Navigating the EU’s updated cybersecurity rules just got easier. Ireland’s National Cyber Security Centre (NCSC) has published two essential guides—Risk Management Measures (RMMs) and Cyber Fundamentals (CyFun)—to help your organisation meet NIS2 requirements. Read on for a concise overview, actionable roadmaps and key resources.
What Is NIS2?
NIS2 stands for the Network and Information Security Directive 2, the European Union’s updated cybersecurity framework. It replaces the original NIS Directive to:
- Expand sector coverage
- Strengthen governance and accountability
- Harmonise enforcement across member states
It’s been effective since 16 January, 2023, with transposition into national law required by 17 October 2024.
Ireland’s New Guides: RMMs & Cyber Fundamentals (CyFun)
Ireland’s NCSC has launched two practical frameworks to support your compliance journey:
- Risk Management Measures (RMMs) Defines the “minimum baseline” of controls essential and important entities must implement. Aligned with the European Commission’s NIS2 implementing act, RMMs will shape Ireland’s forthcoming legislation. Link here
- Cyber Fundamentals (CyFun) A tiered maturity model—Basic • Important • Essential—based on the NIST (National Institute of Standards and Technology) Cybersecurity Framework. Co-owned by Belgium, Ireland and Romania, CyFun guides organisations through RMM adoption, voluntary certification and mapping existing standards to NIS2. Link here
Key Changes & Requirements
- Expanded Scope covers sectors such as public administration, postal services and critical-goods manufacturing.
- Governance & Accountability mandates board-level oversight, defined CISO (Chief Information Security Officer) roles and personal liability for senior managers.
- Risk Management requires formal assessments, supply-chain vetting, threat modelling and continuous vulnerability handling.
- Incident Reporting stipulates 24-hour early warning and 72-hour detailed notifications to the national CSIRT-IE (Computer Security Incident Response Team – Ireland).
- Enforcement & Penalties include fines up to €10 million or 2% of global turnover, plus administrative orders and temporary bans.
Why These Guides Matter
Pairing RMMs (“what” to do) with CyFun (“how” to do it) offers:
- Proportional guidance tailored to businesses of different sizes and risk profiles.
- A harmonised compliance approach across EU member states.
- A clear path toward voluntary certification under national legislation.
Inside Risk Management Measures (RMMs)
RMMs translate the EC’s (European Commission) implementing act into five practical domains:
- Governance and Accountability Board-level responsibilities, CISO roles and escalation protocols.
- Risk Assessment Supply-chain vetting, threat modelling and continuous vulnerability management.
- Incident Reporting 24-hour early warning and 72-hour detailed notification requirements.
- Technical Controls Access management, encryption, network segmentation and logging.
- Continuous Improvement Audit schedules, tabletop exercises and policy refresh cycles.
Getting Hands-On with Cyber Fundamentals (CyFun)
CyFun simplifies RMM adoption through a three-level model:
| Level | Focus | Ideal for |
| Basic | Foundational controls (e.g., MFA, patching) | Small organisations and low-risk entities |
| Important | Enhanced monitoring and incident response | Mid-sized organisations |
| Essential | Advanced governance and supply-chain security | Large enterprises and critical providers |
Organisations targeting certification can follow CyFun’s structured process, while others can map ISO 27001, COBIT (Control Objectives for Information and Related Technologies) or NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) controls back to RMMs for compliance assurance.
Integrated Compliance Roadmap
- Identify Affected Entities – Determine Essential vs. Important status based on sector and size thresholds.
- Conduct Risk Assessment – Catalogue digital assets, model threats and prioritise vulnerabilities.
- Develop Security Policies – draft policies on encryption, access controls, patch management, supplier security and incident response.
- Embed Governance Structures – Appoint a CISO, formalise board cyber-risk committees and establish escalation protocols.
- Implement Technical Controls – Roll out MFA (Multi-Factor Authentication), network segmentation, intrusion detection, logging and regular vulnerability scans.
- Build Incident Response Capabilities – Create, test and refine your response plan covering containment, remediation, communication and recovery.
- Train & Raise Awareness – Launch organisation-wide cybersecurity training, phishing simulations and executive briefings.
- Monitor & Review – Schedule regular audits, tabletop exercises, policy reviews and continuous improvement cycles.
Transposition & Timeline
| Milestone | Date |
| NIS2 enters into force | 16 January 2023 |
| EU-wide transposition deadline | 17 October 2024 |
| Draft Irish Cyber Security Bill published | September 2024 |
| RMMs & CyFun launch in Ireland | 24 June 2025 |
| Estimated entity compliance deadline | Q2 2025 (est.) |
- Basic
- Focus: Foundational controls (e.g., MFA, patching)
- Ideal for: Small organisations and low-risk entities
- Important
- Focus: Enhanced monitoring and incident response
- Ideal for: Mid-sized organisations
- Essential
- Focus: Advanced governance and supply-chain security
- Ideal for: Large enterprises and critical providers
NIS2 enters into force
- 16 January 2023
EU-wide transposition deadline
- 17 October 2024
Draft Irish Cyber Security Bill published
- September 2024
RMMs & CyFun launch in Ireland
- 24 June 2025
Estimated entity compliance deadline
- Q2 2025 (est.)
Ireland is finalising it’s national legislation and related portals for registration and incident reporting ahead of full enforcement.
Next Steps & Resources
- Review RMMs guidance: https://www.ncsc.gov.ie/pdfs/NIS2_Draft_Risk_Management_Measures_Guidance.pdf
- Explore CyFun framework: https://www.cyfun.eu
- ENISA Transposition & Implementation Guide: https://www.enisa.europa.eu/publications/nis2-transposition-and-implementation-guide
- EC Management Accountability & Risk Framework: https://commission.europa.eu/publications/ec-management-accountability-risk-framework-2025
- NIS2 Directive Full Text: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555
- NIST Cybersecurity Framework v1.1: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- Irish Data Protection Commission: GDPR/NIS2 overlap guidance https://www.dataprotection.ie/en/resources/guidance
- “Am I in Scope?” Tool (launching soon): https://www.ncsc.gov.ie/am-i-in-scope
How NewTec Services Can Help
At NewTec Services, we translate these guides into tailored action plans:
- Gap analyses against RMMs and CyFun tiers.
- Customised risk assessments and technical roadmaps.
- Incident response planning and tabletop exercises.
- Mapping ISO 27001, COBIT and other standards to NIS2 requirements.
Ready to turn these resources into compliance success? Contact Newtec Services at 01 531 3777 or visit our website atwww.newtecservces.ie
Stay proactive, stay compliant! — The NewTec Services Team
Kind Regards,
The Newtec Services Team
