NIS2 - Ireland’s Risk Management Measures and Cy-Fun

The National Centre for Cybersecurity in Ireland (NCSC) published its draft set of Risk Management Measures in accordance with the NIS2 Directive. The NCSC also announced that it joined the Cy-Fun framework, which has been developed by the Centre for Cybersecurity in Belgium. As we await the Irish transposition of NIS2, the draft Measures and the Cy-Fun framework act as helpful tools for NIS2 compliance planning. Our Data & Technology team highlights some key takeaways from these recent developments.


What you need to know

  • NIS2 has yet to be transposed into Irish law, with implementation expected by late 2025 or early 2026.
  • The NCSC has published draft Risk Management Measures, or ‘RMMs’, under Article 21 of NIS2, providing helpful interim guidance despite their draft status.
  • These draft RMMs offer a practical starting point for organisations outside the Digital Provider and Digital Infrastructure sectors that are preparing for NIS2 compliance.
  • Ireland will base its national assessment and certification scheme on the Cyber-Fundamentals Framework, also known as ‘Cy-Fun’, which is aligned with the NIST Cybersecurity Framework and currently being updated to version 2.0.
  • Cy-Fun is a non-sector-specific cybersecurity risk assessment tool, suitable for both essential and important entities and a valuable option for organisations seeking certification to support NIS2 compliance.

In June 2025, the National Centre for Cybersecurity (NCSC) published its proposed set of draft Risk Management Measures (RMMs) and launched Cyber Fundamentals (Cy-Fun). The draft RMMs and Cy-Fun will provide a cybersecurity framework to help organisations comply with their obligations under NIS2. These developments mark a step forward for in-scope entities preparing for the implementation of NIS2 in Ireland.

1. Draft Risk Management Measures

To recap, Article 21(1) of NIS2 requires Member States to put in place:

“appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services”.

Article 21(2) goes on to say that measures must be proportionate to the risk posed and must be based on an “all hazards approach” to protect systems and the physical environment. Article 21 also states that the risk management measures should include at a minimum:

  • Policies on risk analysis and information system security
  • Incident handling
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate

However, it is up to individual Member States to determine which precise RMMs will apply to in-scope entities within their jurisdiction, provided those measures meet the minimum requirements of Article 21(2) of the NIS2 Directive.

The European Commission published its Implementing Regulation[1] (Implementing Regulation) in October 2024, which created a single set of EU-wide RMMs for NIS2 entities within the digital providers and digital infrastructure sectors. Entities outside those sectors were therefore still largely in the dark as to the measures they would be expected to put in place to be NIS2 compliant. In June 2025, however, the NCSC published a draft set of RMMs for these entities in Ireland.

The draft Irish RMMs are divided into two categories. These are:

  • Foundation actions, and
  • Supporting actions

Foundation actions are the minimum controls the NCSC considers necessary to comply with NIS2. As described by the NCSC, foundation controls “establish a baseline of security practices that all entities are expected to uphold”.

Separately, supporting actions are additional controls that may be required depending on the specific risks faced by an organisation. When determining which supporting actions are needed for a given organisation, the draft Irish RMMs provide that organisations should conduct a thorough risk assessment. In the context of any risk assessment, entities need to consider several factors, including:

  • Exposure to risk
  • Size of the entity
  • Likelihood and severity of incidents
  • Societal and economic impact, and
  • The cost of implementing measures[2]

Even though they are still in draft form and therefore subject to change, the draft Irish RMMs are currently the best starting point for organisations in Ireland outside of the Digital Provider and Digital Infrastructure sectors when preparing for NIS2 compliance. They provide structured guidance that reflects the NCSC’s view of what NIS2 compliance looks like for in-scope Irish entities outside those two sectors.

2. Cyber Fundamentals Framework

The NCSC also announced in June 2025 that it had joined Cy-Fun, a framework originally developed by the Centre for Cybersecurity in Belgium. Along with Romania, Ireland will adopt Cy-Fun as its national assessment and certification scheme and has become a joint owner of the scheme.

Cy-Fun is largely based on the NIST Cybersecurity Framework and is currently being updated to align with version 2.0 of that framework. It is a tool that any entity can use to assess cybersecurity risk: it is not sector specific and can be used by both essential and important entities.

There will be a national certification scheme for Cy-Fun, with certification expected to be available by 2027. The NCSC has stated that the scheme does not, however, represent the sole route to compliance. It will be optional and voluntary, and the NCSC will continue to recognise other internationally accepted standards such as ISO 27001 for information security and ISO 62443 for industrial control systems.

Organisations considering whether to adopt a certification standard to help demonstrate NIS2 compliance should therefore include Cy-Fun among the options they assess.

Conclusion

The publication of the draft Irish RMMs and the announcement that Ireland is joining Cy-Fun are important developments for organisations preparing for NIS2 compliance. Although a Heads of Bill was published last year, NIS2 is not expected to be transposed into Irish law until late 2025 at the earliest. On this basis, the recent announcements from the NCSC give in-scope entities an early and structured indication of what needs to be done to become NIS2 compliant in Ireland, and how to do it.

For more information on the Draft Irish RMMs, Cy-Fun or NIS2 generally, please get in touch with a member of our Data & Technology team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1] Commission Implementing Regulation (EU) 2024/2690

[2] Recital 82, NIS2