What NIS2 means for senior leaders and global organisations
Sponsored

Julie Austin

Partner, Mason Hayes & Curran

Ciara O’Rourke

Associate, Mason Hayes & Curran

The new NIS2 Directive is set to reshape how organisations approach cyber security. However, Member States’ different approaches are leading to complex and duplicative processes for global organisations.


The introduction of the Network and Information Security 2 (NIS2) Directive is the EU’s response to the rising volume and sophistication of cyberattacks, demonstrated by high-profile incidents such as the CrowdStrike outage.

New directive for cyber security

The NIS2 Directive will reshape how organisations approach cyber security, with new requirements for registration, risk management, board responsibility, incident reporting and training. Julie Austin, Partner in the Data and Technology Team at Mason Hayes & Curran, discusses the upcoming changes: “Cyber security can no longer be left to the IT team. Senior management in each jurisdiction is now responsible for compliance. The stakes are high, with direct accountability for boards and senior management for compliance failings.”

Fragmented approach across the EU

As a general rule, many organisations outside of the digital sector will be subject to the separate and concurrent jurisdiction of each Member State in which they are established. These jurisdictional rules are causing significant headaches for multinational organisations, as the rules can vary from jurisdiction to jurisdiction. Austin says: “What we are seeing in practice is that the national laws transposing NIS2 can differ materially, and different jurisdictions are at completely different places in the implementation process.”

There are some specific obligations in some countries which don’t exist in others. For example, Hungary requires organisations to appoint an auditor from an approved list by 15 September 2025. Other jurisdictions require risk assessments to be conducted annually and submitted to the relevant competent authority.

Ireland’s National Cyber Security Centre (NCSC) published draft Risk Management Measures in June 2025 and has adopted the Cyber Fundamentals (Cy-Fun) certification scheme, both of which are helpful tools for NIS2 compliance planning. Other Member States are doing things differently.


European Cyber Law Network

Mason Hayes & Curran has established a European Cyber Law Network to support multinational clients navigating NIS2. “Under these new rules, the same cyber incident may need to be reported separately in 27 different Member States within 24 hours,” explains Ciara O’Rourke, Associate on the Data and Technology team. “This is creating inefficiencies and duplication.”

“Our network connects lawyers on the ground in each Member State,” says Austin. “We are taking away confusion and complication for our clients, giving them coordinated, strategic advice on local divergences and helping them prepare for the challenges of multi-jurisdictional compliance.”

With Ireland expected to transpose NIS2 by Q4 2025 / Q1 2026, organisations should start preparing now. “Organisations that act early, mapping obligations, upskilling management and monitoring national developments, will be best placed to meet NIS2 head-on,” adds O’Rourke.
