On 24 June 2025, Ireland's National Cyber Security Centre (NCSC) published a set of proposed Risk Management Measures (RMMs) and launched Cyber Fundamentals, a framework designed to assist organisations to comply with the EU’s Directive (EU) 2022/2555 (the NIS2 Directive). The NIS2 Directive sets out high-level cybersecurity measures for in-scope entities across the EU and is to be transposed in Ireland by the upcoming National Cybersecurity Bill.
RMMs
Who do they apply to?
The RMMs are intended to apply to essential and important entities that are within scope of the NIS2 Directive and subject to the jurisdiction of Ireland. Under Article 21 of the NIS2 Directive, individual Member States must ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of certain network and information systems and to prevent or minimise the impact of incidents on service recipients and other services.
The RMMs, however, are largely not proposed to apply to ‘relevant entities’ (including most in-scope providers in the digital infrastructure, digital provider and ICT service management sectors) which are instead subject to the risk management measures set out in Commission Implementing Regulation (EU) 2024/2690. The exception to this is the risk management measures relating to registration (RMM001) and governance (RMM002).
Within Ireland, categorisation of essential and important entities will be defined by the criteria set out in the proposed National Cybersecurity Bill (which is yet to be finalised), but will at a minimum include entities falling within the scope of the NIS2 Directive, such as providers of public electronic communications networks, providers of publicly available electronic communications services, and providers within the transport, energy and healthcare sectors contemplated by Annex I and Annex II to the NIS2 Directive.
What are the measures?
The RMMs provide non-binding guidance on the measures that essential and important entities can take to demonstrate compliance with the obligations under Article 21 of the NIS2 Directive within Ireland. The RMMs are grouped into the following categories:
Foundation Actions: Controls which the NCSC considers to be the minimum required to meet the legislative obligations of the Directive; and
Supporting Actions: Supplemental controls which may be required, depending on the specific risks faced by the organisation.
The guidelines include 16 categories of RMMs which essential and important entities will have to comply with at a minimum. Under each measure, the NCSC has provided detailed guidance, including tips and suggested evidence that in-scope entities can use to demonstrate compliance against each measure. The measures include the minimum items identified in Article 21(2) of the NIS2 Directive, from governance measures to incident handling and reporting measures.
For further details on the RMMs please see here.
Cyber Fundamentals
Additionally, the NCSC launched its Cyber Fundamentals framework. Whilst the RMMs are designed to demonstrate the types of measures that organisations can take in order to meet the requirements of the NIS2 Directive, Cyber Fundamentals is a cyber security framework designed to help entities to achieve compliance with the NIS2 technical requirements by providing a voluntary certification program.
The NCSC has estimated that it will take a further 18-24 months to establish the national certification system under Cyber Fundamentals. The NCSC has confirmed that while Cyber Fundamentals (or CyFun) can assist in demonstrating credible compliance with cyber security, it will not be considered to be the only way for an in-scope entity to demonstrate compliance, as other frameworks such as ISO 27001, ISO 62443, COBIT or NIST standards can also be used to help meet these requirements.
While the NCSC develops tailored resources and guides for the operation of CyFun in Ireland, the CCB’s CyFun website is available for implementation support here.
If you would like any further information on the RMMs, please contact Aideen Burke, partner, Tayla Price, lawyer, Shannon Owens, solicitor or your usual contact on A&L Goodbody’s Technology team.
Date published: 1 July 2025