Press release

New guidance and Cyber Fundamentals framework aim to simplify obligations and strengthen trust


Ireland’s National Cyber Security Centre (NCSC) has today published a new set of proposed Risk Management Measures (RMMs) and launched Cyber Fundamentals, a practical cyber security framework designed to help organisations comply with the EU’s NIS2 Directive, the wide-ranging legislation governing cyber risk and resilience in critical sectors.

This marks a significant step in Ireland’s implementation of NIS2, providing a structured roadmap for the several thousand essential and important entities expected to come under the directive’s scope once transposed into Irish law in the coming months.

Joseph Stephens, Director of Resilience at the NCSC, said:

“A core challenge in this process has been determining how thousands of different businesses can demonstrate compliance with the directive’s broad security measure.

“We’ve worked hard to develop a framework that provides clear guidance, while remaining flexible enough to accommodate organisations of different sizes, sectors, and risk profiles. Teaming up with other countries like Belgium and Romania makes this a solution that will work across the EU.”


What’s being launched

  • Risk Management Measures (RMMs): A detailed guide setting out what essential and important entities are expected to do under NIS2 to manage cybersecurity risk. The document aligns with the European Commission’s implementing act and will inform future national legislation
  • Cyber Fundamentals: A structured, tiered framework based on the NIST Cybersecurity Framework. It provides practical, actionable controls to help entities meet their obligations, and can be used to prepare for a voluntary cyber security certification scheme

The RMMs set out the minimum measures that, in the view of the NCSC, are required to meet the obligations of NIS2 for essential and important entities.

Linked with this, the NCSC has also launched the Cyber Fundamentals Framework (CyFun) to provide a voluntary, structured, risk-based approach for essential and important entities to implement these measures. CyFun is a cyber security framework originally developed in Belgium, with the aim of making NIS2 compliance easier.

The draft RMMs include the minimum baseline of compliance and represent the ‘what’ organisations need to do for NIS2 compliance, while the CyFun scheme is an optional ‘how’ they may do it.


Cyber fundamentals

The National Cyber Security Centre (NCSC) recommends the CyFun scheme as a well-recognised, structured, voluntary tool to assist entities in meeting their NIS2 obligations. Certification through CyberFundamentals will be optional but is seen as a strong and credible route to demonstrating compliance and can also serve as a business enabler and trust-building mechanism in supply chains and regulatory contexts. While CyFun is recommended, other frameworks such as ISO 27001, ISO 62443, COBIT, or NIST standards can also be used to help meet these requirements.

A key tool to enable frictionless implementation of the framework by entities is the launch of the CyFun scheme in Ireland. Cyber Fundamentals provides a tiered, standards-based framework grounded in the NIST Cybersecurity Framework v1.1, soon to transition to v2.0 (Q3 2025). Version 1 is available for use now; however, for NIS2, the NCSC will be using the updated version, which is due in September 2025.

Once the forthcoming update is released, the scheme’s reliance on NIST CSF V2.0 provides a well-established framework structured around six key cybersecurity functions:

  • Govern: Determining how an organisation’s cybersecurity risk management strategy, risk appetite and policy are established, communicated, and monitored
  • Identify: Understanding organisational risks, assets, and vulnerabilities
  • Protect: Implementing controls to prevent cybersecurity incidents
  • Detect: Developing capabilities to recognise and respond to threats
  • Respond: Establishing incident response and mitigation procedures
  • Recover: Ensuring business continuity and resilience following incidents

At a broader level, a national certification system will take 18–24 months to establish due to the need for legal agreements, resourcing, and accreditation infrastructure. In the meantime, entities are encouraged to use the CyFun framework, which is freely available, internally to aid preparations.

National Competent Authorities (the regulators supervising the Directive) may wish to use CyFun as a basis for compliance assurance in advance of certification. CyFun is a preferred method of the NCSC’s own National Competent Authority for Public Administration for demonstrating compliance with NIS2 for entities in the public administration sector.


How CyFun works

At the core of the scheme is an initial selection tool that enables an organisation to determine its cybersecurity risk level. This assessment considers factors such as the organisation’s size, sector, risk exposure, and the potential impact of a security incident.

Based on this assessment, the organisation is assigned one of three levels (Basic, Important, Essential) of security maturity, ranging from foundational cybersecurity controls at the lower levels to more stringent requirements for high-risk entities. Each level has an increasing number of controls that an organisation implements, increasing the level of protection.

For organisations classified as essential or important under NIS2, CyFun will provide a pathway to certification or formal assurance. This ensures that organisations with a high degree of societal or economic importance can demonstrate compliance through a structured, externally validated process.

While the NCSC will develop specific resources and guides for the operation of CyFun in Ireland, there is already a significant amount of tooling and supports available from the CCB on their CyFun home page – www.cyfun.eu.

Ireland’s decision to join the Cyber Fundamentals Scheme represents a significant step in establishing a practical and internationally recognised compliance framework for NIS2.


Notes

The draft RMMs are aligned with the Commission’s Implementing Regulation for entities in the Digital Infrastructure, ICT Service Provider and Digital Provider sectors, which are covered by the ‘main establishment’ rule. The NCSC plans to further refine the RMMs once the enabling national legislation for implementation of NIS2 is in place. The RMMs guidance document is available at https://www.ncsc.gov.ie/CyFun/

The CyFun framework has also been formally adopted by Belgium, Ireland and Romania, with other European countries exploring its introduction. Belgium, Ireland and Romania maintain the framework and associated documents as scheme owners, which allows for its roll-out to other European countries. Access the CyFun homepage.

Ireland’s participation in CyFun as a scheme owner offers several advantages:

  • from a regulatory perspective, it provides a clear compliance route that can be recognised across sectors, simplifying the task of demonstrating compliance with NIS2
  • for National Competent Authorities, the scheme allows for a standardised approach to compliance assessment while maintaining sector-specific flexibility
  • for NIS2 essential and important entities, the scheme provides an accessible method of achieving cybersecurity assurance that is aligned with both European and global best practices
  • CyFun offers a structured pathway for improving cybersecurity maturity while ensuring that compliance requirements are proportionate to risk
  • the scheme also enhances harmonisation across EU Member States, reducing regulatory fragmentation and facilitating cross-border recognition of cybersecurity measures
  • Ireland’s participation strengthens the scheme’s credibility and reach. Given the significant presence of multinational companies in Ireland, the NCSC will be able to promote the adoption of the scheme not only within Ireland but across the EU
  • by aligning with an EU-based scheme that leverages the NIST CSF, the NCSC is supporting the creation of a harmonised approach that balances European regulatory requirements with global cybersecurity best practices. While full implementation will take time, the decision to join as a scheme owner ensures that Ireland is positioned to play an active role in shaping the future of cybersecurity assurance across Europe

A member of the National Cyber Security Centre may be available for interview upon request. Requests should be sent to the Department of Justice Press Office at pressoffice@justice.ie