.ncsc.gov.ie/pdfs/NIS2_NCSC_Conference_2024_Slides.pdf

[3] Munster Technological University and National Cyber Security Centre. (2025). SME Cyber Resilience: State of the Sector 2025. Available at https://cyberresilience.ie/wp-content/uploads/2026/01/SME-Cyber-Resilience-State-of-the-Sector-2025.pdf

[4] National Cyber Security Centre. Cyber Fundamentals (CyFun). Available at https://www.ncsc.gov.ie/CyFun/