Helping Organisations Prepare for NIS2: Our Approach and the Role of Cyber Fundamentals
By Joseph Stephens, Director of Resilience, NCSC-IE
When the NIS2 Directive was adopted at EU level in December 2022, it marked a step-change in how we approach cyber risk across critical sectors in Europe. For many essential and important entities in Ireland, it brings new and clearer obligations - especially in the areas of incident reporting, governance, and risk management.
While the Directive is now in force at EU level, we’re still in the process of full transposition into Irish law with a new National Cyber Security Act expected by year end. But the direction of travel is clear: NIS2 expects organisations to manage cyber risk in a more structured and accountable way. That means taking a serious look at governance, controls, and readiness - not just policies on paper.
What NIS2 Requires
NIS2 significantly broadens the scope of EU cybersecurity law, covering more sectors and introducing clearer duties for leadership. For essential and important entities, the obligations include:
We’ve already published a lot of guidance on our dedicated NIS2 webpage to help organisations navigate this directive including a Quick Reference Guide, an ‘Am I in Scope’ tool and a detailed Frequently Asked Questions section.
Risk Management Measures
Today, to help organisations interpret these obligations, the NCSC has published a set of draft Risk Management Measures (RMMs). This guidance, which we’ve created in partnership with the relevant sectoral National Competent Authorities (NCAs), is our view of what’s needed to meet the legal requirements of the Directive for essential and important entities. The RMMs are also aligned with the European Commission Implementing Regulation, which applies directly to ‘cross-border entities’ in the Digital Infrastructure and Digital Service Provider sectors.
The proposed RMMs have two types of measures:
It is worth being clear: the responsibility to comply with NIS2 lies with the management body of each entity in scope, and it is the relevant NCA that ultimately determines whether an entity is non-compliant. The RMMs are intended to provide structured, credible guidance - helping organisations move beyond uncertainty and into action.
The RMMs set out ‘what’ an organisation must do to meet the key legal obligations of NIS2, but not ‘how’. Organisations of various sizes, from small companies all the way up to large multinationals, will take varying approaches, using their own information security policies or established cyber security standards and frameworks such as ISO 27001, ISA/IEC 62443 and COBIT, amongst others. Provided that approach meets the foundational actions set out in the RMMs, the organisation should be compliant with NIS2.
However, we’re also very pleased to announce today that the NCSC is recommending the Cyber Fundamentals Framework as a voluntary and practical pathway to help organisations of varying sizes to meet the requirements set out in the RMMs.
Introducing Cyber Fundamentals
As part of our support for implementation, we’re also introducing the Cyber Fundamentals Framework (CyFun) - a structured framework and certification scheme, originally developed by our Belgian counterparts at the Centre for Cybersecurity Belgium (CCB), which we have now joined as a scheme co-owner.
CyFun sets out three levels of assurance (Basic, Important, and Essential) that align closely with NIS2. It’s grounded in international standards — currently NIST Cybersecurity Framework v1.1, with a planned transition to NIST Cybersecurity Framework v2.0 which we are developing in collaboration with the other scheme owners Belgium and Romania. We expect that the updated framework will be available by Q3 this year. It is this version (CyFun 2025) that we recommend and will be developing our national certification scheme from.
The Cyber Fundamentals Framework includes a selection tool which allows organisations to make a well-informed and risk-based decision on which of the three levels to aim for, as well as a self-assessment tool to help baseline your current posture in advance of a certification assessment. Risk assessment is at the heart of CyFun, as it is of NIS2, and allows companies to decide which measures are appropriate and proportionate for their context. However, the framework also has a small number of Key Measures which must be met to receive certification - these measures are non-negotiable and must be implemented. They are also the measures that are most effective in preventing cyber-attacks, and that is precisely why they were selected.
We recommend Cyber Fundamentals as a practical and effective pathway to implementing NIS2 obligations. It is not mandatory, but we believe it’s a strong option: it provides structure, clarity, and a path to external assurance through certification. We’ve also included an annex to our RMMs mapping each of the foundational and supporting actions to the CyFun framework.
Over the coming months we will be developing and releasing a lot of resources, tools and support to assist organisations to implement Cyber Fundamentals 2025 (NIST CSF 2.0), as well as developing a dedicated space on our new website. In the meantime there is already great material available on our Belgian colleagues’ website to support your journey, and we have some initial information on our own webpage to get started, although that is still a work in progress.
A Word About Certification
Many organisations in Ireland will be wondering: can we be certified today? The answer is - not quite yet.
Implementing a national certification system is a complex endeavour. It requires the development of legal instruments, processes, resourcing, training of assessors, and accreditation of conformity assessment bodies. We expect it will take 18 to 24 months before a functioning national certification process is fully in place.
But that doesn't mean you need to wait. The Cyber Fundamentals framework itself is already open, available, ready to use - and free. Organisations can start now: assess their maturity, begin implementing controls, and prepare for certification down the line. This early work will not only ease the certification process when it comes but will also help meet NIS2 obligations from day one.
National Competent Authorities for the various sectors may choose to use CyFun as an accepted method of assurance of compliance with NIS2 while a certification system is being developed. Indeed, the NCSC’s own National Competent Authority for Public Administration intends to use CyFun as a preferred method for showing compliance with NIS2 for entities in the public administration sector.
Beyond Compliance: Enabling Trust
Certification isn’t just about compliance - it’s about business enablement and building trust. In a world of complex supply chains and cross-border digital services, showing clear and externally validated cyber maturity is an asset. It helps meet procurement requirements, builds stakeholder confidence, and signals a serious approach to resilience.
Our long-term vision is to make Cyber Fundamentals a central part of Ireland’s national certification ecosystem. We see it as a tool for clarity, assurance, and trust - across sectors and organisations. But our ambitions go beyond just the Irish market – we plan to promote and advance Cyber Fundamentals as a cross-EU framework that will help build up cyber resilience, trust and ease integration of the single digital market and simplify the process of cross-border NIS2 compliance. By making this an EU-wide framework we will not only simplify compliance, but also stimulate competition between providers in the market delivering certification related services, driving down costs for our essential and important entities.
As we move toward the full implementation of NIS2, our message is straightforward: the legal obligations are real and pressing, but the tools to meet them are already appearing. The NCSC is here to support you with clear guidance, practical frameworks, and a long-term vision for improvement. If you’re a newly regulated entity starting your compliance journey, now is the time - and Cyber Fundamentals is one of the best places to begin.
Head of Department of Electronic Engineering and Communications (3mo):
Thanks Joseph, this brings some more clarity.
Group Chief Information Security Officer at Bon Secours Health System Ireland (4mo):
The Risk Management Measures is an excellent piece of work with clear actionable alignment to NIS2. Well done and thank you to the authors! I especially like the indicative control mapping - it makes it a lot easier to line up NIS2 alongside ISO 27001 and NIST CSF.
Head of Commercial & Technology, Leads Data Protection, Stevens & Bolton LLP (4mo):
Thanks for sharing
Operational Resilience Oversight Leader / Mentor / Mentee (4mo):
Brilliant guidance! Ireland, Romania and Belgium were the first to adopt, so good to be a forerunner, and the certification will certainly make CyFun a central part of Ireland’s national certification ecosystem. Great roll out indeed.