EU law now holds company directors personally responsible for cybersecurity failures — and if your organisation has over 50 employees or turns over more than €10 million, you are almost certainly in scope. Fines reach €7 million or 1.4% of annual turnover for most businesses, and €10 million or 2% for those in critical sectors. Ireland's enforcement deadline is expected Q4 2026. Germany, Belgium, and Italy are already enforcing.
Get Us Secure helps Irish and EU businesses understand exactly which laws apply to them, fix the gaps, and keep their boards protected — before a regulator comes calling.
160,000 organisations across the EU are now regulated under NIS2. Most don't know it yet.
If your organisation operates in one of the sectors listed here AND has 50 or more employees or €10 million or more in annual revenue, this law likely applies to you. This means your board has legal obligations under NIS2 — including personal liability for failures.
Some businesses are in scope regardless of size — particularly in digital infrastructure and critical services. If you are unsure, the self-assessment below will confirm your position in 7 minutes.
Take the Free Self-Assessment →| NIS2 Sectors In Scope |
|---|
| Energy |
| Transport |
| Healthcare |
| Banking & Financial Services |
| Digital Infrastructure & ICT Services |
| Manufacturing |
| Food Production & Processing |
| Chemicals |
| Waste Management |
| Postal & Courier Services |
| Research |
Some entities are in scope regardless of size, particularly in critical digital infrastructure. If in doubt, take the assessment.
NIS2 is not a framework. It is a law with hard deadlines and personal consequences.
Insurers are now reviewing whether non-compliant businesses are insurable. Policies may be reduced in value or voided entirely following an incident where NIS2 obligations were not met.
Six things the law now requires of your board — personally, not just your IT team.
Your management body must formally approve cybersecurity measures, oversee their implementation, and receive documented training. Board members are personally liable for failures. This obligation cannot be delegated to IT.
Ten specific security requirements must be implemented and documented — covering written policies, incident response plans, business continuity, supply chain security, access controls, encryption, and vulnerability management.
Significant incidents must be reported to your national authority within 24 hours (initial warning), 72 hours (full notification), and one month (final report). Your board needs defined roles for each stage before an incident occurs.
In-scope organisations must formally register with their national cybersecurity authority — in Ireland, that is the NCSC. Failure to register is itself a legal breach, independent of whether a security incident has occurred.
You are legally responsible for the security of your critical third-party suppliers. Written security requirements in supplier contracts and regular supplier reviews are expected as evidence of compliance.
Every member of the board must receive formal cybersecurity training — not a one-off briefing. Attendance must be documented and held available for a regulator. This obligation recurs on a regular basis.
Not sure how your organisation measures up across these six areas? The self-assessment takes 7 minutes →
Advice from someone who lives with it every day — not a training company, not a law firm, not a packaged compliance product.
My name is Colin Walsh. I am the Chief Information Security Officer for a major European ecommerce company — managing real NIS2 obligations, live regulatory environments, and board conversations every day across the EU.
NIS2 creates personal obligations for board members — not just IT departments. Meeting those obligations requires more than a training certificate or a policy template. It requires ongoing governance, documented oversight, and the judgement to know what a regulator will actually scrutinise.
Get Us Secure delivers that across the full compliance lifecycle: from initial readiness assessment and board training, through compliance programme design, to ongoing security leadership that maintains your position.
Every engagement is delivered personally — not outsourced, not templated, not generated.
Start by understanding where you stand. Fix what needs fixing. Then make sure it stays fixed.
Not sure which EU regulations apply — or how exposed you are? A structured two-week engagement that maps every applicable regulation and tells your board exactly where it stands.
Half-day facilitated session — regulatory briefing, live cyber attack simulation, and Board Cyber Risk Scorecard. Legally satisfies your board's documented training obligation under NIS2. Annual renewal available.
Builds the policies, governance structures, and compliance programmes your assessment identified as missing. Covers NIS2, GDPR, and all applicable EU regulations. Delivered in 3–4 months with a board-ready evidence pack.
Senior cybersecurity leadership on a monthly retainer — your NIS2 and GDPR programme owned and maintained, monthly board briefings, and on-call incident support. The expertise of a full-time Chief Security Officer, without the €200k+ salary.
AI opportunity audit, workflow automation build, and EU AI Act compliance advisory. GDPR and security compliance built in from day one — not retrofitted.
Advisory board roles for VC-backed European tech companies also available. Enquire directly →
Advisory coverage across 11 EU jurisdictions — Ireland, Germany, Belgium, Netherlands, Italy, Portugal, Spain, Norway, Cyprus, Greece, and the UK. About the practice →
The NIS2 Board Readiness Self-Assessment takes 7 minutes. It tells you whether your organisation is in scope, what your board is personally liable for, and what your most urgent gaps are. No email required.
Take the free self-assessment →For organisations in NIS2-regulated sectors, compliance rarely stops at NIS2. Most face overlapping obligations across several of the following — often simultaneously.
| Regulation | What it requires | Enforcement status | Maximum fine |
|---|---|---|---|
| Data Protection Law GDPR |
Protection of personal data for all EU residents. Applies to any organisation that collects, stores, or processes personal data — including employee records, customer data, and website analytics. | Fully enforced DPC active in Ireland |
Up to €20M or 4% of global annual turnover |
| Cookie & Marketing Law ePrivacy Directive |
Requires informed consent before placing cookies or tracking technologies on a visitor's device. Applies to every website with analytics, advertising, or third-party scripts. | Fully enforced Enforced alongside GDPR |
Material violations carry GDPR-level fines — up to €20M or 4% turnover |
| Cybersecurity Law NIS2 |
Mandatory cybersecurity measures and board personal accountability for essential and important sector organisations. Covers risk management, incident reporting, supply chain security, and documented governance. | Ireland: Q4 2026 EU countries already enforcing |
Important Entity: up to €7M or 1.4% turnover Essential Entity: up to €10M or 2% turnover |
| AI Regulation EU AI Act |
Transparency obligations for AI systems — including chatbots, automated hiring tools, and AI-generated content. Board-level governance requirements for high-risk AI deployments. | Article 50: August 2026 Full enforcement from 2027 |
Transparency violations: up to €7.5M or 1% turnover High-risk failures: up to €15M or 3% |
| Product Cybersecurity Law Cyber Resilience Act (CRA) |
Mandatory cybersecurity requirements for manufacturers, importers, and distributors of products with digital components — hardware with software, connected devices, and standalone software sold in the EU. | Reporting: September 2026 Full compliance: December 2027 |
Up to €15M or 2.5% of worldwide annual turnover |
| Financial Digital Resilience Law DORA |
Digital operational resilience for financial entities and their ICT service providers. Covers ICT risk management, incident reporting, and third-party provider oversight for banks, insurers, investment firms, and their technology suppliers. | In force January 2025 CBI enforcing in Ireland |
Up to 2% of worldwide annual turnover or €5M — whichever is higher |
Get Us Secure covers the full stack — identifying which regulations apply to your organisation, assessing your gaps, and building a programme to address all of them.
If your board hasn't been trained, your organisation isn't compliant — and you're personally exposed. The first step takes two weeks and costs €4,500.
Book a discovery call →