Roadmap to
NIS2 COMPLIANCE

About Us

Centripetal, the global leader in intelligence powered cybersecurity, is operationalizing the world’s largest collection of threat intelligence, in real-time, to protect organizations from every known cyberthreat through its innovative patented technologies. The company’s CleanINTERNET® service delivers the only proactive approach to intelligence powered cybersecurity, leveraging the latest computing technology and skilled operations intelligence analysts, at dramatically lower cost. We are experts in threat intelligence, with a team comprised of cryptologists and security analysts from the U.S. Intelligence & Defense community who have protected the most sensitive assets in the world. Centripetal is based in Reston, VA with offices in Portsmouth, NH and Galway, Ireland.

BACKGROUND

The Network and Information Security Directive II (NIS2 Directive) is a comprehensive EU-wide piece of cybersecurity legislation designed to strengthen cybersecurity and resilience across the European Union. NIS2 replaces the earlier Network and Information Security Directive (NIS1), which was found inadequate in responding to the rising frequency and sophistication of cyber threats. Effective from 16 January 2023, NIS2 seeks to enhance collective cybersecurity among Member States by imposing rigorous obligations on critical infrastructure sectors. These obligations include expanded security requirements, enhanced cybersecurity risk management practices, and stricter reporting responsibilities, accompanied by tougher penalties for non-compliance. Member States were required to transpose the NIS2 Directive into national law by 17 October 2024, with the new regulations coming into effect on 18 October 2024.

The NIS2 Directive will expand the number of sectors impacted by the regulation from 7 to 18, categorizing them into essential and important entities. It will introduce new cybersecurity risk management measures and incident reporting obligations. The directive will intensify regulatory oversight including proactive supervision and enforcement. Furthermore, it will introduce a more stringent fine for failing to comply with requirements. Accountability will be imposed on top level management for non-compliance with cybersecurity obligations. In the event of a significant cyber incident, strict reporting requirements will be imposed. NIS2 mandates that essential and important entities adopt supply chain risk management reducing the risk of supply chain attacks.

Ireland's Position

As an EU directive, the NIS2 Directive requires each member state to transpose its provisions into their national or local legal frameworks. In Ireland, this process will be implemented through the National Cybersecurity Act 2024. Although the directive’s transposition deadline was October 17, 2024, Ireland has not yet met this deadline. Once enacted, the Act will serve as the primary legal instrument for incorporating the NIS2 Directive into Irish law. While NIS2 establishes baseline compliance standards, the National Cybersecurity Act will integrate these standards and introduce additional requirements tailored to Ireland’s specific national context.

Currently, the General Scheme of the National Cybersecurity Bill has been published and is progressing through the legislative process in the Oireachtas.

Once it has completed the pre-legislative process, it will be brought forward through the legislative process in the Oireachtas:

1. Initiation

2. Second Stage

3. Report Stage

4. Committee Stage

5. Final Stage

Bill signed by the President into law

Chapter 1

SCOPE

What Sectors are included in the Scope?

The NIS2 Directive broadens the scope of its predecessor, NIS1, to include additional sectors and subsectors.
This expanded scope covers critical infrastructures that are vital for the functioning of the economy and society.
The lists below provide an overview of the sectors listed in Schedule I and Schedule II of the NIS2 Directive and the forthcoming cybersecurity legislation, which are within the scope of the Directive and are required to comply with its provisions.

Schedule 1

  • Energy
  • Transport
  • Health
  • Water
  • Digital Infrastructure
  • ICT service management
  • Public administration entities
  • Space

DORA

  • Banking
  • Financial Markets

Schedule 2

  • Chemicals
  • Food
  • Manufacturing
  • Digital providers
  • Postal & courier services
  • Waste management
  • Research

What Size Organizations are Affected?

The NIS2 Directive applies to all medium and large entities operating within its covered sectors or services. Small and micro enterprises are generally exempt unless their activities are deemed critical to society. Large enterprises are defined as those with annual revenue of €50 million and 250+ employees, while medium enterprises have an annual revenue of €10 million and 50+ employees.

Team Up with Cyber Experts for AI-Driven Defense

In the vast playing field of cyber protection, leveraging expert knowledge and AI technology is a game-changer. Collaborate with top-tier cybersecurity specialists who bring AI and human intelligence together. This partnership fortifies your defenses against a multitude of threats, allowing sports organizations to stay secure without stretching resources thin.


Are you an Essential or Important Entity?

The NIS2 Directive categorizes entities into two groups: essential and important. This directive primarily focuses on medium and large sized organizations but also extends to smaller entities when their operations are deemed vital to societal and economic activities.

Essential Entities

Entities that fall under Schedule I of the NIS2 Directive and are classified as large organizations are deemed essential entities.
These include critical infrastructure sectors such as energy, transport, and healthcare. Additionally, any organization designated by the Minister or previously identified as an Operator of Essential Services or Digital Service Provider under the original NIS1 Directive will be classified as an essential entity. In Ireland, these designations will also be governed by the National Cyber Security Act 2024.

The Directive also includes small enterprises and microenterprises if their services are critical to the public or economy. Notably, qualified trust service providers, top-level domain (TLD) name registries, and DNS service providers are categorized as essential entities regardless of their size due to the importance of their services in ensuring internet security and stability.

Important Entities

All other entities that do not meet the criteria for essential entities but are covered under Schedule I or Schedule II, and are medium or large-sized organizations, are classified as important entities. Additionally, the Minister can designate an entity as important, even if it does not fit the standard classification. Public electronic communications network providers, public administration entities, and non-qualified trust service providers are considered important regardless of their size, given their significant role in the provision of critical services.

Scope and Inclusions of Small Organizations

Although micro and small enterprises are generally excluded from the scope of NIS2, exceptions are made for those operating in particularly sensitive sectors. Entities such as domain name registration service providers are within the scope of NIS2, regardless of their size, due to their critical function in the overall cybersecurity ecosystem.

Summary of the Key Criteria for Inclusion:

To determine whether your organization falls under the NIS2 Directive, consider the following:

1. Sector Relevance: Is your company operating within any of the sectors listed above?

2. Size Requirements: Does your company meet the size thresholds for medium or large enterprises?

3. Specific Criteria for Critical Entities: Beyond general sector and size applicability, certain entities are specifically included due to their critical role or potential impact on society and the economy. These include:

  1. Providers of public electronic communications networks or services.
  2. Trust service providers.
  3. Top-level domain name registries and domain name system service providers.
  4. Entities whose service disruption could significantly impact public safety, security, health, or induce systemic risk.
  5. Sole providers of essential services in a Member State.
  6. Public administration entities, especially those critical at the central or regional level.

Chapter 2

RESPONSIBILITY & GOVERNANCE

Effective cybersecurity governance is a top-level responsibility, and the NIS2 Directive and the National Cyber Security Bill emphasize the accountability of senior leadership and management bodies in Essential and Important entities. The management board – the group responsible for overseeing and controlling the organization – must approve and monitor the implementation of cybersecurity risk-management measures. Failure to comply with these measures has serious consequences for top executives, including CEOs, Directors, and Secretaries, who can be held personally accountable under the Act and the NIS2 Directive.

Key Responsibilities for Senior Management

  1. Approval and oversight of cybersecurity risk management measures.

  2. Regular training in cybersecurity risk management to stay informed about emerging risks.

  3. Promotion of cybersecurity training for all employees, fostering a culture of security.

  4. Ensuring compliance with the NIS2 Directive and National Cyber Security Act through ongoing monitoring and updates.

  5. Collaboration with the National Competent Authority (NCA) to ensure that business licenses remain in good standing by meeting cybersecurity requirements.

Failure to meet these obligations can result in:

  1. Personal liability for the management board, or for the person responsible for discharging managerial responsibilities as chief executive officer, director or secretary of an essential or important entity, especially in cases of gross negligence following a cybersecurity incident.
  2. Penalties, including removal from senior management positions and suspension of business licenses.
  3. Public disclosure of non-compliance, which can damage an organization’s reputation and disrupt operations.

These penalties are significant, reflecting the gravity of cybersecurity breaches and aligning with the NIS2 Directive and the Companies Act 2014. By leading proactive cybersecurity efforts, senior management not only ensures compliance but also safeguards the organization’s financial health and reputation.

Chapter 3

CYBERSECURITY RISK MANAGEMENT MEASURES

The NIS2 Directive specifies a range of cybersecurity risk management measures that essential and important entities must implement as a minimum requirement. When your organization evaluates these measures, it’s beneficial to reference International Standards to guide implementation. When assessing the relevant cybersecurity risk management measures, consider factors such as the level of risk associated with your network and information systems, the size of your organization, the likelihood of an incident occurring, and the potential severity of such an incident.

These measures include:

a. Policies for risk analysis and information system security;

b. Incident response and handling procedures;

c. Business continuity planning, including backup management, disaster recovery, and crisis management;

d. Supply chain security, covering the security aspects of relationships with direct suppliers or service providers;

e. Security in the acquisition, development, and maintenance of network and information systems, including vulnerability management and disclosure;

f. Policies and procedures to assess the effectiveness of cybersecurity risk management measures;

g. Basic cyber hygiene practices and cybersecurity training;

h. Policies and procedures for the use of cryptography and, where applicable, encryption;

i. Human resources security, access control policies, and asset management;

j. The use of multi-factor authentication, continuous authentication solutions, secured communication systems (voice, video, text), and secured emergency communication systems within the organization, where appropriate.

Cybersecurity Frameworks to Aid Compliance with NIS2

Currently, there are no specific guidelines or frameworks designed exclusively for implementing NIS2 requirements. However, the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), updated in February 2024, and ISO 27001:2022 are two internationally recognized frameworks that provide organizations with a structured, risk-based approach to managing and mitigating cybersecurity risks. Both frameworks align closely with the goals of the NIS2 Directive.

ISO 27001:2022

The ISO 27001:2022 framework enables organizations to establish, manage, and monitor an information security management system (ISMS). It addresses cybersecurity risk management measures through comprehensive risk assessments, the implementation of security controls across people, processes, and technology, and the application of organizational measures.

NIST CSF 2.0

The NIST CSF 2.0, widely adopted globally, offers practical guidance to organizations on how to identify, protect, detect, respond to, and recover from cyber incidents. Its most recent update includes enhanced emphasis on governance, risk management, supply chain risk management, and threat intelligence, making it even more relevant to the objectives of the NIS2 Directive.

To help you bridge any gaps and achieve compliance with NIS2 cybersecurity risk management measures, we’ve provided a comparison table of these frameworks, enabling a clear gap analysis and actionable insights.

Mapping the NIS2 Directive with ISO 27001 and the NIST Cybersecurity Framework 2.0

Each entry below names a NIS2 Directive requirement, followed by the corresponding ISO 27001:2022 requirements and the corresponding NIST CSF 2.0 outcomes.

Policies on risk analysis and information system security

ISO 27001:2022:
  • 4.4 Information Security Management System
  • 5.2 Policy
  • 5.3 Organizational Roles, Responsibilities, and Authorities
  • 5.7 Threat intelligence
  • 6.1.1 General – Identify and Manage Security Risks
  • 6.1.2 Information Security Risk Assessment
  • 6.1.3 Information Security Risk Treatment
  • 9.3.2 Management Review Inputs

NIST CSF 2.0:
  • GV.RM-02: Risk appetite and risk tolerance statements are established, communicated and maintained.
  • GV.RM-06: A standardized method for calculating, documenting, categorizing and prioritizing cybersecurity risks is established and communicated.
  • GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced.
  • GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission.
  • GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed.

Incident Handling

ISO 27001:2022:
  • 5.24 Information security incident management planning and preparation
  • 5.25 Assessment and decision on information security events
  • 5.26 Response to information security incidents
  • 5.27 Learning from information security incidents
  • 8.20 Network security
  • 8.21 Security of network services

NIST CSF 2.0:
  • ID.IM-04: Incident Response Plans and Cybersecurity Plans
  • RS.MA-01: Incident Response Plan Execution
  • RS.MI-01: Incident Containment
  • RS.MI-02: Incident Eradication
  • RS.MA-03: Incident Categorization and Prioritization
  • RS.MA-04: Incident Escalation
  • RS.MA-05: Criteria for Incident Recovery
  • RS.AN-07: Incident Data Collection and Integrity
  • RS.AN-03: Incident Analysis for Root Cause and Impact
  • DE.AE-02: Potentially Adverse Events Analyzed
  • DE.AE-03: Information Correlation from Multiple Sources
  • DE.AE-06: Information on Adverse Events Provided to Authorized Staff and Tools
  • DE.AE-08: Incidents Declared Based on Criteria
  • GV.SC-08: Cyber Supply Chain Risk Management
  • RC.RP-06: End of Incident Recovery Declaration
  • RS.AN-08: Incident Magnitude Estimation and Validation

Business Continuity, such as backup management, disaster recovery, and crisis management

ISO 27001:2022:
  • 5.30 ICT Readiness for Business Continuity
  • 5.29 Information Security During Disruption
  • 8.13 Information Backup
  • 8.14 Redundancy of Information Processing Facilities

NIST CSF 2.0:
  • GV.SC-07: Cyber Supply Chain Risk Management
  • ID.IM-02: Improvement – Security Tests & Exercises
  • ID.IM-04: Incident Response & Cybersecurity Plans
  • PR.DS-11: Backups of data are created, protected, maintained, and tested

Supply Chain Security

ISO 27001:2022:
  • 5.19 Information Security in Supplier Relationships
  • 5.20 Addressing Information Security within Supplier Agreements
  • 5.21 Managing Information Security in the ICT Supply Chain
  • 5.22 Monitoring, Review, and Change Management of Supplier Services

NIST CSF 2.0:
  • GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders.
  • GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes.
  • GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties.
  • GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle.
  • GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement.

Security in Network and Information Systems, Acquisition, Development and Maintenance

ISO 27001:2022:
  • 5.23 Information security for use of cloud services
  • 8.25 Secure development life cycle
  • 8.28 Secure coding
  • 8.29 Security testing in development and acceptance
  • 7.13 Equipment maintenance
  • 8.22 Segregation of networks
  • 8.32 Change management
  • 8.8 Management of technical vulnerabilities
  • 8.9 Configuration management

NIST CSF 2.0:
  • PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle.
  • ID.RA-09: The authenticity and integrity of hardware and software are assessed prior to acquisition and use.
  • ID.RA-10: Critical suppliers are assessed prior to acquisition.
  • ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked.
  • ID.RA-01: Vulnerabilities in assets are identified, validated, and recorded.

Policies and Procedures to assess the effectiveness of cybersecurity risk management measures

ISO 27001:2022:
  • 6.1.1 General – Identify and Manage Security Risks
  • 6.1.2 Information Security Risk Assessment
  • 6.1.3 Information Security Risk Treatment

NIST CSF 2.0:
  • GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission.

Basic Cyber Hygiene Practices and Cybersecurity Training

ISO 27001:2022:
  • 6.3 Information security awareness, education and training

NIST CSF 2.0:
  • PR.AT-01: Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind.

Policies and Procedures regarding the use of cryptography and encryption

ISO 27001:2022:
  • 8.24 Use of cryptography

NIST CSF 2.0:
  • PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.
  • PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected.
  • PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected.

Human Resource Security, Access Control, Asset Management

ISO 27001:2022:
  • 6.1 Screening
  • 6.2 Terms and conditions of employment
  • 6.4 Disciplinary process
  • 6.5 Responsibilities after termination or change of employment
  • 6.6 Confidentiality or non-disclosure agreements
  • 5.15 Access control
  • 5.18 Access rights
  • 5.11 Return of assets
  • 5.10 Acceptable use of information and other associated assets
  • 5.9 Inventory of information and other associated assets

NIST CSF 2.0:
  • PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.
  • GV.RR-04: Cybersecurity is included in human resources practices.
  • ID.AM-05: Assets are prioritized based on classification, criticality, resources, and impact on the mission.
  • PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk.

Multi-Factor Authentication, Secured Voice, Video, Text Communications

ISO 27001:2022:
  • 8.5 Secure authentication

NIST CSF 2.0:
  • PR.AA-03: Users, services, and hardware are authenticated.

Cyber Threat Intelligence & Risk Management

As organizations begin to understand the scope of the NIS2 Directive, there is a strong emphasis on adopting a risk-based approach to cybersecurity, which requires Essential and Important entities to implement ‘proportional and appropriate’ security measures.

This aligns closely with globally recognized frameworks such as ISO 27001 and NIST CSF 2.0, which emphasize continuous risk assessment, threat intelligence integration, and proactive security controls. However, traditional cybersecurity measures often struggle to keep pace with the scale and sophistication of modern threats, leaving organizations exposed to increasingly complex attacks. Effective cyber risk management demands a strategic, intelligence-driven approach—one that not only identifies risks, but actively mitigates them in real-time.

A key requirement under the NIS2 Directive is the establishment of a risk management framework (Article 21(2), Point (a)), which mandates relevant entities to identify, assess, and address cybersecurity risks to their network and information systems. This includes conducting documented risk assessments, establishing risk treatment plans, and integrating cyber threat intelligence into the risk analysis process. Organizations must analyze threats by assessing their likelihood, impact, and overall risk level, while also ensuring that risk decisions and residual risks are formally accepted by accountable leadership.

Centripetal revolutionizes cybersecurity risk management by operationalizing the world’s largest collection of cyber threat intelligence

Our CleanINTERNET® service delivers real-time protection at line speed, filtering out millions of known threats before they reach an organization’s network. By continuously monitoring and shielding against malicious traffic, Centripetal helps businesses comply with ISO 27001:2022 (5.7 Threat Intelligence) by collecting, analyzing, and applying threat intelligence to enhance security posture. This approach results in the elimination of malicious traffic at the perimeter, preventing threats from ever reaching the network.

By eradicating harmful activity before it can infiltrate internal systems, organizations significantly reduce the likelihood and impact of security incidents, strengthening the overall security posture. This proactive approach also reduces alert fatigue, allowing security teams to focus on critical incidents rather than being overwhelmed by redundant alerts. By enforcing intelligence-driven protection at the network perimeter, reducing the attack surface and lowering overall cyber risk exposure, Centripetal aligns with the objectives of the NIS2 Directive, helping organizations bolster their cyber resilience while ensuring compliance with international security standards.

Chapter 4

Incident Reporting Obligations

Incident reporting plays a crucial role in ensuring cybersecurity and operational resilience. Under the NIS2 Directive, organizations must report “significant incidents” to the Computer Security Incident Response Team (CSIRT) or the relevant authority without delay (Article 23). In Ireland, the National Cyber Security Centre (NCSC), which includes CSIRT-IE, has primary responsibility for incident reporting and acts as the national competent authority. NIS2 requires both mandatory and voluntary incident notifications (Articles 23 and 30), aimed at ensuring timely reporting and promoting proactive engagement with the CSIRT to safeguard critical services.

Defining a ‘Significant Incident’

Under the NIS2 Directive, organizations must report incidents that are deemed “significant,” but what does that mean in practice?

According to Article 6(6), an incident is any event that compromises the availability, authenticity, integrity, or confidentiality of data or the services provided through network and information systems.

However, an incident is classified as “significant” under Article 23(3) if it either (a) causes or has the potential to cause severe operational disruption or financial loss to the affected entity, or (b) results in considerable material or non-material damage to other individuals or organizations.

To provide further clarity, the European Commission published Commission Implementing Regulation (EU) 2024/2690 (‘Implementing Regulation’) on 17 October 2024. This regulation outlines specific criteria to help organizations determine when an incident requires mandatory reporting. While it primarily applies to certain sectors, ICT Service Management (B2B), Digital Infrastructure and Digital Providers, its guidelines serve as a useful reference for all entities covered under NIS2.

Criteria for a Significant Incident under the Implementing Regulation

According to Article 3 of the Implementing Regulation, an incident is considered significant if it meets one or more of the following conditions:

Financial Loss or Exfiltration of Trade Secrets:

The unauthorized access and potential exfiltration of trade secrets as defined in EU Directive 2016/943.

Impact on Human Life and Health:

The incident results in or could result in the death of a person or considerable damage to a person’s health. 

Unauthorized Access:

A successful and potentially malicious unauthorized access to network and information systems.

Recurring Incidents

Even if individual incidents are not significant, they are considered significant when they recur at least twice within six months and share the same apparent root cause.

Sector-Specific Criteria:

The regulation also includes additional specific criteria for different sub-sectors, such as cloud computing service providers, DNS service providers, and data centre service providers, which must also be considered when determining the significance of an incident (see Table 1).

Table 1: Sector-specific criteria for a significant incident

DNS service providers
  • A recursive or authoritative domain name resolution service completely unavailable for >30 minutes.
  • Average response time >10 seconds for >1 hour.
  • Integrity, confidentiality, or authenticity compromised affecting ≥1% or 1,000 domain names.

TLD name registries
  • Authoritative domain name resolution service completely unavailable.
  • Average response time >10 seconds for >1 hour.
  • Integrity, confidentiality, or authenticity compromised.

Cloud Computing Service Providers
  • Cloud service unavailable for >30 minutes.
  • Service level agreement (SLA) not met for >5% or 1 million users for >1 hour.
  • Data integrity, confidentiality, or authenticity compromised due to malicious action or impacting >5% or 1 million users.

Data Centre Service Providers
  • Data centre service completely unavailable.
  • SLA not met for >1 hour.
  • SLA not met due to malicious action.
  • Data integrity, confidentiality, or authenticity compromised as a result of suspected malicious action.
  • Physical access compromised.

Content Delivery Network Providers
  • Content delivery network unavailable for >30 minutes.
  • SLA not met for >5% or 1 million users for >1 hour.
  • Availability of content delivery of service provider with no SLA is impacted.
  • Data integrity, confidentiality, or authenticity compromised due to malicious action or impacting >5% or 1 million users.

Managed Service Providers and Managed Security Service Providers
  • Managed service completely unavailable for >30 minutes.
  • SLA not met for >5% or 1 million users for >1 hour.
  • Availability of services with no SLA is impacted.
  • Data integrity, confidentiality, or authenticity compromised due to malicious action or impacting >5% or 1 million users.

Providers of Online Marketplaces
  • Marketplace unavailable for >5% or 1 million users.
  • >5% or 1 million users impacted by large delays.
  • Data integrity, confidentiality, or authenticity compromised due to malicious action or impacting >5% users.

Providers of Online Search Engines
  • Search engine unavailable for >5% or 1 million users.
  • >5% or 1 million users impacted by large delays.
  • Data integrity, confidentiality, or authenticity compromised due to malicious action or impacting >5% or 1 million users.

Providers of Social Networking Services Platforms
  • Platform unavailable for >5% or 1 million users.
  • >5% or 1 million users impacted by large delays.
  • Data integrity, confidentiality, or authenticity compromised due to malicious action or impacting >5% or 1 million users.

Trust Service Providers
  • Trust service unavailable for >20 minutes.
  • Trust service unavailable for >1 hour per week.
  • >1% or 200 000 users impacted by service availability.
  • Physical access to sensitive areas compromised.
  • Data integrity, confidentiality, or authenticity compromised affecting >0.1% or 100 users or customers, whichever is smaller.

Exclusions and Special Considerations

Planned maintenance-related service downtimes are not considered significant incidents. This distinction separates routine service interruptions from genuine security or operational failures that require reporting.

Who Needs to Be Notified?

Entities affected by significant incidents based on the criteria above are required to notify their CSIRT or relevant competent authority. They must also inform service recipients about significant cyber threats that could impact them and suggest any appropriate response measures (Article 23(1)).

How to Report a Significant Incident

All relevant entities must submit the following reports to the CSIRT or competent authority:

An early warning within 24 hours of becoming aware of the significant incident, indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.

An incident notification within 72 hours of becoming aware of the significant incident, updating the information provided in the early warning and including an initial assessment of the incident’s severity and impact, together with the indicators of compromise.

An intermediate report if requested by the CSIRT, providing relevant status updates.

A final report no later than one month after the submission of the incident notification, detailing the incident, its severity, impact, the likely threat or root cause, mitigation measures applied or ongoing, and the cross-border impact of the incident where applicable.

If the incident is still ongoing when the final report falls due, entities submit a progress report at that point and then a final report within one month of their handling of the incident.

Stay Ahead of Cyber Threats: Centripetal’s Edge in Incident Reporting

With NIS2’s strict reporting timelines (an early warning within 24 hours, an incident notification within 72 hours and a final report within a month), organizations must detect, assess, and report cybersecurity incidents quickly. Centripetal’s CleanINTERNET® alleviates this pressure by delivering real-time threat intelligence, automated shielding, and actionable reporting that help stop threats before they escalate into reportable incidents.

Centripetal’s security analysts work closely with clients to tailor risk models, alerts, and reporting procedures, ensuring incidents are accurately categorized and documented in line with NIS2. With detailed reporting and executive insights, organizations can track potential incidents and submit timely, accurate notifications to CSIRTs or national cybersecurity agencies.

By leveraging over 100 billion indicators of compromise, CleanINTERNET® proactively detects and blocks threats.

Key figures: 100 billion cyberattack attempts per week; threat intelligence updated every 15 minutes.

With threat intelligence updated every 15 minutes, Centripetal also supports NIS2’s information-sharing requirements by ensuring organizations have access to the most current cyber threat data. CleanINTERNET® enhances collaborative cyber defense efforts, enabling essential and important entities to share actionable intelligence while strengthening overall security.

By continuously monitoring, enforcing proactive security measures, and streamlining compliance processes, Centripetal ensures organizations have the critical information they need—when they need it—so they can meet NIS2 deadlines with confidence.

How Centripetal Can Support Incident Reporting and Information Sharing

Centripetal’s CleanINTERNET® solution provides essential support for organizations subject to incident reporting requirements. With our real-time threat intelligence and automated threat blocking, we help organizations meet the data-sharing obligations outlined above by providing:

Indicators of Compromise (IoCs): CleanINTERNET® generates a wide range of IoCs, including:

  • IP addresses
  • Domain names and URLs
  • Malware file hashes and details
  • Timestamps and security logs
  • Network activity data (ports, protocols, etc.)
  • User account activities and database traffic

Threat Intelligence Data: Centripetal provides real-time insights into the tactics, techniques, and procedures (TTPs) used by threat actors, including:

  • Phishing
  • DDoS attacks
  • Ransomware
  • Data exfiltration and destruction
  • Supply chain attacks

Steps to Begin Compliance with NIS2 Reporting and Reducing Cyber Risk

To help your organization comply with the NIS2 Directive and reduce cyber risk, we have outlined key steps to guide the process. These steps ensure regulatory alignment, proactive security measures and enhance your organization’s resilience against evolving threats:

01

Identify the Scope of
Assets and Services:

  • Assess the critical infrastructure and services that may be impacted by a significant incident.

02

Implement an Incident
Response Plan:

  • Create and document a clear, actionable incident response plan tailored to your organization’s needs.

03

Develop and Maintain an Incident Response Playbook:
  • Create a playbook to guide your team through the steps of detecting, classifying, and mitigating significant incidents.

04

Provide Ongoing Training:

  • Regularly train key personnel on incident response processes, communication, and regulatory compliance. 
  • Centripetal offers specialized training based on current threat trends and regulatory requirements.

05

Conduct Incident Response Tabletop Exercises:

  • Simulate real-world cyber incidents with tabletop exercises to ensure your team is prepared for various scenarios. 
  • These exercises can be enriched with Centripetal’s intelligence on attack methodologies, providing realistic and timely scenarios.

06

Implement CleanINTERNET® to Reduce Risk:
  • Leverage Centripetal’s CleanINTERNET® solution to proactively block cyber threats, reducing the likelihood of a significant incident. 
  • The solution continuously monitors and shields against new threats, preventing cyberattacks from developing into significant incidents.

07

Stay Up to Date with NCSC Incident Response Forms:

  • Ensure you’re using the latest NIS2-compliant forms and templates for reporting incidents, as outlined by the NCSC. 
  • Centripetal provides ongoing updates to help you stay aligned with regulatory changes and streamline the reporting process.

By integrating CleanINTERNET® into your cybersecurity strategy, Centripetal enables you to meet the NIS2 Directive’s strict incident reporting requirements while enhancing your overall incident detection, response, and mitigation capabilities.

Chapter 5

Geographical Implications

Understanding the Requirement for Designated Representatives for Non-EU Entities

Overview

The NIS2 Directive stands out as a landmark regulatory framework aimed at strengthening the security and resilience of network and information systems across the European Union (EU). One of its key provisions—outlined in Recital 116 and Article 26 of the NIS2 Directive—addresses a critical compliance requirement: non-EU entities offering digital services within the EU must designate a representative established in the Union. This chapter explores the geographical implications of this requirement and provides practical guidance on interpreting jurisdiction, determining obligations, and appointing a representative.

Jurisdiction Clarification Under NIS2

The NIS2 Directive is designed to account for the cross-border nature of digital services. It establishes clear jurisdictional rules for determining which Member State oversees regulatory compliance.

Main Establishment Rule:
Jurisdiction is attributed to the Member State where the entity has its main establishment in the Union—defined as the location where decisions on cybersecurity risk management are predominantly taken.

Fallback Criteria:
If the above cannot be determined, jurisdiction falls to the Member State where cybersecurity operations are carried out or, failing that, the location with the highest number of employees.

Non-EU Entities:
If an entity is not established in the Union but
offers services within it, it must designate a representative in an EU Member State where those services are provided. This representative acts as the official point of contact for authorities and CSIRTs.

To help you bridge any gaps and achieve compliance with NIS2 cybersecurity risk management measures, we’ve provided a comparison table of these frameworks, enabling a clear gap analysis and actionable insights.

Who Must Comply:
Applicability to Non-EU Organizations

Entities operating in the following sectors are explicitly covered under Article 26:

DNS service providers

TLD name registries

Domain name registration services

Cloud computing and data centre service providers

Content delivery networks

Managed service providers and managed security service providers

Providers of online marketplaces, online search engines, and social networking platforms

These “relevant entities” must assess whether they are actively offering services within the Union.

Indicators of Service Presence in the EU

The Directive outlines several indicators for
determining intent to offer services within the Union:

Indicators that trigger compliance:

Use of a language or currency commonly used in one or more Member States

Availability of service ordering in an EU language

References to EU-based customers or testimonials

Marketing or targeting users within the Union

What doesn’t qualify:

Merely having a website accessible from the EU or listing contact information is not sufficient to establish intent.

The Role of the Designated Representative

The designated representative is formally appointed through a written mandate and acts on behalf of the non-EU entity.

Their responsibilities include:

  • Liaising with national competent authorities and CSIRTs, such as the NCSC and the sectoral competent authorities
  • Handling incident notifications and responses
  • Supporting regulatory audits and investigations
  • Managing compliance documentation and communications

The representative must be established in one of the Member States where the entity offers its services.

Strategic and Legal Implications

Appointing a representative is not just a formality. It signifies operational and legal accountability in the EU.

Furthermore:

  • Organizations must reevaluate where decisions about cybersecurity are made, as this may influence jurisdiction under the “main establishment” criteria.

 

  • Non-compliance with NIS2 may result in fines up to €10 million or 2% of global turnover, creating significant financial and reputational risks.

 

  • Designating a representative and aligning with EU security standards also supports business continuity, builds customer trust, and enhances cross-border partnerships.

What This Means for US
and UK-Based Companies

For organizations based in the United States and United Kingdom, the NIS2 Directive introduces direct compliance obligations if they offer digital services to customers within the EU. Despite being outside the EU, these companies are not exempt—jurisdiction is determined by where services are offered, not where the business is headquartered. This means a US or UK cloud provider, managed service provider, or online platform serving EU users must assess whether NIS2 applies and, if so, appoint a designated EU representative to act on its behalf. UK-based firms, even post-Brexit, are treated as non-EU entities under NIS2.

To maintain access to EU markets and ensure legal compliance, companies in both the US and UK must align their cybersecurity practices with NIS2 standards, prepare for increased regulatory scrutiny, and treat the designation of a representative as a foundational compliance step—not a formality.

Final Reflections

The geographical provisions under NIS2 signal a significant shift in how the EU approaches cross-border cybersecurity accountability. For non-EU entities, appointing a designated representative is not optional—it’s strategic.

By ensuring clear jurisdiction and local representation, organizations:

  • Avoid enforcement actions
  • Strengthen EU partnerships
  • Enhance resilience and credibility in the market
  • Demonstrate alignment with global best practices in cybersecurity

As cybersecurity continues to grow in importance, aligning with NIS2 is not only a legal necessity—it’s a business advantage.

Chapter 6

The Role of the Competent Authority

The Role of the National Cyber Security Centre (“the NCSC”) in Ireland

Ireland’s National Cyber Security Centre (NCSC) has taken centre stage in the country’s implementation of the NIS2 Directive. The proposed National Cyber Security Bill 2024 (“the Bill”) will place the NCSC on a statutory footing and define its legal mandate and powers. As the designated competent authority for cybersecurity in Ireland under NIS2, the NCSC is charged with both regulatory oversight and operational cyber defence roles. In this chapter we look at how the NCSC’s role affects Irish businesses and what it means in practice for compliance and cybersecurity risk management in your organisation.

What is the National Cyber Security Centre?

The NCSC is an executive office within the Department of the Environment, Climate and Communications. It was originally created in 2011 but lacked formal legislative authority. The new 2024 Bill (Head 3) gives the NCSC a statutory basis and significantly expands its functions.

The NCSC also acts as a trusted liaison between the Irish State and international cyber agencies.

Its primary responsibilities include:

  • Safeguarding the security and integrity of Ireland’s network and information systems.

  • Identifying and analysing cyber threats and vulnerabilities.

  • Producing reports on significant national cybersecurity risks and incidents.

  • Supporting the Defence Forces and An Garda Síochána in national security matters.

  • Providing cyber threat intelligence to the public and private sectors.

  • Promoting cybersecurity awareness and industry development.

The NCSC’s Role Under NIS2

Under the NIS2 Directive, every EU Member State must designate competent authorities, a Computer Security Incident Response Team (CSIRT), and a Single Point of Contact (SPOC). Ireland has opted for a sectoral approach, and the NCSC holds three roles within it:

The NCSC is the Lead Competent Authority, guiding the implementation of NIS2 across all sectors.

It serves as Ireland’s national CSIRT, leading incident response and coordination.

It is designated as the Single Point of Contact for EU-level cooperation.

Other sectoral regulators, such as the Commission for Communications Regulation (ComReg) for the ICT Service Management, Digital Providers, Space and Digital Infrastructure sectors, act as competent authorities within their domains. The NCSC is designated as the competent authority for “all other sectors” covered by NIS2 that are not explicitly assigned to sectoral regulators. The NCSC therefore oversees coordination and fills in for sectors without dedicated regulators. This centralised role means that many businesses, particularly those in public administration, will engage directly with the NCSC for regulatory and operational matters.

Oversight and Enforcement:

As Ireland’s lead authority under NIS2, the NCSC plays a central role in both coordinating and enforcing cybersecurity obligations. Under the National Cyber Security Bill 2024, it holds legal powers to supervise compliance and, where necessary, impose penalties.

The NCSC may investigate incidents, request further information, mandate mitigation actions, or share alerts with other at-risk organisations. As mentioned in previous chapters, non-compliance can result in substantial fines.

Essential and important entities must report significant cyber incidents promptly: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. These timelines, set out in Head 15 of the Bill, mirror Article 23 of the Directive.

In practice, the NCSC’s role is twofold: it ensures regulatory oversight and provides national coordination. Even where other sectoral authorities apply, the NCSC’s standards will underpin Ireland’s cybersecurity framework—making it a central figure in every organisation’s compliance strategy.

Enhanced Operational Powers of the NCSC under the Bill

The National Cyber Security Bill 2024 grants the NCSC significant operational powers, enabling it to take a proactive role in national cyber defense. These capabilities reflect the Centre’s evolving mission—from reactive incident responder to active guardian of Ireland’s digital infrastructure. For business leaders, especially those operating essential or important services, understanding these powers is vital for preparedness and compliance.

Some of the key powers provided by the Bill include:

Proactive Vulnerability Scanning
Under Head 6 of the Bill, the NCSC is authorised to perform non-intrusive scans of publicly accessible systems (such as websites and internet-facing servers) to identify vulnerabilities. These scans are conducted on a risk-based basis and aim to help organisations address weaknesses before they are exploited. For example, where the NCSC’s scans find a critical server exposed, the NCSC can alert the company before malicious actors exploit it, reducing systemic risk. With consent, the NCSC may also conduct deeper “offensive assessments” (i.e. penetration testing), offering a valuable opportunity for critical operators to partner with the state in strengthening cyber defenses.
Domain Name Blocking and Sinkholing
Head 7 empowers the NCSC to respond rapidly to malicious activity involving domain names. If a domain is linked to phishing, malware, or other hostile cyber operations, the NCSC may direct Irish domain registrars to suspend or redirect it. If threats persist, it can escalate by instructing ISPs to block access at the DNS level. These sinkholing actions can contain threats before they spread, and businesses involved in such incidents may be required to collaborate swiftly with the NCSC.
Network Sensor Deployment
To improve real-time threat detection, Head 8 permits the NCSC to deploy passive monitoring sensors within the networks of essential and important entities—with consent. These sensors focus on metadata (e.g. DNS queries) to flag suspicious behavior. Companies in sectors like energy, telecom, or healthcare might consider allowing an NCSC sensor on their infrastructure as an added defensive layer; the sensor would enable the NCSC to immediately detect certain attack patterns (for example, malware beaconing to a known command-and-control server) and alert the company. While participation is voluntary, the benefits are significant: early warning of compromise, access to state-level threat intel, and improved national situational awareness. Data collected is subject to strict retention rules and must be deleted within 18 months.
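The sinkholing power (Head 7) and the sensor power (Head 8) described above rest on the same mechanic: matching DNS metadata against a list of known-malicious domains, then either raising an alert (sensor) or redirecting the resolution (sinkhole). The following Python is an added example for this page, not NCSC or Centripetal code; the indicator list, the sensor log lines and the sinkhole address 192.0.2.1 are all constructed for illustration. It matches query names label by label so that subdomains of an indicator are caught but look-alike names are not, flags a client that queries an indicator at near-constant intervals (a simple beaconing heuristic of the kind the sensor paragraph alludes to), and emits the RPZ records a resolver would use to sinkhole the same domains.

```python
"""Passive DNS-metadata matching against a C2 indicator list, plus the RPZ-style
records that would sinkhole the same domains at the resolver.
Added example for this page, not NCSC or Centripetal code; all data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Iterator, Optional

# Constructed indicator list: domains assumed to be known command-and-control infrastructure.
C2_DOMAINS = {"beacon-update.example", "cdn-static.example"}

# Constructed passive-sensor records, one per line: "<ISO timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2025-03-01T09:00:00 10.0.0.5 www.example.org A
2025-03-01T09:00:01 10.0.0.5 api.beacon-update.example A
2025-03-01T09:05:01 10.0.0.5 api.beacon-update.example A
2025-03-01T09:10:02 10.0.0.5 api.beacon-update.example A
2025-03-01T09:15:01 10.0.0.5 api.beacon-update.example A
2025-03-01T09:20:02 10.0.0.5 api.beacon-update.example A
2025-03-01T09:07:30 10.0.0.9 notbeacon-update.example A
2025-03-01T09:08:00 10.0.0.9 CDN-Static.example. AAAA
"""


def normalise(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'CDN-Static.example.' == 'cdn-static.example'."""
    return qname.rstrip(".").lower()


def matching_indicator(qname: str, indicators: set) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.
    Matching is done label by label, so 'notbeacon-update.example' does NOT
    match 'beacon-update.example' while 'api.beacon-update.example' does."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def parse_log(text: str) -> Iterator[tuple]:
    """Yield (timestamp, client, qname) from the constructed sensor format."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, _qtype = line.split()
            yield datetime.fromisoformat(ts), client, qname


def find_c2_hits(text: str, indicators: set) -> list:
    """Every query touching an indicator, as (client, normalised qname, indicator)."""
    hits = []
    for _ts, client, qname in parse_log(text):
        ind = matching_indicator(qname, indicators)
        if ind:
            hits.append((client, normalise(qname), ind))
    return hits


def beaconing_pairs(text: str, indicators: set, min_queries: int = 4,
                    max_jitter_ratio: float = 0.1) -> list:
    """Flag (client, indicator, mean_interval_seconds) where one client queries an
    indicator at near-constant intervals: the population standard deviation of the
    gaps must be within max_jitter_ratio of the mean gap. A simple beaconing heuristic;
    a single lookup of a listed domain is a hit but not evidence of beaconing."""
    series = defaultdict(list)
    for ts, client, qname in parse_log(text):
        ind = matching_indicator(qname, indicators)
        if ind:
            series[(client, ind)].append(ts)
    flagged = []
    for (client, ind), stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter_ratio * avg:
            flagged.append((client, ind, avg))
    return flagged


def rpz_sinkhole_records(indicators: set, sinkhole_ip: str = "192.0.2.1") -> list:
    """BIND-style RPZ records (names relative to the RPZ zone apex) that answer the
    indicator and every subdomain of it with the sinkhole address, so the malware's
    connection lands on infrastructure the defender controls. 192.0.2.1 is
    documentation address space, used here only as a placeholder."""
    records = []
    for domain in sorted(indicators):
        records.append(f"{domain} A {sinkhole_ip}")
        records.append(f"*.{domain} A {sinkhole_ip}")
    return records


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG, C2_DOMAINS):
        print("indicator hit:", hit)
    for client, ind, avg in beaconing_pairs(SAMPLE_LOG, C2_DOMAINS):
        print(f"beaconing: {client} -> {ind} every ~{avg:.0f}s")
    print("\n".join(rpz_sinkhole_records(C2_DOMAINS)))
```

In a real deployment the indicator set is refreshed from the intelligence feed and the log parser is replaced by the sensor's own export format; the interval heuristic is applied only to queries that already match an indicator, because legitimate periodic lookups (monitoring probes, software update checks) would otherwise produce false positives.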
Emergency Measures on Communications Networks
In severe national security scenarios, the NCSC may seek High Court approval to deploy temporary monitoring equipment on public telecoms networks or data centers (Head 9). This emergency power—used only under judicial oversight—underscores the State’s commitment to national resilience and may affect telecom providers or large infrastructure hosts.
Data Handling and Inter-Agency Cooperation
The Bill clarifies that the NCSC can process necessary personal and sensitive data when required to prevent or mitigate significant cyber threats. Head 11 also mandates structured cooperation between the NCSC, the Data Protection Commission (DPC), and An Garda Síochána. This collaboration ensures that data breaches, cybercrime, and national security issues are addressed holistically. For businesses, this means that a cybersecurity incident may trigger parallel engagements with multiple regulators—something incident response plans must be ready to handle.
Key Reflections on the NCSC’s Powers
Together, these operational powers elevate the NCSC’s role from a passive regulator to an active cyber defense agency—one capable of identifying threats, issuing early warnings, and coordinating national-level responses. For organisations, this introduces a two-way relationship: compliance and reporting, as well as potential real-time engagement from the NCSC. Executives and security teams should understand these powers and be prepared to respond when called upon.

Chapter 7

WHAT BUSINESS
LEADERS NEED TO KNOW

As Ireland moves to implement the NIS2 Directive through the National Cyber Security Bill 2024, the pressure on business leaders to elevate cybersecurity readiness is intensifying. Compliance is no longer a future goal; it is a present priority. But beyond avoiding fines or passing audits, the real opportunity lies in building smarter, more resilient organisations.

Centripetal’s CleanINTERNET® services offer a powerful solution at the intersection of innovation and cybersecurity, redefining how organisations protect their networks. More than just a cybersecurity solution, CleanINTERNET® enables organisations to proactively defend against threats, align with regulatory expectations, and drive operational confidence in an era of heightened risk.

In this chapter, we explore how Centripetal’s threat intelligence-powered approach helps organisations not only meet NIS2 obligations but lead in cybersecurity maturity.

01

Conduct Comprehensive
Cyber Risk Assessments:

Organizations must implement technical and organizational measures that effectively manage cybersecurity risks. These include, but are not limited to:

  • Access control and asset management
  • Incident handling procedures
  • Encryption and data security
  • Business continuity and crisis response plans
  • Supply chain risk management

The expectation is that cybersecurity is governed at board level and embedded into enterprise risk frameworks, not delegated solely to IT. This may require material investment in capabilities, including dedicated cybersecurity leadership (e.g., a CISO), continuous monitoring technologies, and alignment with industry standards such as ISO/IEC 27001.

02

Report Significant Cybersecurity
Incidents Promptly:

Entities must notify the NCSC (or the sectoral competent authority) of any incident that significantly impacts the provision of their services:

  • Early warning: within 24 hours of becoming aware
  • Incident notification: within 72 hours of becoming aware
  • Final report: within 1 month of the incident notification, including root cause analysis and mitigation status

This represents a major shift for many organizations previously unaccustomed to regulated breach reporting. To comply, businesses must have incident detection and escalation processes in place, often necessitating managed detection services or, for larger organizations, a Security Operations Centre (SOC). While reporting is non-punitive in principle, failure to notify is itself a breach and is subject to enforcement.

03

Cooperate with Regulatory
Audits and Inspections:

The NCSC and relevant sectoral authorities will conduct supervisory activities to verify compliance. These may include:

  • Documentation reviews
  • Technical assessments
  • On-site inspections
  • Remediation directives

Ongoing regulatory engagement is expected, particularly for Essential Entities. Boards should be prepared for formal accountability, and compliance teams must ensure readiness for audit at any time.

Penalties for Non-Compliance:

  • Up to €10 million or 2% of global annual turnover, whichever is higher, for Essential Entities
  • Up to €7 million or 1.4% of global annual turnover, whichever is higher, for Important Entities

In short, NIS2 elevates cybersecurity from operational risk to a regulated obligation. Boards, executives, and GRC leaders must now view cyber resilience as a core part of business continuity, legal compliance, and reputational protection.

Compliance and Challenges: What Business Leaders Must Anticipate

The obligations under NIS2 are not just technical; they are structural. For organisations falling under the scope of the Directive, compliance introduces significant and sustained demands. Below is a breakdown of the key challenges businesses will face and the practical implications they must prepare for.

Costs and Impact

Implementing NIS2 will require ongoing investment in security infrastructure, governance, and personnel. While the NCSC is state-funded, other regulators such as ComReg and the CRU are expected to recover supervision costs through sector-specific levies, enabled under Head 19 of the National Cyber Security Bill.

For organizations near the “Important Entity” threshold, especially SMEs or mid-sized digital providers, these costs can be material. Compliance is not a one-time project; it becomes an operational expense, with costs incurred annually for:

  • Hiring or upskilling cybersecurity personnel
  • Implementing or upgrading SOC and monitoring capabilities
  • Third-party security assessments and certifications
  • Governance, risk and compliance (GRC) program maturity

To manage this effectively, organizations should align with international standards such as ISO/IEC 27001, Cyber Essentials, or the NIST CSF, allowing for structured controls that can serve multiple compliance regimes at once.

Timeline and Transition

Ireland missed the 17 October 2024 deadline to transpose the Directive into Irish law, and the National Cyber Security Bill is the legislative vehicle to deliver this. The Bill has been prioritised for the Spring Legislative Programme, so the legislation is expected to be enacted in 2025. Given the short window between enactment and enforcement, companies must act now to ensure readiness.

While initial supervisory approaches may focus on education and cooperation, organisations will be expected to demonstrate clear progress in key areas:

  • Risk assessments and control implementation
  • Incident detection and response planning
  • Board-level oversight and accountability mechanisms

A gap assessment against NIS2 obligations is essential. Most non-compliant organisations will fall short due to a lack of centralised monitoring, unclear incident ownership, or inadequate supplier and third-party security management.

Enforcement and Accountability

The NCSC and sectoral regulators have been granted enforcement powers that include:

  • Financial penalties (up to €10M / 2% turnover for Essential Entities)
  • Formal compliance directives and remediation orders
  • Suspension of services in the event of serious or persistent non-compliance
  • Liability for executive management, including potential board-level accountability


The Strategic Shift: From Regulation to Resilience

Ireland’s NCSC is no longer just a technical response body; it is the country’s central authority for cybersecurity governance. As both regulator and partner, its engagement with industry will be deeper, more structured, and more visible under NIS2.

Those that act early, investing in the right controls, governance structures, and partnerships, won’t just avoid penalties. They will be better positioned to lead in a digital economy that rewards transparency, accountability, and preparedness.

For businesses, this creates a dual imperative:

  • Compliance with legal requirements to avoid enforcement

  • Strategic alignment to build trust, resilience, and long-term operational integrity

Proactive Threat Intelligence with Centripetal

As enforcement of the NIS2 Directive and Ireland’s National Cyber Security Bill draws near, one thing is clear: reactive cybersecurity is no longer sufficient. Organizations must now demonstrate continuous, intelligence-powered cybersecurity. This is where Centripetal delivers exceptional value.

A recognized global leader in threat intelligence-powered network defence, Centripetal’s CleanINTERNET® service operationalizes over 10 billion threat indicators, offering a level of protection and visibility that aligns directly with NIS2’s core risk management requirements.

CleanINTERNET®: Real-Time, Intelligence-Led Cyber Defence
CleanINTERNET® acts as a virtual barrier at the network edge, filtering, enforcing, and alerting based on verified, real-time threat intelligence from over 3,500 feeds, including government feeds, ISACs, commercial threat providers, and Centripetal’s own research.

CleanINTERNET® Enterprise integrates into existing network infrastructure to enforce custom security policies based on threat intelligence relevance. It continuously filters inbound and outbound traffic, preventing malicious communications without degrading performance or interrupting legitimate operations.

CleanINTERNET® DNS blocks access to known malicious domains (ransomware, phishing, botnets, and command-and-control infrastructure) before connections are even established. CleanINTERNET® DNS is a cost-effective enterprise solution that protects remote users by blocking access to malicious sources and preserving the integrity of network and data from remote assets. This capability significantly enhances an organisation’s DNS-layer visibility and defence, offering broader scale and more granular insights that complement existing measures such as those provided by the NCSC.

Reducing Organizational
Risk & Enabling Compliance

CleanINTERNET® plays a direct role in helping Irish organisations reduce cyber exposure, meet regulatory requirements, and enhance operational maturity under NIS2.

Risk Management & Resilience (Head 29)

By blocking verified threats at the edge, CleanINTERNET® supports NIS2’s requirement for technical controls that reduce risk at source, preventing attacks before they impact systems or services.

Incident Detection & Timely Reporting

CleanINTERNET® provides granular visibility into attempted intrusions, helping security teams detect events early and respond within the 24/72-hour incident notification windows defined by the NIS2 Directive.

Operational Readiness & Continuous Monitoring

Where NCSC sensor deployment is voluntary and limited by consent, Centripetal delivers advanced threat detection and enforcement across the full network perimeter, with tailored threat profiles and policy-based controls.

Why Leading Organizations
Choose Centripetal

Intelligence-Driven Risk Reduction:

CleanINTERNET® filters billions of packets daily, ensuring that only clean traffic reaches your environment. This drastically reduces exposure to known threats and attack infrastructure.

Enterprise-Grade Monitoring:

Unlike the NCSC’s consent-based sensors and non-intrusive external scans, Centripetal performs enterprise-grade network monitoring continuously, customized to your threat landscape.

Reduced Complexity:

Integrating threat intelligence, policy enforcement, and managed detection into one service can streamline operations and maximises ROI on security investments.

Take Control of Your
Cyber Risk

With the compliance deadline fast approaching, there’s no time for half-measures. Centripetal enables you to move beyond checkbox compliance toward a defensible, intelligence-led security posture that reduces risk and inspires confidence among stakeholders, regulators, and customers.

Partner with Centripetal to strengthen your network defences and prepare for Ireland’s cybersecurity future.

Visit www.centripetal.ai to learn more about CleanINTERNET® services and how we can help your business meet and exceed NIS2 expectations.