NIS2 & the Online Safety Code: Irish Business Guide
Two big digital-regulation regimes are landing on Irish businesses at once — and they are often confused. NIS2 is an EU cybersecurity law aimed at protecting essential services; the Online Safety Code is an Irish rulebook for online platforms that host user content. If your organisation runs important infrastructure or an online service, you need to know which applies to you and what to do. This 2026 guide explains both in plain English.
NIS2: the EU cybersecurity directive
NIS2 (Directive (EU) 2022/2555) dramatically expands the EU’s cybersecurity rules. It applies to organisations in 18 sectors, split into “essential entities” (such as energy, transport, health, drinking water, digital infrastructure and public administration) and “important entities” in other sectors. If you are in scope, you must put in place risk-management measures, report significant incidents, and — crucially — hold senior management accountable for cybersecurity.
Where does Ireland stand in 2026?
The EU deadline to transpose NIS2 into national law was 17 October 2024, which Ireland missed. As of 2026, the National Cyber Security Bill is still progressing through the Oireachtas, and the European Commission has issued a formal notice over the delay. The Bill is expected to be enacted during 2026. It is set to introduce a self-registration requirement, meaning in-scope organisations must assess whether they fall under the regime and register with the National Cyber Security Centre (NCSC) within a set period after the system goes live.
Why boards need to pay attention
Under Article 20 of NIS2, senior managers are ultimately responsible for approving and overseeing cybersecurity risk-management measures. The penalties are serious: essential entities can face fines of up to €10 million or 2% of worldwide turnover, and important entities up to €7 million or 1.4% of worldwide turnover. Directors should not treat this as an “IT problem” — it is a governance and compliance issue.
The Online Safety Code: a separate regime
The Online Safety Code is not part of NIS2. It comes from Ireland’s Online Safety and Media Regulation Act 2022 and is enforced by Coimisiún na Meán (the Media Commission). Coimisiún na Meán adopted the final Code on 21 October 2024, and it places binding obligations on designated video-sharing platform services to protect children and the wider public from harmful content such as cyberbullying, incitement to hatred and content promoting self-harm.
Who does the Code affect?
The Code directly binds designated video-sharing platforms established in Ireland, but its ripple effects are wider: businesses that advertise on, build tools for, or rely on these platforms should understand the new content and age-assurance standards. If your business operates any service that hosts user-generated video, you should check whether you fall within scope.
What Irish businesses should do now
First, work out which regime, if any, applies to you — NIS2, the Online Safety Code, both, or neither. Second, for NIS2, begin a cyber risk assessment, tighten incident-response processes and prepare for registration with the NCSC. Third, for the Online Safety Code, review your content-moderation, reporting and age-assurance measures. Doing this early avoids a scramble when enforcement ramps up.
Our team can help you get ready. See our GDPR full compliance pack for SMEs, our data breach notification letter pack, and our AI Act readiness review, or explore our full GDPR & Data Protection service range.
Frequently asked questions
Is NIS2 already law in Ireland?
Not yet fully. The directive itself took effect at EU level, but Ireland’s transposing legislation, the National Cyber Security Bill, was still progressing through the Oireachtas in 2026. In-scope organisations should prepare now rather than wait for enactment.
Are NIS2 and the Online Safety Code the same thing?
No. NIS2 is an EU cybersecurity regime for essential and important entities. The Online Safety Code is an Irish content-safety regime for video-sharing platforms, enforced by Coimisiún na Meán. They are entirely separate.
What are the penalties under NIS2?
Essential entities can face fines of up to €10 million or 2% of global turnover, and important entities up to €7 million or 1.4% of global turnover, alongside potential personal accountability for senior management.
Get ahead of the deadline
Both regimes are moving quickly. Understanding whether NIS2 or the Online Safety Code applies to your business — and acting before enforcement begins — is the smart way to manage the risk.
This article is general information only and is not legal advice. Regulatory positions are evolving. Please book a consultation with a qualified professional before acting. Reviewed for general accuracy by an Irish solicitor.
