The operational and reputational damage inflicted by a cyberbreach is bad enough, but there is also the prospect of regulatory punishment. All organisations are covered by GDPR to one extent or another, financial institutions have to comply with the Digital Operational Resilience Act (DORA), while organisations considered to be important entities are governed by NIS2 as well. Then there is the EU Cyber Resilience Act (CRA) and of course the earlier EU Cybersecurity Act. Sanctions can be harsh – under GDPR fines can be as high as €20 million or 4 per cent of a company’s global annual turnover, whichever is higher.
But how can organisations keep pace with these regulations and ensure they don’t fall foul of them?

According to Eoghan Daly, partner and head of cybersecurity with BDO Dublin, regulation, while cumbersome, serves as a critical driver for organisations to prioritise security, moving it from a technical IT problem to a boardroom-level priority. “Regulations like GDPR, DORA, and NIS2 set minimum standards for data protection and operational resilience, ensuring that organisations take concrete steps to protect sensitive information and critical infrastructure,” he explains. “Without these regulations, many organisations might not invest sufficiently in cybersecurity, leaving them and their customers vulnerable. The rules create a framework of accountability, which is essential for building public trust in a digital economy.”
Yet the sheer number and complexity of the regulations, especially for those operating in multiple jurisdictions, can be hugely challenging. “Companies often face challenges like resource constraints, a lack of skilled personnel, and the need to constantly adapt to evolving rules,” notes Daly.
PwC’s 2025 Irish CEO survey revealed that nearly half (48 per cent) of Ireland’s business leaders believe that changes in the regulatory environment will influence their organisation’s economic viability. “In my experience, the best shortcut is where I’ve seen clients shift their focus from strictly adhering to individual regulations to proactively managing their cyber (and indeed other) risks and building resilience into their operations,” notes Moira Cronin, digital risk partner, PwC Ireland. “This way, compliance becomes a natural outcome rather than the sole objective, enabling organisations to truly understand the value of managing their cyber risk posture.”

Given the obligations imposed by the various regulations, Irish businesses are encouraged to stay informed about these regulations and engage with subject matter experts to ensure compliance, says Neil Redmond, director of cybersecurity, PwC Ireland. “Participation in industry forums can offer valuable insights and guidance for effective implementation, helping Irish businesses mitigate regulatory risks and adapt to the dynamic landscape of cybersecurity and data governance.”
Of all the regulations, the NIS2 (Network and Information Systems) Directive is perhaps the one with the most wide-ranging impact, Redmond points out. “This expands the scope of sectors covered by cybersecurity resilience regulation and intensifies security requirements for critical and digital infrastructure,” he explains, noting that practically all key industry sectors in Ireland are in-scope for this regulation. “As it is expected to be transposed into Irish law by December of this year, affected sectors should proactively prepare for enhanced risk management and incident response obligations.”
Non-compliance with NIS2 can lead to fines of up to €10 million or 2 per cent of global annual turnover, depending on a company’s size and sector. “It should also be borne in mind that the board of each organisation is accountable for NIS2 compliance,” adds Redmond.
The National Cyber Security Centre’s (NCSC) June 2025 guidance on risk management measures lays out actions companies should take to be NIS2-compliant, distinguishing between minimum requirements needed for compliance and further actions that can be taken if additional risks are identified.
Sanctions for non-compliance are severe and vary by regulation, notes Jackie Hennessy, who leads KPMG’s technology risk services. These include potentially multi-million euro fines but also investigations, enforced audits, and even operational bans. “To avoid these outcomes, entities should prepare for their obligations under these regulations as early as possible to allow them to meet the regulatory timeline,” Hennessy says. “Ensuring top-level management accountability and setting up a framework that allows for the continuous management of these obligations will also be key to avoiding regulatory surprises and reputational damage.”
Experts agree, however, that regulation that is too complex or burdensome – or multiple overlapping regulations – can be counterproductive. As a result, there are efforts ongoing in the EU to review digital regulations and ensure that they are implemented efficiently, transparently and consistently, notes Aine Clarke, digital and AI affairs executive with Ibec.
“A ‘digital simplification package’ is due for publication by the end of 2025, with cyber regulation as one of the main areas of focus,” Clarke explains. “In fact, it’s likely that Ireland will play an important role in driving this initiative forward during our presidency of the European Council from July to December 2026.”

While larger companies with more resources are generally more capable of handling compliance, smaller businesses often mistakenly think they will not be targeted, says David McNamara, founder of CommSec.
“In reality, lacking proper cyber defences can make them the weakest link in the supply chain,” he warns. “This means they may still be held accountable under regulations like NIS2, especially if they supply to essential or important entities.” Adopting frameworks like ISO 27001, whether certified or not, helps organisations align with regulatory requirements. “It strengthens both your security posture and governance.”
BDO’s Daly also suggests a strategic, holistic approach to compliance. “Rather than treating compliance as a one-off project, it must be embedded into the company culture through regular employee training and awareness programmes.”
The compliance burden may seem overwhelming for many organisations. But McNamara says regulators will consider whether an organisation is making a genuine effort. “If a business is clearly on the road to compliance, has adopted controls, and is working towards strengthening their cyber posture, that will count in their favour,” he notes. “Doing nothing and burying your head in the sand, however, leaves you wide open to penalties.”
McNamara points out that practical supports are available to help businesses of all sizes, but particularly for SMEs. “Enterprise Ireland offers funding for cyber assessments, and the NCSC has also provided implementation grants of up to €60,000. Cybersecurity is included in Ireland’s national development plan, so further support is expected.”