In advance of the proposed transposition of the NIS 2 Directive in Ireland (currently expected in early 2026), the National Cyber Security Centre (“NCSC”) has published its 2025 National Cyber Risk Assessment (the “2025 NCRA”). In addition, Munster Technological University has published a report on the Cyber Resilience of Small and Medium Enterprises (“SMEs”), in conjunction with the NCSC (the “Report”).
In this article, we examine the key highlights of the 2025 NCRA and the Report, as well as their implications for Irish businesses.
The 2025 National Cyber Risk Assessment
On 2 December 2025, the NCSC published the 2025 NCRA, which provides a strategic overview of the systemic cyber risks facing Ireland’s critical national infrastructure (“CNI”) and the broader ecosystem of supply chains which underpin same. The recommendations set out in the 2025 NCRA build on the first National Cyber Risk Assessment published in 2022, align with the evolving obligations under the NIS 2 Directive and will inform the NCSC’s next National Cyber Security Strategy.
Systemic cyber risks
A “systemic cyber risk” is defined in the 2025 NCRA as the risk that a cyber event (attack or other adverse event) at an individual component of a critical infrastructure ecosystem will cause significant delay, denial, breakdown, disruption or loss beyond the original component and into the related ecosystem components, resulting in significant adverse effects to public health or safety, economic security or national security.
The 2025 NCRA considers systemic cyber risks to Ireland under three thematic areas:
1. Dynamic geopolitical environment
Increased geopolitical tensions at a global level have resulted in new and emerging risks to Ireland’s CNI. State-aligned threat actors (most notably Russia and China) are carrying out a broader range of cyber activities which threaten the digital ecosystem. The 2025 NCRA views these cyber activities from three distinct perspectives: (i) the direct targeting of Irish infrastructure; (ii) the targeting of shared critical infrastructure, such as subsea cables and gas interconnectors; and (iii) the location-agnostic targeting of technology which could lead to Ireland being impacted as a “second-order consequence” of an attack on key technology used in the global digital supply chain.
2. Evolving technology and its implications on security
(i) Artificial Intelligence:
The 2025 NCRA notes that the rapid development of AI is amplifying existing cyber threats, and points to the susceptibility of large language models to data attacks.
The 2025 NCRA explains that a digital divide is being created between organisations who can keep up with AI developments and those who cannot. It is purported that this divide will have a significant impact on the vulnerability of critical systems by 2027, potentially impacting sectors such as traffic and transport, key utilities, and public administration.
(ii) Quantum Computing:
The 2025 NCRA cautions that quantum computers may be capable of breaking existing cryptography standards within the next 10 years. This is considered “a disruptive advancement” which requires a new approach to securing information and communications.
Key data with a lifespan exceeding ten years is said to be an attractive target to state-aligned threat actors, who can harvest data now, and decrypt later using quantum computing, presenting a significant risk to national security, international reputation and trust in public and private institutions.
3. Supply chain security
The 2025 NCRA provides that Ireland’s supply chain is also at risk. It explains how threat actors target critical entities by focusing on vulnerable points along the supply chain. CNI providers are reported to be at risk of significant disruption where any of their suppliers or partners become compromised. The importance of mitigating this risk is recognised at EU level, with the NIS 2 Directive providing for coordinated security risk assessments of critical ICT supply chains. The 2025 NCRA highlights how over-reliance on a single supplier, system or process can create a single point of failure and inhibit the organisation’s ability to withstand a disruptive cyber event.
Recommended systemic cyber risk responses
In response to the risks outlined above, the 2025 NCRA brought forward the following recommendations to strengthen national cybersecurity and resilience:
Strengthen visibility and detection
In order to mitigate systemic risks, it is reported that Ireland must expand its ability to monitor, detect and understand cyber and hybrid threats. This would include the expansion of state monitoring and detection capabilities to ensure adequate reporting and to support information exchanges; the expansion of the scope and scale of the NCSC Sensor Programme; investment in and implementation of nationwide cyber defence solutions; the anchoring of Ireland’s visibility within European frameworks; and the implementation of a national counter disinformation strategy.
Implement proactive cyber defence capabilities
The 2025 NCRA outlines how difficult it can be to contain damage once threat actors have established a foothold in critical systems. It notes that Ireland should become more proactive as a result, including through the deployment of scanning services; improved use of automation and intelligence-driven tools; collaboration with private sector providers; the provision of proactive threat assessment services; the continuation of large scale cyber exercises; and the maintenance of a continuous “cyber pulse check” to gather and analyse key cyber security metrics.
Enhance national resilience
The risks outlined in the 2025 NCRA showcase threat actors’ efforts to destabilise populations and weaken democratic systems. The 2025 NCRA recommends the following measures to enhance national resilience in this respect:
(i) The full implementation of the EU cybersecurity regulation package;
(ii) The adequate resourcing of competent authorities;
(iii) The embedding of the Cyber Fundamentals Framework (“CyFun Framework”) as the national cyber security certification scheme;
(iv) The leveraging of EU solidarity measures such as cyber hubs and cable hubs;
(v) The reinforcement of crisis preparedness and public communication mechanisms; and
(vi) The countering of disinformation to protect democracy and ensure public confidence.
Secure critical supply chains
To address the risks to critical supply chains identified above, the 2025 NCRA recommends strengthening procurement rules in government; using the CyFun Framework to embed security-by-design and risk management practices across suppliers; increasing visibility in relation to the ownership, control and security practices of vendors; ensuring the State has the appropriate legal powers to intervene where necessary; and promoting vendor diversification.
Invest in national cyber capacity
The 2025 NCRA reports that a lack of cyber capacity, i.e. shortages of skills and gaps in research capacity, increases risk exposure. It recommends that Ireland expand cyber education and training pathways, build cyber capacity across industries, establish a national cyber security research centre of excellence, provide targeted support for cyber security providers, align skills and research investment with Ireland’s broader economic and digital policies, and ensure Ireland’s vetting and clearance system is well resourced and functioning.
In addition to the above, Minister Jim O’Callaghan has indicated that he will bring forward the National Cyber Security Bill (Ireland’s proposed legislation implementing the NIS 2 Directive) to put in place a strong and effective statutory NCSC with updated mechanisms for the supervision and enforcement of network and information security.
The report on SME cyber resilience: state of the sector 2025
On 1 December 2025, Munster Technological University, in collaboration with the NCSC, published a Report on the cyber resilience of SMEs, which showcases how underprepared many SMEs are for modern cyber threats.
Cybersecurity levels, which are used to assess how effectively enterprises can withstand, respond to and recover from cyber-attacks and digital disruptions, are reported to be critically low amongst SMEs. The Report found a significant disparity in cyber resilience across different industry sectors. Notably, healthcare scored the lowest, despite having sustained the most expensive data breaches globally of any sector over the past 13 years, while ICT scored the highest with an average score of 5.7 out of 10.
The following 10 key areas are considered in the Report to require significant improvement amongst SMEs: (i) data backups; (ii) multi-factor authentication; (iii) cyber incident response plans; (iv) cybersecurity planning; (v) continuity planning; (vi) password policies; (vii) cybersecurity policies; (viii) network security; (ix) software updates; and (x) secure communications.
The assessment used the CyFun Framework, a voluntary tool to assist entities with meeting NIS 2 obligations, to assess cyber resilience, and the following findings were made across six essential functions of the framework:
- Govern: This function looks at how risk management strategy, risk appetite and policy are established, communicated and monitored. The report notes that 63% of SMEs rely solely on their owner for cyber security responsibilities, while 11% of SMEs lack clarity on who holds such responsibility. Alarmingly, 67% of SMEs never engage in training or participate only on an ad hoc basis, while 87% operate without a tested business continuity plan.
- Identify: Here, the assessment considers organisational risks, assets and vulnerabilities. In this respect the Report found a widespread absence of comprehensive asset identification levels, noting that this leaves many SMEs unable to effectively monitor, manage, or secure their digital landscape.
- Protect: This function involves the implementation of controls to prevent cybersecurity incidents. The Report found that 74% of SMEs have not implemented multifactor authentication, and 69% operate without automated backup solutions. Further, only 24% of remote workers were reported to use VPN when accessing business apps.
- Detect: This function consists of the development of capabilities to recognise and respond to threats. The assessment found that, while 77% of businesses have antivirus software, only 51% ensure the software is fully enabled across all workplace devices. The Report further highlights that 27% of SMEs don’t have any antivirus software deployed at all.
- Respond: This function involves the establishment of incident response and mitigation procedures. The Report found a widespread absence of planning in this regard, noting that employees and employers are often underprepared, which leads to confused or delayed responses to cyber incidents.
- Recover: This final critical function ensures business continuity and resilience following incidents. The Report highlights deficiencies in data backups and critical oversight, which point to a widespread absence of recovery strategies, thereby prolonging potential downtime after a cyber incident as well as financial loss following the event.
Despite the outlined gaps and deficiencies in the cyber security systems of SMEs, each organisation involved in the above assessment received tailored support through a customized action plan. A full version of the cyber resilience assessment and tailored recommendation is set to be available on the NCSC website in early 2026.
The Report highlights several opportunities to strengthen support for SMEs, including the provision of cybersecurity training by industry bodies, the embedding of cybersecurity requirements across all digital funding streams, clarifying supply chain expectations and supporting SMEs with this, promoting cybersecurity as a business risk, and advancing research into cybersecurity and business implications.
While the above cybersecurity deficiencies within SMEs risk disruption to entire supply chains and sectors, the Report highlights how meaningful action at organisational, industry and national levels can go a long way. By building on the insights and confronting the challenges reported throughout, the Report states that Ireland’s SMEs are well positioned to enhance their cyber resilience in the future.