Is Your Organisation In Scope for NIS2?

If your organisation provides healthcare services, manages patient data systems, or operates clinical IT infrastructure funded or contracted by the HSE, you are very likely in scope as an essential entity. This includes hospitals, primary care centres, and diagnostic services.

Organisations providing residential or day services under HSE Section 38 or 39 arrangements manage sensitive health data and critical care systems. Where these organisations meet medium-enterprise thresholds (50+ employees or €10M+ turnover), they will likely fall within NIS2 scope.

Organisations like Acquired Brain Injury Ireland and similar providers operate clinical IT systems, manage patient records, and coordinate care pathways. These functions place them firmly within the healthcare sector definition under NIS2.

Hospice and palliative care providers operate medication management systems, electronic patient records, and connected medical devices. A breach could directly affect continuity of care for vulnerable patients, making these organisations essential under NIS2.

Nursing homes managing electronic care records, connected medication dispensing, or HSE-contracted services may be in scope. Smaller private nursing homes below the medium-enterprise threshold may be excluded, but those in HSE-funded groups or using connected health platforms should assess carefully.

Large home care providers managing digital rostering, electronic care plans, and mobile health applications may meet NIS2 thresholds. If you hold HSE home care contracts and operate digital care management platforms, you should assess your scope status.

Organisations providing intellectual disability services often manage medication systems, incident reporting platforms, and personal data for vulnerable individuals. Those meeting size thresholds and operating digital health infrastructure will be classified under NIS2.

Charities are not automatically excluded from NIS2. If a charity operates in healthcare, social care, education, or digital infrastructure and meets medium-enterprise thresholds, it falls within scope. Many large Irish charities providing HSE-funded services will need to assess their position.

Individual schools are typically too small to meet NIS2 thresholds. However, university groups, institutes of technology, and large education bodies managing research data or critical digital infrastructure may fall within scope, particularly under the research sector classification.

NIS2 covers public administration entities, but Member States can exclude local government bodies. Ireland’s transposition will determine whether county councils, city councils, and municipal bodies are explicitly included. Those managing critical water, waste, or digital services should prepare regardless.

Electricity generators, gas distributors, district heating operators, and fuel suppliers meeting size thresholds are essential entities. This includes ESB subsidiaries, Bord Gáis, wind farm operators, and energy trading platforms operating in Ireland.

Air, rail, water, and road transport operators meeting size thresholds are in scope. This includes airport operators, port authorities, public transport bodies, and logistics companies managing critical supply chains.

NIS2 covers manufacturers of medical devices, in-vitro diagnostics, chemicals, food products, and other critical goods. Irish pharmaceutical and medtech manufacturers should assess their NIS2 obligations carefully.

Managed service providers, managed security service providers, cloud service providers, and data centre operators are important entities under NIS2. If your clients are in scope, your obligations extend to securing the services you provide to them.