Mason Hayes & Curran: Many businesses unprepared for NIS2
Four in ten Irish businesses will not be prepared for NIS2 compliance by next week’s deadline, a survey by Mason Hayes & Curran suggests.
The business law firm surveyed 160 professionals ahead of 17 October, the date by which the government must transpose NIS2 into Irish law.
NIS2, which builds on the existing Network and Information Security (NIS) directive, dramatically broadens the scope of regulated sectors and introduces tougher cybersecurity standards across the EU. With Ireland playing a central role in enforcement, the financial and reputational consequences for non-compliance could be severe.
The survey found that 38 per cent of businesses have not yet updated their cybersecurity polices, leaving many organisations potentially exposed under the EU’s new regulatory regime.
Julie Austin, privacy and data security partner at Mason Hayes & Curran, said: “With the deadline for transposition just days away, the clock is ticking for businesses across Ireland.
“NIS2 is not just about adding more compliance checklists — it demands a complete overhaul of how organisations approach cybersecurity. The new directive puts leadership accountability at its core. We are working intensively with clients to review policies, update governance structures, and ensure senior leadership is fully engaged.”
Complexity emerged as the primary concern for implementing NIS2, with more than two-thirds (67 per cent) of respondents highlighting it as their biggest challenge.
Michael Madden, commercial partner at Mason Hayes & Curran, said: “While the complexity of NIS2 is daunting, it presents an opportunity for Irish businesses to lead by example in cybersecurity best practices, potentially influencing the broader European landscape. As a hub for digital services, Ireland’s approach to NIS2 will be closely watched.
“By embracing a proactive, risk-based approach, companies can not only achieve compliance but also gain a competitive edge. The key is to view NIS2 not as a regulatory burden, but as a catalyst for building a stronger, more secure business.”
The survey also highlighted that a quarter of businesses (25 per cent) are not confident in their ability to meet their new reporting requirements under NIS2. The new directive mandates that incidents are detected and reported within 24 to 72 hours.
Ms Austin added: “The new window for reporting incidents is extremely tight, and failure to comply could result in severe penalties. We are helping clients to significantly streamline their reporting processes to ensure they can act swiftly and mitigate the risk of costly sanctions.”