
Around half of Irish organisations do not manage cyber risk at board level.
That finding comes from a live poll conducted at a recent National Cyber Security Centre event, cited in Bird and Bird’s March 2026 analysis of NIS2 in Ireland and the forthcoming National Cyber Security Bill. It is not a criticism of those businesses.
It reflects the way technology and business growth have always coincided — responsibility landing with whoever was closest to the problem at the time.
Under the legislation now working its way through the Oireachtas, that will not be enough.
Ireland’s National Cyber Security Bill will bring NIS2 into Irish law. When it does, accountability for cybersecurity risk management moves formally to senior management. Personal liability for directors is part of the framework. The sectors in scope are broader than most people realise.
NIS2 in Ireland: where the legislation actually stands
Ireland missed the EU’s original NIS2 transposition deadline of October 2024.
The National Cyber Security Bill, which will bring NIS2 into full Irish law, is still working through the legislative process.
As of March 2026, Ireland had not yet completed formal transposition, though substantial preparatory work has been done and the direction is not in doubt.
The NCSC has confirmed that both the NIS2 registration portal and incident reporting portal will open once the legislation is implemented.
That date has not been officially confirmed, though a number of legal and compliance guides are pointing to July 2026 as the expected timing, with a three-month registration window following the portal launch.
The NCSC’s own NIS2 page is the authoritative source to monitor as the bill progresses.
What is confirmed is this: the bill is moving, personal director liability is part of the framework, and the sectors in scope are broader than most businesses realise.
Health, energy, banking, digital infrastructure, manufacturing, food production and distribution, postal and courier services, waste management and more are all covered.
If you have not yet checked whether your organisation is likely to be in scope, the NCSC has published an ‘Am I in Scope’ tool that is a useful starting point.
It is not definitive, but it is designed to help organisations think through the aspects of their business that might bring them into scope.
Who formally owns cyber risk in your organisation, and do they have the authority, the board access and the seniority to act on it?
Why NIS2 in Ireland is a leadership issue, not just a compliance one
Article 20 of NIS2 places accountability for cybersecurity risk management squarely with senior management, not the IT team. Under Ireland’s forthcoming legislation, personal liability provisions are expected to hold directors and senior officers responsible for compliance failures — with consequences including personal liability, temporary bans from exercising management functions and significant administrative fines. Bird and Bird’s analysis sets this out clearly and is worth reading if your board has not yet had this conversation. (Bird and Bird, March 2026)
A recent live poll at an NCSC conference found that approximately 50 per cent of Irish organisations manage cyber risk at board level, while the other half delegate responsibility to CIOs, CISOs or IT Managers. (IAPP, February 2026) For companies in the 50 to 500 employee range, the picture is often less defined still. Cyber accountability has grown informally around whoever was closest to IT as the business scaled. That arrangement worked when cyber was a technical issue. Under NIS2, it will not be enough.
What the Irish NIS2 market is telling us right now
IT Search’s 2026 Salary Report projects 12 to 15 per cent growth in demand for cybersecurity talent in Ireland this year, driven largely by NIS2 and DORA. Their dedicated Cyber Security Salary Guide 2026 puts it plainly: Ireland now counts over 9,000 cybersecurity professionals, but an estimated 1,200 or more new roles are required annually to keep pace with business and regulatory needs.
The best candidates in this space, people who can lead the function and communicate it at board level, are not sitting idle waiting to be found.
They are already in roles, and they are being approached constantly.
A slow or unfocused hiring process will lose the right person, and so will a rushed one.
Speed and specificity both matter, and both require having a clear answer to one question before you go to market: what is this person actually being hired to own?
Define the leadership gap before you define the job title
One of the most common mistakes companies make in response to regulatory pressure is to move straight to a job title. We need a CISO. Or do we need a cyber manager? Maybe it should all be under the Head of IT.
Any of those may turn out to be the right answer, but going to market before the business has answered the underlying questions is a way to hire the wrong person quickly.
Before scoping the role, the business needs to understand what the person is actually being hired to own.
Is this a strategic leadership position with board access and cross-functional authority?
Is it a governance and compliance role?
Is it a technical security role?
Is it an interim appointment to bridge the gap while a longer-term solution is built?
Is it a reshaping of an existing IT Manager or Head of IT role to reflect the accountability NIS2 now requires?
These questions shape everything that follows: the seniority of the hire, the salary, the type of candidate who will be interested and, most importantly, whether the person appointed has a genuine chance of succeeding.
Responsibility without authority is a risk in itself, and it is one that shows up in poorly scoped IT leadership roles more often than it should.
Questions worth asking now, not when the portal opens
Before deadline pressure drives the decision, these are the questions Irish CEOs, CTOs and IT Directors should be sitting with:
• Who formally owns cyber risk in your organisation today, and is that ownership clear or assumed?
• Does that person have the authority to act, the budget to make change happen and the board access to brief leadership in plain language?
• Is your current IT leadership structure strong enough for what NIS2 will require, or has it grown informally around the needs of the business at an earlier stage?
• If the current arrangement is not fit for the new accountability framework, is the answer a new hire, a reshaped existing role or an interim appointment to provide expertise while a longer-term solution is built?
• If a hire is the right answer, do you know what profile is realistic in the current Irish candidate market and what the right salary expectation looks like?
These are not questions about panic or compliance for its own sake. They are questions about clarity, and the companies that answer them carefully and correctly now will be in a significantly stronger position than those that wait for a portal launch date to force the decision.
How Star Recruitment can help
I work with Irish companies at exactly this stage.
My focus is senior IT leadership hiring — IT Managers, Heads of IT, IT Directors, CTOs and specialist roles in cybersecurity, data and digital delivery.
If NIS2 is prompting a leadership conversation in your business, I can help you define the role you actually need, understand what is realistic in the current Irish candidate market and find the right person before deadline pressure turns a considered decision into a rushed one.
Reach me at imelda@starrecruitment.ie or connect with me directly on LinkedIn. You can also visit www.starrecruitment.ie to learn more about how we work.
Sources
NCSC Ireland — NIS2 guidance and registration
NCSC Ireland — Am I in Scope tool
Bird and Bird — NIS2 and Ireland’s National Cyber Security Bill, March 2026
twobirds.com/en/insights/2026/ireland/nis2-and-irelands-national-cyber-security-bill
IAPP — NIS2 and Ireland’s National Cyber Security Bill, February 2026
Enactia — Ireland National Cyber Security Bill NIS2 Guide
enactia.com/ireland-national-cyber-security-bill-2024-2026-nis2-guide-enactia
NIS2 Directive transposition tracker, Ireland update March 2026
nis-2-directive.com/Transposition/Ireland.html
IT Search Salary Report 2026
itsearch.ie/resource/it-search-salary-report-2026
IT Search Cyber Security Salary Guide 2026
itsearch.ie/resource/cyber-security-salary-guide-2026

