National Cyber Security Centre announces new risk management measures for NIS2 Directive, enhancing national cybersecurity protocols.

The Roadmap to NIS2 Compliance: NCSC Unveils New Risk Management Measures

On June 24, 2025, the National Cyber Security Centre (NCSC) published its proposed Risk Management Measures (RMMs) for the NIS2 Directive, alongside the launch of the Cyber Fundamentals (CyFun) framework. Together, this guidance provides a critical roadmap for organisations working towards comprehensive NIS2 compliance.

Understanding the NCSC's New RMMs

The NIS2 Directive (Directive (EU) 2022/2555) sets a high bar for cybersecurity across the EU, requiring essential and important entities to implement robust risk management measures. The NCSC’s proposed RMMs provide non-binding, yet crucial, guidance for Irish entities on how to demonstrate compliance with Article 21 of the Directive.

These RMMs are categorised to provide a clear roadmap to NIS2 Directive Compliance:

  • Foundation Actions: These are the minimum controls the NCSC considers essential to meet the legislative obligations of NIS2. They form the bedrock of a secure cyber posture.
  • Supporting Actions: These supplemental controls are recommended based on an organisation’s specific risks, allowing for a tailored approach to cybersecurity.

The guidance encompasses 16 categories of RMMs, offering detailed advice, tips, and even suggested evidence for compliance. This comprehensive approach covers everything from governance and incident handling to reporting mechanisms.

It’s important to note that Cyber Fundamentals is a new voluntary certification programme that enables entities to meet the NIS2 technical requirements; it will not be the sole method for demonstrating compliance. The NCSC estimates it will take 18-24 months to establish the national certification system for Cyber Fundamentals. In the meantime, other frameworks such as ISO 27001, ISO 62443, COBIT, or the NIST standards can also be used, offering flexibility for organisations already committed to established security practices.

Additionally, it’s worth highlighting that the RMMs generally do not apply to “relevant entities” (such as most digital infrastructure and ICT service management providers). These are primarily subject to Commission Implementing Regulation (EU) 2024/2690. However, “relevant entities” still need to consider RMM001 (registration) and RMM002 (governance) from this guidance.

Reinforcing Our 10-Step Guide to NIS2 Compliance

We’ve been helping our customers navigate the complexities of NIS2 for some time, as highlighted in our 10-Step Guide to NIS2 Compliance. The NCSC’s new RMMs directly reinforce and expand upon the principles we’ve always advocated.

Our existing guide emphasises crucial areas such as:

  • Risk Assessment: The NCSC’s RMMs underscore the importance of continuous risk analysis, aligning closely with our step to identify vulnerabilities proactively.
  • Incident Response & Business Continuity: The new measures provide more granular detail on handling incidents and ensuring operational resilience, which are core components of our guidance.
  • Access Control & Security Policies: The RMMs provide further emphasis on these foundational security practices.
  • Security Awareness Training: The NCSC continues to highlight the human element in cybersecurity, echoing our focus on comprehensive training programmes.
  • Vulnerability Management, Monitoring & Logging, Supply Chain Security, and Data Protection: These critical areas, which are the foundations of our 10-step guide, are all deeply embedded within the NCSC proposed RMMs.

What This Means for Your Organisation

The release of these RMMs signifies Ireland’s proactive stance in implementing NIS2. For essential and important entities, understanding and adopting these measures is no longer simply good practice; it is now a clear expectation for demonstrating compliance.

As a technology provider, we are uniquely positioned to assist you in aligning with these new NCSC guidelines.

We can help you:

  • Assess your current security posture against the NCSC’s Foundation and Supporting Actions.
  • Develop and implement necessary technical, operational, and organisational measures to meet the RMMs.
  • Integrate CyFun or leverage existing frameworks to achieve demonstrable NIS2 compliance.
  • Prepare for audits and demonstrate evidence of your compliance efforts.

The path to NIS2 compliance is ongoing, and these new measures from the NCSC provide a valuable framework for Irish organisations. Partnering with an experienced technology provider ensures you have the expertise and support to navigate these requirements effectively, safeguarding your operations and reputation in an increasingly digital world.

For more detailed information, you can refer to the NCSC’s NIS 2 Risk Management Measures Guidance; you can also reach out to us on 0818 987 900 or at hello@intuity.ie if you have any questions.