Home Services Self-Assessment About Book a call

Your company may already be breaking EU law.

EU law now holds company directors personally responsible for cybersecurity failures — and if your organisation has over 50 employees or turns over more than €10 million, you are almost certainly in scope. Fines reach €7 million or 1.4% of annual turnover for most businesses, and €10 million or 2% for those in critical sectors. Ireland's enforcement deadline is expected Q4 2026. Germany, Belgium, and Italy are already enforcing.

Get Us Secure helps Irish and EU businesses understand exactly which laws apply to them, fix the gaps, and keep their boards protected — before a regulator comes calling.

ActiveChief Security Officer · Major EU company
Big 4Advisory background
11Markets covered
NIS2Ireland deadline Q4 2026
CISSPISO 27001 · Big 4 trained
Are you in scope?

160,000 organisations across the EU are now regulated under NIS2. Most don't know it yet.

If your organisation operates in one of the sectors listed here AND has 50 or more employees or €10 million or more in annual revenue, this law likely applies to you. This means your board has legal obligations under NIS2 — including personal liability for failures.

Some businesses are in scope regardless of size — particularly in digital infrastructure and critical services. If you are unsure, the self-assessment below will confirm your position in 7 minutes.

Take the Free Self-Assessment →
NIS2 Sectors In Scope
Energy
Transport
Healthcare
Banking & Financial Services
Digital Infrastructure & ICT Services
Manufacturing
Food Production & Processing
Chemicals
Waste Management
Postal & Courier Services
Research

Some entities are in scope regardless of size, particularly in critical digital infrastructure. If in doubt, take the assessment.

Enforcement consequences
What happens if you don't act

NIS2 is not a framework. It is a law with hard deadlines and personal consequences.

Critical sectors
Fines up to €10 million or 2% of global annual turnover — whichever is higher
Individual board members can be personally fined and temporarily banned from holding management positions.
Most SME's in scope
Fines up to €7 million or 1.4% of global annual turnover — whichever is higher
The same personal liability applies. Regulatory investigations become public record — visible to customers, insurers, and investors.
Already Enforcing
Germany, Belgium & Italy
Germany: In force since December 2025. Directors cannot be indemnified by their company. Belgium: First EU country to fine board members directly. Italy: Active enforcement since January 2026.
Ireland — expected Q4 2026
Ireland — enforcement expected Q4 2026
The Network and Information Systems Security Act transposition is expected Q4 2026. NCSC enforcement powers will include binding instructions, on-site audits at the entity's expense, and temporary prohibition orders on individuals.
Cyber insurance risk

Insurers are now reviewing whether non-compliant businesses are insurable. Policies may be reduced in value or voided entirely following an incident where NIS2 obligations were not met.

Regulatory obligations
What NIS2 actually requires

Six things the law now requires of your board — personally, not just your IT team.

Board Governance & Personal Accountability

Your management body must formally approve cybersecurity measures, oversee their implementation, and receive documented training. Board members are personally liable for failures. This obligation cannot be delegated to IT.

NIS2 Art. 20

Security Measures

Ten specific security requirements must be implemented and documented — covering written policies, incident response plans, business continuity, supply chain security, access controls, encryption, and vulnerability management.

NIS2 Art. 21

Incident Reporting

Significant incidents must be reported to your national authority within 24 hours (initial warning), 72 hours (full notification), and one month (final report). Your board needs defined roles for each stage before an incident occurs.

NIS2 Art. 23

Registration with Your National Authority

In-scope organisations must formally register with their national cybersecurity authority — in Ireland, that is the NCSC. Failure to register is itself a legal breach, independent of whether a security incident has occurred.

NIS2 Art. 27

Supply Chain Security

You are legally responsible for the security of your critical third-party suppliers. Written security requirements in supplier contracts and regular supplier reviews are expected as evidence of compliance.

NIS2 Art. 21(2)(d)

Board Training — Documented and Recurring

Every member of the board must receive formal cybersecurity training — not a one-off briefing. Attendance must be documented and held available for a regulator. This obligation recurs on a regular basis.

NIS2 Art. 20(2)

Not sure how your organisation measures up across these six areas? The self-assessment takes 7 minutes →

Why Get us Secure

Advice from someone who lives with it every day — not a training company, not a law firm, not a packaged compliance product.

My name is Colin Walsh. I am the Chief Information Security Officer for a major European ecommerce company — managing real NIS2 obligations, live regulatory environments, and board conversations every day across the EU.

NIS2 creates personal obligations for board members — not just IT departments. Meeting those obligations requires more than a training certificate or a policy template. It requires ongoing governance, documented oversight, and the judgement to know what a regulator will actually scrutinise.

Get Us Secure delivers that across the full compliance lifecycle: from initial readiness assessment and board training, through compliance programme design, to ongoing security leadership that maintains your position.

Every engagement is delivered personally — not outsourced, not templated, not generated.

  • Active practitioner, not a trainerCurrently serving as EMEA CISO at a major European e-commerce organisation — navigating real incidents, regulators, and board conversations every day.
  • 11 markets, one advisorDeep familiarity with NIS2 transpositions across Ireland, UK, Germany, Belgium, Netherlands, Spain, Portugal, Norway, Italy, Cyprus, and Greece.
  • Outcome-based, not document-basedThe goal is not a gap report — it is an organisation that can demonstrate compliance to a regulator and maintain it.
  • Full regulatory stackGDPR, NIS2, EU AI Act, CRA, DORA, and ISO 27001 — all covered under one practice with current enterprise CISO experience.
  • AI builder, not just AI advisorBuilds and deploys AI automations using n8n and Claude API. Every implementation includes GDPR data residency verification and EU AI Act risk classification — not added as an afterthought.
Services
Five ways to engage

Start by understanding where you stand. Fix what needs fixing. Then make sure it stays fixed.

01

Regulatory Readiness Assessment

Not sure which EU regulations apply — or how exposed you are? A structured two-week engagement that maps every applicable regulation and tells your board exactly where it stands.

€4,500 fixed fee · EI Access Advice eligible
Start here
02

Board & Leadership Training

Half-day facilitated session — regulatory briefing, live cyber attack simulation, and Board Cyber Risk Scorecard. Legally satisfies your board's documented training obligation under NIS2. Annual renewal available.

From €3,500 · EI Access Advice eligible
Foundation · Standard · Premium
03

Compliance Programme Build

Builds the policies, governance structures, and compliance programmes your assessment identified as missing. Covers NIS2, GDPR, and all applicable EU regulations. Delivered in 3–4 months with a board-ready evidence pack.

From €8,000 · EI Strategic eligible
NIS2 · GDPR · ISO 27001 · Cyber insurance ready
04

Fractional CISO & Compliance Advisory

Senior cybersecurity leadership on a monthly retainer — your NIS2 and GDPR programme owned and maintained, monthly board briefings, and on-call incident support. The expertise of a full-time Chief Security Officer, without the €200k+ salary.

From €4,500/month
12-month minimum · Board reporting · NIS2 · GDPR
05

AI Readiness & Implementation

AI opportunity audit, workflow automation build, and EU AI Act compliance advisory. GDPR and security compliance built in from day one — not retrofitted.

From €3,500 · EI Digital Discovery grant eligible
Audit · Build · Retainer · AI Act

Advisory board roles for VC-backed European tech companies also available. Enquire directly →

Advisory coverage across 11 EU jurisdictions — Ireland, Germany, Belgium, Netherlands, Italy, Portugal, Spain, Norway, Cyprus, Greece, and the UK. About the practice →

Free tool
Is your board personally exposed?

The NIS2 Board Readiness Self-Assessment takes 7 minutes. It tells you whether your organisation is in scope, what your board is personally liable for, and what your most urgent gaps are. No email required.

Take the free self-assessment →
Your full regulatory exposure

NIS2 is one of six EU regulations your organisation may need to address

For organisations in NIS2-regulated sectors, compliance rarely stops at NIS2. Most face overlapping obligations across several of the following — often simultaneously.

Regulation What it requires Enforcement status Maximum fine
Data Protection Law
GDPR
Protection of personal data for all EU residents. Applies to any organisation that collects, stores, or processes personal data — including employee records, customer data, and website analytics. Fully enforced
DPC active in Ireland
Up to €20M or 4% of global annual turnover
Cookie & Marketing Law
ePrivacy Directive
Requires informed consent before placing cookies or tracking technologies on a visitor's device. Applies to every website with analytics, advertising, or third-party scripts. Fully enforced
Enforced alongside GDPR
Material violations carry GDPR-level fines — up to €20M or 4% turnover
Cybersecurity Law
NIS2
Mandatory cybersecurity measures and board personal accountability for essential and important sector organisations. Covers risk management, incident reporting, supply chain security, and documented governance. Ireland: Q4 2026
EU countries already enforcing
Important Entity: up to €7M or 1.4% turnover
Essential Entity: up to €10M or 2% turnover
AI Regulation
EU AI Act
Transparency obligations for AI systems — including chatbots, automated hiring tools, and AI-generated content. Board-level governance requirements for high-risk AI deployments. Article 50: August 2026
Full enforcement from 2027
Transparency violations: up to €7.5M or 1% turnover
High-risk failures: up to €15M or 3%
Product Cybersecurity Law
Cyber Resilience Act (CRA)
Mandatory cybersecurity requirements for manufacturers, importers, and distributors of products with digital components — hardware with software, connected devices, and standalone software sold in the EU. Reporting: September 2026
Full compliance: December 2027
Up to €15M or 2.5% of worldwide annual turnover
Financial Digital Resilience Law
DORA
Digital operational resilience for financial entities and their ICT service providers. Covers ICT risk management, incident reporting, and third-party provider oversight for banks, insurers, investment firms, and their technology suppliers. In force January 2025
CBI enforcing in Ireland
Up to 2% of worldwide annual turnover or €5M — whichever is higher

Get Us Secure covers the full stack — identifying which regulations apply to your organisation, assessing your gaps, and building a programme to address all of them.

NIS2 is already being enforced across the EU. Ireland's transposition is expected Q4 2026.

If your board hasn't been trained, your organisation isn't compliant — and you're personally exposed. The first step takes two weeks and costs €4,500.

Book a discovery call →