
NIS2: Understanding Cybersecurity Incident Notifications

The European Union’s revised Network and Information Systems Directive (NIS2) establishes clear instructions for how companies and public sector bodies should respond to cybersecurity attacks.

The proposed National Cyber Security Bill (CSB), still in preparation, is the legislative measure to transpose NIS2 into Irish law. As of the date of this article, the general scheme of the CSB is available but the CSB has not yet been drafted or put before the Oireachtas. Because of the 2024 general election, the Irish Government missed the 17 October 2024 deadline for EU member states to transpose NIS2 into domestic law. The newly formed Irish Government published its Spring 2025 Legislative Programme on 18 February 2025, and the CSB has been assigned for priority drafting during the Spring session.

Central to NIS2 are the provisions for both mandatory incident notifications and voluntary notifications, as outlined in Articles 23 and 30. These provisions set out obligations in relation to reporting cybersecurity incidents and promote proactive engagement with the Computer Security Incident Response Team (CSIRT) to safeguard essential services. In Ireland, the NCSC will be designated as the CSIRT for Ireland.

1. The Importance of Incident Notifications

Incident reporting and handling is essential to mitigate the impact of increasing cyberattacks and other significant incidents, to maintain public trust, and to prevent potential cascading effects across essential services. The incident notification scheme under NIS2 intends to strike a balance between the need for swift reporting to contain the impact of incidents and the need for in-depth reporting to learn from incidents. Therefore, NIS2 implements a multi-stage notification process. Proper notification procedures ensure that the NCSC is promptly informed and can take appropriate measures to address and mitigate the incident, while also obtaining information to formulate valuable lessons.

Under NIS2, incident notifications are not limited to mandatory notifications alone. Voluntary notifications are also encouraged, promoting a culture of proactive cybersecurity management where companies collaborate with authorities to tackle potential threats and actual incidents.

2. Mandatory Notification of Cybersecurity Incidents

NIS2 outlines the requirement for mandatory incident notifications. This obligation applies to essential and important entities, as discussed in our previous article. The rationale behind mandatory notifications is to ensure the timely reporting of incidents that could significantly impact the operation of essential services.

Obligations Under Article 23 of NIS2

a) Significant Incident: Under NIS2, incidents that have caused or are capable of causing severe operational disruption of the services of, or financial loss for, the in-scope entity concerned, or that have caused or are capable of causing considerable material or non-material damage to other natural or legal persons, must be reported within specific time frames. The European Commission has published the final version of Commission Implementing Regulation (EU) 2024/2690 (CIR), which provides further detail on what is considered ‘significant’ in terms of reporting incidents and related obligations. While the CIR is limited in application to certain in-scope entities (e.g. DNS service providers, cloud computing service providers, search engines and social networking platforms), it is helpful to all entities in giving further meaning to NIS2’s requirements.

b) Who should you notify?: Companies should notify both the CSIRT and, where appropriate, the recipients of their services of significant incidents that are likely to adversely affect the provision of those services, as well as any measures or remedies that those recipients are able to take in response to the significant incident.

c) Notification Timing and Content: Companies are required to notify NCSC:

  • without undue delay, and in any event within 24 hours of becoming aware of a significant incident, indicating if the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact;
  • without undue delay, and in any event within 72 hours of becoming aware of a significant incident, updating the information already provided and providing an initial assessment of the significant incident, including its severity and impact, as well as the indicators of compromise where available (incident notification);
  • at NCSC’s request, an intermediate report on relevant status updates; and
  • not later than one month after the submission of the incident notification, a detailed description of the incident, including its severity and impact, the type of threat or root cause that is likely to have triggered the incident, applied and ongoing mitigation measures. The report should also include, where applicable, the cross-border impact of the incident, and in the event of an ongoing incident, provide a progress report and a final report within one month of their handling of the incident.

In the case of a notified significant incident, the NCSC shall provide the notifying entity with initial feedback on the significant incident and, if requested by the notifying entity, guidance and operational advice on implementing possible mitigation measures and additional technical support. Where the significant incident is suspected to be of a criminal nature, the NCSC shall provide guidance on reporting to law enforcement authorities.

3. Voluntary Notifications of Cybersecurity Incidents

Article 30 of NIS2 introduces a provision for voluntary notifications. Voluntary reporting encourages companies to engage with the NCSC, acting as the CSIRT, even when an incident does not meet the threshold for mandatory notification. This proactive approach (along with Article 29 on information-sharing) helps build a broader understanding of the cybersecurity landscape in Ireland and allows for early intervention in potential threats.

a) Who can submit a voluntary notification? Any company that encounters a significant incident, regardless of whether it falls within the scope of NIS2; and essential and important entities in respect of all incidents, cyber threats and near misses.

b) What information should be provided? The NCSC may request relevant information regarding the voluntary notification.

It is important to note that voluntary reporting will not result in any additional obligations on the company that it would not have been subject to had it not submitted the notification.  However, this is without prejudice to the prevention, prosecution, investigation and detection of criminal offences.

Voluntary notifications allow companies to obtain guidance from the NCSC, even if the incident does not meet mandatory reporting thresholds. The voluntary notification regime should help companies to improve their cybersecurity framework.

Next steps

NIS2 provides a robust framework for managing cybersecurity threats in Ireland. The mandatory notification requirements ensure that significant incidents are promptly reported, allowing swift action to protect critical infrastructure and essential services. Meanwhile, the voluntary notification provisions encourage organisations to engage with authorities even for minor incidents, fostering a proactive and collaborative approach to cybersecurity.

Companies should start reviewing their data breach and incident handling processes and procedures now to ensure compliance with these updated timelines, once NIS2 is implemented in Ireland. This will include:

  • ensuring that the definitions of incidents and breaches under existing policies also align with the definition of ‘significant incidents’ that must be reported under NIS2;
  • updating existing timeframes, escalation procedures, notifiable bodies and reporting obligations in existing policies and procedures to ensure compliance with NIS2;
  • putting in place or updating investigation and remediation procedures to ensure that required information and reporting will be available within the required timeframes;
  • training relevant personnel and stakeholders to ensure awareness of new notification and reporting obligations;
  • updating relevant documentation and forms; and
  • maintaining appropriate incident logs and records, including documenting decisions not to report and the rationale.
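The multi-stage timeline in section 2(c) above, together with the last point in this list (logging decisions not to report, with the rationale), is the kind of thing an incident-response team will want tracked in tooling rather than in people's heads. The following is an added example written for this article; it is not code from the Directive, the NCSC or William Fry. It takes the 24-hour and 72-hour windows from Article 23 as summarised above and models "one month" as a calendar month (an assumption: the Directive does not specify 30 days). The incident identifier, timestamps and the class and function names are all constructed for the example. The point it shows that the prose does not is that the final-report clock starts from the submission of the incident notification, not from awareness, and that an incident still ongoing at the one-month mark owes a progress report first, with the final report falling one month after handling is completed.

```python
"""Deadline tracker for the NIS2 Article 23 multi-stage notification process.

Example code written for this article, not NCSC or Directive tooling. The 24h and
72h windows follow Article 23; 'one month' is modelled as a calendar month
(an assumption made here, since the Directive does not say 30 days).
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)          # Article 23: early warning
INCIDENT_NOTIFICATION_WINDOW = timedelta(hours=72)  # Article 23: incident notification
UTC = timezone.utc


def add_one_month(ts: datetime) -> datetime:
    """Advance ts by one calendar month, clamping the day for shorter months
    (31 January -> 28 or 29 February)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class SignificantIncident:
    """Timestamps an entity records for one significant incident (all UTC)."""
    incident_id: str
    aware_at: datetime                                   # moment the entity became aware
    early_warning_at: Optional[datetime] = None          # 24h stage submitted
    incident_notification_at: Optional[datetime] = None  # 72h stage submitted
    progress_report_at: Optional[datetime] = None        # only if ongoing at one month
    final_report_at: Optional[datetime] = None
    handling_completed_at: Optional[datetime] = None     # None while still ongoing


def deadlines(inc: SignificantIncident) -> Dict[str, Optional[datetime]]:
    """Deadline per stage, or None where that stage's clock has not started.

    The one-month clock runs from *submission* of the incident notification.
    If handling is still ongoing at that point, a progress report is due then
    and the final report falls one month after handling is completed."""
    due: Dict[str, Optional[datetime]] = {
        "early_warning": inc.aware_at + EARLY_WARNING_WINDOW,
        "incident_notification": inc.aware_at + INCIDENT_NOTIFICATION_WINDOW,
        "final_report": None,
    }
    if inc.incident_notification_at is None:
        return due  # incident notification not yet submitted: one-month clock not started
    one_month_on = add_one_month(inc.incident_notification_at)
    done = inc.handling_completed_at
    if done is not None and done <= one_month_on:
        due["final_report"] = one_month_on
    else:
        due["progress_report"] = one_month_on
        due["final_report"] = add_one_month(done) if done is not None else None
    return due


def stage_status(deadline: Optional[datetime], submitted_at: Optional[datetime],
                 now: datetime) -> str:
    """Classify one stage relative to its deadline."""
    if deadline is None:
        return "clock not started"
    if submitted_at is not None:
        return "submitted late" if submitted_at > deadline else "submitted"
    return "OVERDUE" if now > deadline else "pending"


def notification_status(inc: SignificantIncident, now: datetime) -> Dict[str, str]:
    """Status of every stage that currently applies to the incident."""
    submitted = {
        "early_warning": inc.early_warning_at,
        "incident_notification": inc.incident_notification_at,
        "progress_report": inc.progress_report_at,
        "final_report": inc.final_report_at,
    }
    return {stage: stage_status(dl, submitted[stage], now)
            for stage, dl in deadlines(inc).items()}


@dataclass
class NonReportingDecision:
    """Log entry for a decision that an incident is *not* significant. The
    rationale is mandatory so the incident log shows why nothing was notified."""
    incident_id: str
    decided_at: datetime
    rationale: str

    def __post_init__(self) -> None:
        if not self.rationale.strip():
            raise ValueError("a decision not to report must record its rationale")


def example_status() -> Dict[str, str]:
    """Constructed sample: aware 3 March 2025 09:00 UTC; early warning on time,
    incident notification one hour late, still ongoing and unreported on 10 April."""
    inc = SignificantIncident(
        incident_id="INC-EXAMPLE-001",  # constructed identifier
        aware_at=datetime(2025, 3, 3, 9, 0, tzinfo=UTC),
        early_warning_at=datetime(2025, 3, 3, 20, 0, tzinfo=UTC),
        incident_notification_at=datetime(2025, 3, 6, 10, 0, tzinfo=UTC),
    )
    return notification_status(inc, now=datetime(2025, 4, 10, 12, 0, tzinfo=UTC))


if __name__ == "__main__":
    for stage, state in example_status().items():
        print(f"{stage:22} {state}")
```

For the constructed sample the tracker reports the early warning as submitted, the incident notification as submitted late (73 hours after awareness), the progress report as overdue (the incident was still ongoing a month after the notification was filed and nothing was sent) and the final report as not yet started. Feeding it the timestamps of a real incident as they are recorded is enough to drive escalation; the rationale check on `NonReportingDecision` is there so the log can later show why a given incident was judged below the threshold.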

As cyber threats continue to evolve, NIS2’s focus on both mandatory and voluntary notifications highlights the importance of timely reporting and cooperation.

For more information on NIS2, see the previous article in our NIS2 series here, or William Fry’s TechReg Connect software solution. Contact Leo Moore, Rachel Hayes, Susan Walsh, or your usual William Fry contact on our expert Technology team.