John Grennan, Eamon Gallagher & Wayne Morgan
In light of the ever-evolving cyber threat landscape, the European Union is stepping up efforts to protect EU citizens' data. From data protection and incident response to operational resilience, a wave of cybersecurity legislation is reshaping how organisations across the EU must operate.
In this post, we unpack the most important current and upcoming EU cybersecurity regulations—and what they mean for your business.
Cyberattacks are no longer isolated events; they're strategic threats to national economies and public safety. In response, the EU has launched a series of coordinated laws aimed at improving digital trust, safeguarding critical systems, and enhancing cooperation across member states.
For businesses operating within or trading with the EU, this means more obligations, but also more opportunities to demonstrate resilience and reliability.
Adopted: 27 December 2022
Transposition deadline: 17 October 2024
Status in Ireland: Missed transposition deadline – legislation still pending as of June 2025
NIS2 sets strict cybersecurity and incident reporting obligations for essential and important entities, including digital service providers, healthcare, utilities, and MSPs. It significantly broadens the scope compared to the original NIS Directive.
Ireland has not yet transposed NIS2 into national law, despite the deadline having passed in October 2024. A draft bill is expected soon, but enforcement remains in limbo. However, businesses falling under the scope should already be preparing. Once enacted, Irish authorities are likely to move swiftly with implementation and oversight.
Expected adoption: Q3 2024
Applies from: Likely Q3–Q4 2026 (24 months after adoption)
Status in Ireland: Will apply automatically as an EU regulation
The CRA imposes mandatory cybersecurity requirements for digital products (e.g. software, smart devices) sold in the EU. It introduces vulnerability handling processes, secure-by-design principles, and ongoing update obligations.
Irish manufacturers, distributors, and importers should be reviewing their product security practices now—especially if they serve regulated industries or export into the EU market.
In force since: 16 January 2023
Applies from: 17 January 2025
Status in Ireland: Fully applicable as of this year
DORA sets operational resilience standards for financial entities, including banks, insurers, fintech firms, and their ICT third-party providers. It mandates risk assessments, testing, reporting, and resilience planning.
DORA is now active. Irish firms regulated by the Central Bank must be fully compliant as of January 2025. If your organisation provides services to the financial sector, expect DORA-aligned security and resilience requirements in contracts.
Adopted: December 2022
Transposition deadline: 10 October 2024
Status in Ireland: Still not transposed as of June 2025
CER complements NIS2 by addressing the physical resilience of critical infrastructure providers. It covers sectors like energy, water, health, and public transport, requiring risk assessments, threat modelling, and protection plans.
Ireland has missed the transposition deadline. However, organisations in critical sectors are strongly advised to prepare for CER-like obligations, especially where overlaps with NIS2 and EU strategies already exist.
In force since: June 2019
Status in Ireland: Directly applicable EU regulation
The Cybersecurity Act provides a voluntary certification framework for ICT products, services, and processes. While not mandatory, it gives assurance of robust cybersecurity standards.
Irish IT providers can seek EU cybersecurity certification as a trust signal, particularly valuable when working with public sector or regulated customers.
In force since: 25 May 2018
Status in Ireland: Transposed via Data Protection Act 2018
GDPR continues to require strong technical and organisational measures to protect personal data. Breach reporting, data minimisation, and secure processing remain core pillars.
Ireland’s Data Protection Commission (DPC) remains one of the EU’s most active regulators due to the number of multinational HQs here.
Expected adoption: Late 2025 or early 2026
Applies from: TBD (will be an EU Regulation)
Status in Ireland: Not yet in force
The Cyber Solidarity Act will provide an EU-wide cyber emergency response framework, including threat intelligence sharing, joint incident response, and crisis preparedness.
Ireland is expected to participate via its national CERT and cybersecurity bodies. Organisations in key sectors may later benefit from access to shared tools or support during pan-European cyber incidents.
Published: December 2020
Status: Strategic roadmap (non-legally binding)
This overarching framework guides the EU’s legislative agenda and shapes national cybersecurity priorities.
Ireland’s National Cyber Security Strategy is closely aligned with the EU vision, with ongoing investment in threat intelligence, critical infrastructure protection, and digital sovereignty.
Many of these regulations are already active—or overdue. For Irish businesses, this creates a risk of:
Achieving compliance for some of these regulations, such as NIS2, can be complex, particularly for SMBs that may lack the internal resources to manage the extensive requirements. Partnering with an ISO 27001:2023 certified MSP like IT.ie offers significant advantages. While we provide the expertise, tools, and services necessary to implement and maintain a multi-layered cybersecurity strategy, the ultimate responsibility for achieving and maintaining compliance rests with your organisation. Our role is to support you by offering solutions that align with the directive's requirements, helping you to build a resilient security posture. However, it's important to understand that compliance is a continuous process that requires your organisation's commitment to regularly assess, update, and manage its cybersecurity measures in accordance with the relevant regulations.
Even if some laws haven't been enforced in Ireland yet, your clients, partners, and regulators are already expecting action. Get in touch with us at hello@it.ie to see how we can support your cybersecurity journey.
© IT.ie. All rights reserved. Designed and published by IT.ie.