NIS 2 - Update 2026
1. NIS2 Directive implementation in Ireland | Shaping Europe's digital future https://digital-strategy.ec.europa.eu/en/policies/nis2-directive-ireland
2. NIS2 is complex and remains unadopted as of 20.05.2026. A draft act on Risk Management Measures (RMM) has been published, with Ireland and Belgium co-authoring a framework developed by the Centre for Cybersecurity Belgium (CCB): the Risk Management Measures (RMM) and Cyber Fundamentals (CyFun) guidance, which sets requirements based on entity size, scope of criticality and maturity: https://ccb.belgium.be/news/cyfunr-2025-here.
It is based on the US NIST CSF (https://www.nist.gov/publications/nist-cybersecurity-framework-csf-20) and offers a wealth of tools for organisations to conduct self-assessments; see the CSF 2.0 Quick Start Guides | NIST: https://www.nist.gov/cyberframework/quick-start-guides#resourceOverview
CyFun is built around three maturity levels: Basic, Important, and Essential. These levels allow organizations to assess their cybersecurity posture and implement controls appropriate to their risk exposure. The framework (CyberFundamentals Framework | CyFun) covers six key cybersecurity functions and has some very good spider graphs for maturity visualisation:
- Identify: Understanding organizational assets, risks, and vulnerabilities.
- Protect: Implementing safeguards like access control, awareness training, and data protection.
- Detect: Monitoring and detecting anomalies or potential breaches.
- Respond: Planning and executing incident response strategies.
- Recover: Restoring normal operations after an incident.
- Govern: Ensuring policies, compliance, and continuous improvement.
CHALLENGES:
NIS 2 is a challenge, with boards now facing personal liability for cybersecurity negligence.
Article 21 - Mandates testing of company perimeters at least yearly. For those of us from a testing background, this is not always simple given modern elastic data stores and the complex supply chains behind the breadth of digital products and devices we use on a daily basis.
"entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures."
- Do YOU know who your suppliers are?
- Have you started altering contracts to get this information?
- How will you gather and store it?
- What if you break their service - who is liable?
Many more questions than answers. It is a highly nuanced topic, with many countries still operating only on draft references; Ireland is far ahead, and France published a working reference framework only in March 2026.
"Since March 17, 2026, the French National Cybersecurity Agency (ANSSI) has made available the Cyber France Reference Framework (ReCyF), a working version, which lists the measures recommended by ANSSI to achieve the security objectives set by NIS 2" https://cyber.gouv.fr/.
CRITICAL INFRASTRUCTURE IS NOT FOR THE FAINT HEARTED
People die: these are hospitals, water supplies, power plants, electricity grids, rockets, planes, submarines. We already face an absurd lack of technical security knowledge about OT, and mounting exposure to AI threats. [Operational Technology versus IT systems]
I worked on the Enterprise Ireland Cyber Grants, a fantastic scheme; however, many of our 3500 Enterprises and SMEs in scope of NIS 2, as with many Enterprises and SMEs across Europe, are struggling with:
- Outdated infrastructure
- Outdated Skills
- Explosion of boundaries and data in transit due to ubiquitous AI use
-----------------------------------------------------------------------------------------------------------------
IMPORTANT FOR BOARDS
Article 21 [or the need to test for your risks and vulnerabilities]
Cybersecurity risk-management measures
1. Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.
Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed. When assessing the proportionality of those measures, due account shall be taken of the degree of the entity's exposure to risks, the entity's size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.
2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following:
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
[= a renegotiation of every supply chain contract]
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
3. Member States shall ensure that, when considering which measures referred to in paragraph 2, point (d), of this Article are appropriate, entities take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers, including their secure development procedures. Member States shall also ensure that, when considering which measures referred to in that point are appropriate, entities are required to take into account the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1).
4. Member States shall ensure that an entity that finds that it does not comply with the measures provided for in paragraph 2 takes, without undue delay, all necessary, appropriate and proportionate corrective measures.
5. By 17 October 2024, the Commission shall adopt implementing acts laying down the technical and the methodological requirements of the measures referred to in paragraph 2 with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers.
The Commission may adopt implementing acts laying down the technical and the methodological requirements, as well as sectoral requirements, as necessary, of the measures referred to in paragraph 2 with regard to essential and important entities other than those referred to in the first subparagraph of this paragraph.
When preparing the implementing acts referred to in the first and second subparagraphs of this paragraph, the Commission shall, to the extent possible, follow European and international standards, as well as relevant technical specifications. The Commission shall exchange advice and cooperate with the Cooperation Group and ENISA on the draft implementing acts in accordance with Article 14(4), point (e).
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
NIS 2 [Full text] : Europa.eu. (2022). EUR-Lex - 02022L2555-20221227 - EN - EUR-Lex. [online] Available at: https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng
MAKE FRIENDS WITH YOUR SECURITY DEPARTMENT, TRAIN THEM IN COMMERCIAL LEADERSHIP, NEGOTIATION AS WELL AS BUSINESS RESILIENCE AND DISASTER RECOVERY SKILLS.
They are your strongest ally!