Cybersecurity Incident Response Plan (Ireland)
CYBERSECURITY INCIDENT RESPONSE PLAN
Organisation: [Organisation Name]
Address: [Organisation Address]
Sector: [Sector Type]
Version: [Plan Version]
Date of Approval: [Approval Date]
1. PURPOSE AND SCOPE
1.1 This Cybersecurity Incident Response Plan (the "Plan") sets out the procedures by which [Organisation Name] (the "Organisation") will detect, report, contain, eradicate, recover from, and review cybersecurity incidents affecting its information systems, networks, and data.
1.2 This Plan is designed to comply with the requirements of:
- The NIS2 Directive (Directive (EU) 2022/2555), as transposed into Irish law by the National Cyber Security Bill 2024 and the associated Network and Information Security Regulations;
- The General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018, in respect of personal data breaches;
- The National Cyber Security Centre (NCSC) incident reporting guidelines; and
- Any sector-specific regulatory requirements applicable to the Organisation's activities.
1.3 This Plan applies to all information systems, networks, cloud services, and data assets operated by or on behalf of [Organisation Name], including those operated by third-party service providers. The critical systems covered by this Plan include: [Critical Systems Description].
1.4 All employees, contractors, third-party suppliers, and any other person with access to the Organisation's information systems are required to comply with this Plan.
2. INCIDENT RESPONSE TEAM
2.1 The Organisation has established an Incident Response Team (IRT) responsible for executing this Plan. The IRT comprises the following roles:
- Incident Response Lead: [IRT Lead Name], [IRT Lead Title] — overall coordination and decision-making authority during an incident;
- Data Protection Officer: [DPO Name] — responsible for assessing GDPR and Data Protection Act 2018 notification obligations;
- IT Security Contact: [IT Security Contact Name] — technical investigation, containment, and remediation;
- Legal Counsel: [Legal Contact Name] — legal advice, regulatory liaison, and privilege considerations.
2.2 The Incident Response Lead has authority to activate this Plan, convene the IRT, escalate to senior management, and authorise communications with regulators and third parties.
2.3 In the absence of the Incident Response Lead, the IT Security Contact shall assume the coordination role until the Lead is available.
3. INCIDENT CLASSIFICATION
3.1 The Organisation classifies cybersecurity incidents using the following severity framework: [Severity Levels].
3.2 Severity levels are assigned as follows:
- Critical: Incidents with severe impact on critical systems or services, potential for widespread data loss, ransomware affecting core infrastructure, or incidents likely to constitute 'significant incidents' requiring NCSC notification under the NIS2 Directive;
- High: Confirmed breaches of personal data affecting a large number of individuals, or system compromise with significant operational impact;
- Medium: Suspected breaches or incidents with moderate impact, requiring investigation and containment;
- Low: Minor security events, failed attacks, or policy violations with limited impact.
3.3 A 'significant incident' within the meaning of Article 23(3) of the NIS2 Directive is one that has caused or is capable of causing severe operational disruption of the Organisation's services or financial loss for the Organisation, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The Incident Response Lead shall assess every Critical or High severity incident against this definition at the time it is logged, because the 24-hour early-warning period in section 5.1 runs from the moment the Organisation becomes aware of the incident, not from the moment its significance is confirmed.
4. DETECTION AND INITIAL REPORTING
4.1 Any employee, contractor, or system user who detects or suspects a cybersecurity incident must report it immediately to the IT Security Contact and the Incident Response Lead by the most expeditious means available, including telephone or emergency email.
4.2 Upon receipt of an incident report, the IRT shall record the following information in the Organisation's Incident Log:
- Date and time the incident was first detected;
- Name and contact details of the person who detected or reported the incident;
- Description of the incident, including systems and data affected;
- Preliminary assessment of severity;
- Immediate actions taken.
4.3 The Incident Response Lead shall convene the IRT within two hours of receiving notification of a Critical or High severity incident.
5. MANDATORY REGULATORY NOTIFICATION
5.1 NIS2 Notification (NCSC): Where an incident constitutes or is reasonably suspected to constitute a 'significant incident' within the meaning of the NIS2 Directive, the Organisation shall:
- Submit an Early Warning to the National Cyber Security Centre (NCSC) ([NCSC Contact]) within 24 hours of becoming aware of the incident, indicating whether it is suspected to be the result of unlawful or malicious action and whether it has a cross-border impact;
- Submit a full Incident Notification to the NCSC within 72 hours of becoming aware of the incident, including an initial assessment of the incident, its severity and impact, and any indicators of compromise;
- Submit a Final Report to the NCSC not later than one month after the Incident Notification, setting out a detailed description of the incident including its severity and impact, the type of threat or root cause that is likely to have triggered it, the applied and ongoing mitigation measures, and any cross-border impact. Where the incident is still ongoing at that point, a progress report shall be submitted instead and the Final Report within one month of the incident being handled. Intermediate status updates shall be provided whenever the NCSC requests them.
5.2 GDPR / Data Protection Act 2018 Notification (DPC): Where the incident constitutes a personal data breach which is likely to result in a risk to the rights and freedoms of natural persons, the DPO shall notify the Data Protection Commission (DPC) ([DPC Contact]) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the notification is made later than 72 hours, it shall be accompanied by the reasons for the delay. Every personal data breach, including one assessed as not requiring notification, shall be recorded in the Incident Log together with the facts, effects and remedial action and the reasoning for the decision, as required by Article 33(5) GDPR. The notification shall include:
- The nature of the personal data breach, including the categories and approximate number of data subjects and records concerned;
- Contact details of the DPO;
- Likely consequences of the breach;
- Measures taken or proposed to address the breach.
5.3 Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the DPO shall also notify affected individuals without undue delay under Article 34 GDPR.
5.4 Sector Regulator: Where required by the Organisation's sector-specific regulatory obligations, the Incident Response Lead shall notify the relevant regulator ([Sector Regulator Contact]) within the timelines prescribed by that regulator.
6. CONTAINMENT, ERADICATION, AND RECOVERY
6.1 Containment: Upon confirmation of an incident, the IT Security Contact shall implement immediate containment measures proportionate to the severity of the incident, which may include isolation of affected systems at the network level, suspension or credential reset of affected user and service accounts, blocking of malicious IP addresses and domains, and preservation of forensic evidence. Where practicable, volatile evidence (memory, running processes, active network connections) shall be captured before an affected system is powered off or re-imaged, since those actions destroy it.
6.2 Eradication: Following containment, the IT Security Contact shall identify and remove the root cause of the incident, including malware, persistence mechanisms, unauthorised access, unpatched vulnerabilities, or misconfigured systems. A technical root cause analysis shall be documented, as the NCSC may require it for the Final Report under section 5.1.
6.3 Recovery: Systems and services shall be restored from validated clean backups or secure configurations. Before a backup is used, the IT Security Contact shall confirm that it predates the earliest known point of compromise, so that the attacker's access is not restored with the data. Recovery shall be verified through testing before systems are returned to production. The Incident Response Lead shall authorise the return to normal operations.
6.4 Evidence Preservation: All forensic evidence relating to the incident, including system logs, disk and memory images, network captures, and malware samples, shall be preserved in a manner that maintains its integrity and chain of custody in case of subsequent legal or regulatory proceedings. A cryptographic hash of each item shall be recorded at the time of collection, and every transfer of custody shall be logged with the date, time and persons involved.
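One way to implement the integrity and chain-of-custody requirement in section 6.4, as an added illustration that is not part of the template itself: hash each artefact at collection time into a manifest, and keep a custody log in which each entry is hashed together with the hash of the previous entry, so that editing or deleting an earlier entry breaks the chain. The file names, manifest layout, custody-log format and role names below are assumptions made for this example; nothing here is prescribed by NIS2, the GDPR or the NCSC.

```python
"""Evidence manifest with SHA-256 hashes and a hash-chained custody log.

Added example, not part of the template: shows how section 6.4's integrity
and chain-of-custody requirement can be implemented. The manifest layout,
custody-log format and sample artefacts are assumptions for this example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large captures are not read into memory at once


def sha256_file(path):
    """Return the hex SHA-256 of a file, streaming it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def collect(paths, collector, incident_id):
    """Build a manifest recording who collected each artefact, when, its size and hash."""
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for p in sorted(paths):
        items.append({
            "path": os.path.basename(p),
            "size": os.path.getsize(p),
            "sha256": sha256_file(p),
            "collected_by": collector,
            "collected_at": now,
        })
    manifest = {"incident_id": incident_id, "items": items}
    # Hash of the item list: record this in the custody log and give it to counsel,
    # so later edits to the manifest itself are detectable.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(items, sort_keys=True).encode()).hexdigest()
    return manifest


def verify(manifest, directory):
    """Recompute hashes and return the names of artefacts that no longer match."""
    bad = []
    for item in manifest["items"]:
        p = os.path.join(directory, item["path"])
        if not os.path.exists(p) or sha256_file(p) != item["sha256"]:
            bad.append(item["path"])
    return bad


def custody_append(log, actor, action, note):
    """Append a custody event whose hash also covers the previous entry's hash."""
    prev = log[-1]["entry_sha256"] if log else "0" * 64
    entry = {"at": datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "note": note, "prev_sha256": prev}
    entry["entry_sha256"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return log


def custody_verify(log):
    """Return True only if every entry's hash and back-link to its predecessor are intact."""
    prev = "0" * 64
    for e in log:
        if e["prev_sha256"] != prev:
            return False
        body = {k: v for k, v in e.items() if k != "entry_sha256"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if digest != e["entry_sha256"]:
            return False
        prev = e["entry_sha256"]
    return True


def demo():
    """Constructed sample: two artefacts, one altered after collection, and a custody
    log that is later edited. Returns (altered_files, chain_ok_before, chain_ok_after)."""
    d = tempfile.mkdtemp()
    files = []
    samples = [("auth.log", b"Failed password for root from 203.0.113.7\n"),  # constructed
               ("dump.pcap", b"\xd4\xc3\xb2\xa1" + b"\x00" * 64)]              # constructed
    for name, data in samples:
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        files.append(p)
    manifest = collect(files, "IT Security Contact", "INC-0001")
    clean = verify(manifest, d)  # expected: no mismatches right after collection
    log = custody_append([], "IT Security Contact", "collected", manifest["manifest_sha256"])
    custody_append(log, "Legal Counsel", "received", "sealed copy")
    chain_ok = custody_verify(log) and clean == []
    with open(files[0], "ab") as f:   # simulate tampering with an artefact
        f.write(b"tampered\n")
    altered = verify(manifest, d)
    log[0]["note"] = "edited"         # simulate tampering with the custody log
    return altered, chain_ok, custody_verify(log)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest and custody log are written to storage the investigation team cannot silently modify (a write-once bucket or a signed record held by counsel), and the manifest hash is quoted in the Incident Log entry for the collection.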
7. COMMUNICATIONS AND ESCALATION
7.1 Internal communications regarding the incident shall be coordinated by the Incident Response Lead. All communications shall be factual, timely, and consistent.
7.2 External communications, including communications with customers, media, or third parties, shall be approved by the Incident Response Lead and Legal Counsel before release. No employee shall make any unauthorised public statement regarding a cybersecurity incident.
7.3 Where the incident may affect third-party service providers or business partners, the Incident Response Lead shall notify those parties as soon as reasonably practicable, subject to legal privilege considerations.
8. POST-INCIDENT REVIEW
8.1 Within 30 days of the resolution of any High or Critical severity incident, the IRT shall conduct a post-incident review to assess:
- Whether the incident was handled in accordance with this Plan;
- The root cause and contributing factors;
- Effectiveness of containment, eradication, and recovery measures;
- Whether regulatory notification timelines were met;
- Lessons learned and recommended improvements to systems, processes, or this Plan.
8.2 The outcomes of the post-incident review shall be documented and presented to senior management. Identified improvement actions shall be assigned an owner and a target completion date.
9. PLAN MAINTENANCE AND TESTING
9.1 This Plan shall be reviewed [Review Frequency] and updated as necessary to reflect changes to the Organisation's systems, regulatory requirements, or the threat landscape. The next scheduled review is [Next Review Date].
9.2 The Organisation shall conduct incident response exercises at least annually to test the effectiveness of this Plan and the readiness of the IRT. Exercises may include tabletop simulations, technical drills, or full simulation exercises.
9.3 Any significant amendments to this Plan shall be approved by the Incident Response Lead and, where applicable, the Board of Directors or senior management of [Organisation Name].
10. GOVERNING FRAMEWORK
10.1 This Plan is governed by the laws of Ireland, including the Network and Information Security Regulations implementing the NIS2 Directive (Directive (EU) 2022/2555), the GDPR, the Data Protection Act 2018, and any applicable sector-specific legislation.
10.2 Queries regarding this Plan should be directed to the Incident Response Lead, [IRT Lead Name], [IRT Lead Title], at [Organisation Name].
APPROVED ON BEHALF OF [Organisation Name]:
Incident Response Lead: [IRT Lead Name]
Title: [IRT Lead Title]
Date: [Approval Date]
Incident Response Lead
________________
Signature
What Is a Cybersecurity Incident Response Plan (Ireland)?
A Cybersecurity Incident Response Plan (IRP) is the internal document that sets out how an Irish organisation detects, classifies, contains, eradicates, recovers from and reports cybersecurity incidents, and who is responsible for each step. For organisations in scope of NIS2 it is one of the risk-management measures the National Cyber Security Bill 2024 requires; for any organisation processing personal data it is the practical basis for meeting the breach-notification duties in the GDPR and the Data Protection Act 2018.
The plan defines what constitutes an incident — ranging from phishing attacks and ransomware infections to distributed denial-of-service attacks and insider threats — and sets out the step-by-step procedures the organisation will follow from initial detection through to full recovery and post-incident review. It assigns clear roles and responsibilities to an incident response team, typically comprising IT security personnel, legal counsel, communications leads, and senior management.
Beyond technical containment, an IRP addresses the organisation's regulatory obligations. Under NIS2, significant cybersecurity incidents must be reported to the NCSC's CSIRT-IE within 24 hours (early warning) and 72 hours (detailed notification), with a final report within one month. Where an incident also constitutes a personal data breach under GDPR, a parallel notification to the Data Protection Commission (DPC) must be made without undue delay and, where feasible, within 72 hours. The IRP confirms these dual reporting timelines are tracked and met. The maximum NIS2 administrative fines are €10 million or 2% of global annual turnover for essential entities and €7 million or 1.4% for important entities; GDPR fines for breach-notification failures can reach €10 million or 2%, and for breaches of the core processing principles €20 million or 4%.
For organisations in regulated sectors such as financial services, healthcare and critical infrastructure, the IRP also interfaces with sector-specific regulatory obligations, such as the Central Bank of Ireland's Cross-Industry Guidance on Information Technology and Cybersecurity Risks and, for financial entities, the separate major ICT-related incident reporting regime under the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), as well as the Health Service Executive's cybersecurity governance requirements.
The legal framework governing a Cybersecurity Incident Response Plan in Ireland draws on several statutes and regulators. The NIS2 Directive (Directive (EU) 2022/2555) is being transposed through the National Cyber Security Bill 2024; until that transposition is complete, the European Union (Measures for a High Common Level of Security of Network and Information Systems) Regulations 2018 (S.I. No. 360 of 2018) continue to apply to operators of essential services and relevant digital service providers, with the National Cyber Security Centre (NCSC) and its CSIRT-IE as the reporting point. The GDPR and the Data Protection Act 2018 govern personal data breaches, enforced by the Data Protection Commission (DPC). Sector regulators, notably the Central Bank of Ireland for financial services, may impose additional incident-reporting duties. Organisations adopting this template should confirm that it reflects current Irish law, including any regulations or statutory instruments made after the original drafting date, since the NIS2 transposition timetable and the NCSC's reporting procedures are still being finalised.
When Do You Need a Cybersecurity Incident Response Plan (Ireland)?
A Cybersecurity Incident Response Plan is needed before an incident occurs — not after. The window between an attack being launched and an organisation detecting it can be days or weeks, and without a pre-established response plan, critical time is lost in improvised decision-making, escalating both operational damage and regulatory liability.
Under the National Cyber Security Bill 2024, organisations in NIS2 scope must have formal incident management capabilities in place before they are required to register with the NCSC. The self-registration deadline is three months after the NCSC portal launches, expected in mid-2026, and first audits are anticipated by mid-2027. Organisations that cannot demonstrate a functioning IRP at that stage face compliance sanctions.
An IRP is also needed when a significant change occurs in the organisation's risk profile — such as migrating to cloud infrastructure, acquiring a new business, onboarding a high-volume data processor, or expanding remote working arrangements. Each of these changes alters the threat surface and may require the IRP to be updated.
For organisations subject to the GDPR, the DPC expects that a process for assessing, recording, and reporting suspected personal data breaches is in operation at all times. Where a cybersecurity incident results in a data breach and the organisation cannot demonstrate it had a functioning response plan, the DPC may treat the absence of such a plan as an aggravating factor in any enforcement action.
Financially, cyber insurance providers in Ireland increasingly require evidence of a documented IRP as a condition of coverage. Organisations without one may find their claims disputed or their premiums significantly higher.
What to Include in Your Cybersecurity Incident Response Plan (Ireland)
A thorough Cybersecurity Incident Response Plan for Irish organisations should include the following key elements.
The purpose and scope section defines what types of incidents are covered, which systems and data are in scope, and which legal frameworks the plan is designed to address — including NIS2, GDPR, and any sector-specific regulations.
The incident classification matrix provides a severity framework, whether numbered (Severity 1, critical, full system compromise or active data exfiltration, down to Severity 4, informational, minor anomalies with no operational impact) or labelled Critical/High/Medium/Low as in the template above. NIS2 'significant incident' thresholds should be mapped onto this matrix so that the highest tiers automatically trigger the 24-hour early-warning assessment.
The response team structure section identifies the Incident Response Team lead, IT security personnel, the Data Protection Officer, legal counsel, the communications/PR lead, and senior management, with 24/7 contact details and clear escalation paths.
The notification obligations section details the dual reporting timelines: 24-hour early warning and 72-hour detailed notification to CSIRT-IE/NCSC for NIS2 reportable incidents; 72-hour notification to the DPC for personal data breaches under Article 33 GDPR; and, where individuals are at high risk, notification to affected data subjects under Article 34 GDPR.
The containment and eradication procedures section provides technical checklists for isolating affected systems, preserving forensic evidence, removing threats, and restoring from clean backups.
The evidence preservation section confirms that logs, system images, and communications are preserved in a forensically sound manner for regulatory investigations and potential litigation.
The post-incident review section mandates a lessons-learned exercise following every significant incident, with documented findings and a plan update cycle, typically annual or after any major incident. The forms-legal.com Cybersecurity Incident Response Plan (Ireland) template covers the notification elements required under NIS2 and Articles 33 and 34 GDPR.
Additional compliance elements for a Cybersecurity Incident Response Plan used in Ireland include: Data Protection, in that personal data handled during an investigation (for example user identities in logs or captured traffic) still needs a lawful basis under Article 6 GDPR and the Data Protection Act 2018, and every personal data breach must be documented under Article 33(5) GDPR whether or not it is notified; Governing Law, in that the plan should specify Irish law and the jurisdiction of the Irish courts; and Sector Obligations, in that regulated entities should cross-reference the incident-reporting rules of their sector regulator, such as the Central Bank of Ireland for financial services, so that a single incident is assessed against every applicable timeline at once.
Sources & Citations
Statutory citations link to official government sources.
- GDPR Article 6 (EU)
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Cybersecurity Incident Response Plan (Ireland) (Ireland) [Legal document template]. Forms Legal. https://forms-legal.com/ireland/business/policies/cybersecurity-incident-response-plan-ireland
"Cybersecurity Incident Response Plan (Ireland) (Ireland)." Forms Legal, 2026, https://forms-legal.com/ireland/business/policies/cybersecurity-incident-response-plan-ireland.
@misc{formslegal-cybersecurity-incident-response-plan-ireland,
author = {{Forms Legal}},
title = {Cybersecurity Incident Response Plan (Ireland) (Ireland)},
year = {2026},
howpublished = {\url{https://forms-legal.com/ireland/business/policies/cybersecurity-incident-response-plan-ireland}},
note = {Free legal document template. Based on the NIS2 Directive, the GDPR and the Data Protection Act 2018}
}
Frequently Asked Questions
Ireland is in the process of transposing the EU's NIS2 Directive (Directive (EU) 2022/2555) through the National Cyber Security Bill 2024, which will bring approximately 4,500–6,000 organisations into scope. Until full transposition is complete, the original Network and Information Systems (NIS) Regulations 2018 (S.I. No. 360 of 2018) continue to apply to operators of essential services and relevant digital service providers. Under NIS2, entities classified as 'essential' or 'important' must implement appropriate and proportionate technical and organisational measures to manage cybersecurity risks. Critically, NIS2 introduces a strict multi-stage incident notification timeline. Affected entities must submit an early warning to the national CSIRT (CSIRT-IE, Ireland's Computer Security Incident Response Team, hosted within the NCSC) within 24 hours of becoming aware of a significant incident. A more detailed incident notification must follow within 72 hours, and a final report must be submitted within one month of that notification. A 'significant' incident under NIS2 is one that has caused or is capable of causing severe operational disruption or financial loss for the entity, or that affects or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. The National Cyber Security Centre (NCSC) is designated as Ireland's primary competent authority for managing large-scale cybersecurity incidents. In parallel, where an incident involves a personal data breach, the GDPR and the Data Protection Act 2018 require notification to the Data Protection Commission (DPC) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach.
A well-structured incident response plan follows six recognised phases, each of which should be documented and assigned to specific personnel within the organisation. The preparation phase involves establishing the incident response team, defining roles and responsibilities, maintaining an up-to-date asset inventory, and conducting regular tabletop exercises. Under NIS2, preparation also requires implementing supply chain security measures, as many incidents originate through third-party providers. The identification phase covers the detection of anomalies through monitoring tools, intrusion detection systems, and staff reporting. The plan should define what constitutes a reportable incident and include a severity classification matrix to distinguish minor events from significant incidents triggering NIS2 notification obligations. The containment phase involves immediate actions to limit the spread of an incident: isolating affected systems, revoking compromised credentials, and preserving evidence for forensic analysis. Short-term containment must be followed by long-term containment strategies to allow the organisation to continue operating safely. The eradication phase covers the removal of the root cause: eliminating malware, patching vulnerabilities, and closing the attack vector. This must be documented thoroughly, as the NCSC may request technical details in the final incident report. The recovery phase addresses the restoration of systems and services to normal operation, with verification that the threat has been fully removed. The lessons-learned phase closes the cycle: a post-incident review records what happened, whether the plan and the regulatory timelines were followed, and which improvements to controls or to the plan itself are needed.
Under NIS2 as implemented in Ireland, the obligation to maintain formal cybersecurity risk management measures, including an incident response capability, applies to medium and large organisations in sectors designated as 'essential' or 'important'. Essential sectors include energy (electricity, gas, oil, hydrogen), transport (air, rail, road, water), banking and financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (DNS, IXPs, cloud, data centres, content delivery), ICT service management (managed service providers and managed security service providers), public administration, and space. Important sectors include postal and courier services, waste management, chemicals, food, manufacturing, digital providers (online marketplaces, search engines, social networks), and research. Managed service providers (MSPs) are explicitly brought into scope under NIS2, meaning that Irish IT outsourcing companies providing managed IT services to clients in essential or important sectors must maintain their own incident response plans and may be required to register with the NCSC. Even for organisations outside NIS2 scope, a documented incident response plan aligned with established standards such as ISO/IEC 27035 or NIST SP 800-61 is strongly recommended. The DPC expects GDPR-regulated organisations to have procedures in place to detect, report, and investigate personal data breaches, which in practice requires incident response capabilities.
A Cybersecurity Incident Response Plan does not legally require a lawyer in Ireland; an organisation may draft and adopt the document itself. No statute mandates legal representation for the creation or approval of this type of internal policy. However, independent advice from a qualified Irish lawyer is recommended where the organisation is in NIS2 scope, handles large volumes of personal data, is subject to sector-specific reporting rules, or operates across borders where several regulators may need to be notified. A lawyer can verify that the plan reflects the current transposition status of NIS2, that the notification sections track the statutory timelines, and that the evidence-handling and communications provisions protect legal privilege. The Irish courts have jurisdiction over disputes arising from incidents handled under the plan, and regulators such as the NCSC and the DPC may examine the plan itself during an investigation, so professional review is particularly advisable where the document may be produced to a regulator or used as evidence in proceedings.
A Cybersecurity Incident Response Plan does not legally require a solicitor in Ireland, though legal advice is recommended for organisations with complex regulatory exposure. Under Irish law, organisations may draft and adopt this type of document independently. Regulators such as the NCSC, the DPC and sector authorities such as the Central Bank of Ireland may nonetheless have specific expectations of what the plan contains, and the Data Protection Act 2018 and the GDPR impose obligations on anyone handling personal data during an incident that a legal review can confirm are met. Where disputes arise, the Circuit Court or High Court of Ireland has jurisdiction. Forms-legal.com provides this template as a starting point; always review it with a qualified Irish solicitor where substantial value or regulatory complexity is involved.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.