NIS2 in Ireland: Scope, CyFun and What to Do Next
If you work in cybersecurity, compliance, governance, risk, IT, or operations, you have probably heard a lot about NIS2 by now.
You may also have heard a lot of slightly different answers to the same basic questions.

The reassuring answer is: you are not expected to have all of this figured out.
The NIS2 Directive is a significant change, and Ireland is still working through the detail of implementation. The National Cyber Security Centre has been publishing guidance, resources, and updates to help organisations understand what is coming. They also have a useful NIS2 page with an "Am I in Scope?" tool and a contact route for questions.
The message I would take from that is simple: this is a shared journey. The NCSC team and National Competent Authorities (NCAs) want to work with organisations as everyone navigates the new requirements together.
At Fortify Institute, we have built that same thinking into our PECB NIS 2 Directive Lead Implementer blended training. The course gives you the structured PECB implementation methodology, but we have also added extra Ireland-specific content, including coverage of CyFun.
First Things First: What Does NIS2 Stand For?
NIS2 stands for the Network and Information Security Directive 2. It is an EU cybersecurity law, not a standard or framework. Its full legal name is Directive (EU) 2022/2555, but thankfully most people just call it NIS2.
And yes, one of the most common questions I get is:
"Is NIS2 the same as NIST?"
No. They sound similar, but they are completely different things. NIS2 is an EU directive. It sets legal cybersecurity obligations for organisations in scope. NIST usually refers to the US National Institute of Standards and Technology, which publishes cybersecurity frameworks and guidance, including the NIST Cybersecurity Framework. So, NIS2 tells certain organisations what they are legally expected to achieve. NIST-style frameworks can help organisations structure how they manage cybersecurity risk.
That is also one of the reasons CyFun is interesting. CyFun is a practical cybersecurity framework, and the updated CyFun 2025 framework has been aligned with international standards such as the NIST Cybersecurity Framework 2.0, as well as legislation and regulation including NIS2.
In other words:
NIS2 is the legal driver.
NIST is a framework reference point.
CyFun helps translate cybersecurity expectations into practical controls and evidence.
What Is NIS2?
NIS2 is the EU's updated cybersecurity directive. It replaces the original NIS Directive and expands cybersecurity obligations across more sectors and more types of organisations. It is designed to improve cyber resilience across critical and important services, including areas such as energy, transport, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, manufacturing, food, postal and courier services, research, and digital providers.
In plain English: NIS2 is about making sure organisations that society and the economy depend on have appropriate cybersecurity measures in place, understand their risks, can respond to incidents, and have leadership taking cyber risk seriously.
Is NIS2 Already Law in Ireland?
The NCSC has noted that Ireland has not yet completed transposition of NIS2 into Irish law, and that the existing NIS1 framework continues to apply where relevant while national implementation progresses.
That does not mean organisations should wait.
Whether NIS2 applies to them is probably the first practical question most organisations ask. NIS2 generally applies to medium and large organisations operating in specified essential or important sectors. Some types of entity may fall within scope regardless of size, depending on the services they provide. But scope is not always obvious. An organisation might provide several different services. It might support an in-scope customer. It might sit inside a supply chain where NIS2 expectations start to appear in contracts, even if the organisation is not directly regulated itself.
That is why the NCSC's "Am I in Scope?" tool is so useful. It gives organisations a practical starting point for thinking through whether NIS2 may apply to them. And if you are unsure, ask. The NCSC has made it clear that organisations can send NIS2 queries to them.
Essential or Important: What Is the Difference?
NIS2 uses two main categories for organisations in scope: essential entities and important entities. The distinction depends on factors such as the sector, the type of service provided, and the size or significance of the organisation. The short version is that essential entities are generally subject to a more proactive supervisory approach, while important entities may be supervised more reactively. But both categories matter, and both involve cybersecurity risk management and incident reporting obligations.
If your organisation may be in scope, it is worth taking the time to understand which category may apply, what services are relevant, and what evidence you would need to support your position.
What Are Organisations Expected To Do?
The exact Irish legal framework is still being finalised, but the core direction of NIS2 is clear. In-scope organisations will need to take appropriate cybersecurity risk management measures. That includes areas such as governance, risk management, incident handling, supply chain security, business continuity, vulnerability handling, access control, training, and the use of appropriate technical and organisational controls. One of the biggest shifts is that NIS2 is not just an IT issue. It puts cybersecurity firmly into governance and management territory.
Boards and senior leaders need to understand the risks, approve appropriate measures, and oversee implementation. That does not mean every director needs to become a technical expert. It does mean leadership needs enough understanding to ask good questions, support the right investments, and take accountability seriously. That is a good thing. Cybersecurity works better when it is understood as an organisational risk, not just a technical problem sitting with one team.
Where Does CyFun Fit In?
This is where things get especially relevant for Irish organisations. CyFun, or the CyberFundamentals Framework, was developed by the Centre for Cybersecurity Belgium. The updated CyFun 2025 framework has been aligned with international standards such as the NIST Cybersecurity Framework 2.0 and with legislation and regulation including NIS2.
CyFun is practical. It helps organisations structure their cybersecurity controls, assess maturity, and evidence what they have in place. That evidence point is important. Compliance is not just about saying "we have controls." It is about being able to show how those controls work, how they are governed, and how they are maintained.
The NCSC has also highlighted Cyber Fundamentals as part of Ireland's NIS2 readiness landscape. That does not mean CyFun automatically proves compliance. It does mean it is becoming a very useful framework for organisations that want a structured, recognised way to prepare.
Why We Added Extra CyFun Content To Our NIS2 Training
Standard NIS2 training is useful, but it can sometimes feel broad. The directive applies across the EU, but Irish professionals need to understand how to apply it in the Irish context. That is why our PECB NIS 2 Directive Lead Implementer training includes extra content on CyFun and the Irish regulatory perspective. The programme includes the PECB Certified NIS 2 Directive Lead Implementer courseware, exam, and certification, but we have added bonus live sessions to make the learning more relevant for organisations in Ireland.
The CyFun session looks at how the framework can be used as a practical baseline for NIS2 readiness. The Irish perspective session looks at NCSC guidance, the developing Irish regulatory landscape, and the practical questions Irish organisations are asking now.
The Questions You Should Be Asking Now
Are we likely to be in scope?
Have we checked the NCSC's NIS2 guidance and "Am I in Scope?" tool?
Do we understand whether we may be an essential or important entity?
Who owns cybersecurity risk at management level?
Do we have documented cybersecurity risk management measures?
Can we evidence the controls we say we have?
Do we have an incident response process that would stand up under pressure?
Have we looked at supply chain risk?
Could CyFun help?
Who in the organisation needs training so this does not sit with one person?
We Are All Navigating This Together
It is easy for regulatory change to feel intimidating, especially when the detail is still developing. But NIS2 should not be treated as a panic project. It is an opportunity to build stronger cybersecurity governance, clearer accountability, better incident readiness, and more confidence across the organisation.
The NCSC is putting guidance and tools in place. They are open to questions. CyFun gives organisations a practical way to think about cybersecurity maturity. And training helps turn all of that into a plan people can actually implement.
The next cohort starts 3 July 2026. Most participants complete the programme and sit the exam within four to six weeks.
If you'd like to discuss whether this programme is right for your role or organisation, contact me directly at [email protected].
