In December 2025, the National Cyber Security Centre (NCSC) published its second National Cyber Risk Assessment (NCRA).
The NCRA is not legally binding, yet it provides important context about the cyber threats facing Ireland, its critical national infrastructure (CNI) and the interconnected supply chains that anchor its critical systems and services. In this sense, it is a helpful tool for businesses (particularly those in critical sectors) to inform and benchmark the assessment of cybersecurity risk management measures (RMMs) implemented for NIS2 compliance (to read more about NIS2 RMMs, see here).
The NCRA outlines "observed trends", "threats" and "risks" facing Ireland's digital and operational resilience based on recent global cyber incident activity. These risks are: (1) the dynamic geopolitical environment; (2) evolving technology and its implications on security; and (3) supply chain security. These risks have potentially wide-ranging adverse impacts, which, if realised, could undermine the delivery of essential services / systems and disrupt Ireland's critical sectors (e.g., key utility providers, hospitals, public administration, traffic and transport systems, etc.), as well as erode trust in government, institutions and organisations.
To address these risks, the NCRA makes several recommendations, each of which will shape the NCSC's forthcoming National Cyber Security Strategy, including regulatory supervision as the lead competent authority under NIS/NIS2.
The three systemic cyber risks facing Ireland
The NCRA identifies the following three systemic cyber risks facing Ireland:
(1) Dynamic geopolitical environment
The NCRA outlines that the continued increase in global tensions and rivalries has created new cyber risks for Ireland. Given that Ireland is a hub for key multinational technology providers and research initiatives in global supply chains, the NCRA identifies Ireland as being susceptible to cyberattacks as a "second-order consequence", meaning it is vulnerable to the downstream impacts of such attacks when global players in the technology and critical infrastructure sectors are successfully targeted by threat actors.
In this regard, the risks created by geopolitical tensions and rivalries include:
- Direct targeting of Irish infrastructure: As both public and private CNI entities increasingly use automation, IoT/OT integration and cloud services, systems are becoming increasingly complex, creating more opportunities for sophisticated threat actors to exploit in the current landscape.
- Targeting of shared infrastructure: Ireland depends not only on CNI but also on shared critical infrastructure worldwide (e.g., subsea cables and gas interconnectors). These systems are considered key targets, especially as geopolitical tensions rise.
- Location-agnostic targeting of technology: Due to the nature of virtualised infrastructure, the geographic location of cyberattacks is immaterial for threat actors. Since Ireland plays a key role in the global digital supply chain, there is a risk that systems and services can be disrupted as an indirect result of cyberattacks on systems in other locations (i.e. a "second-order consequence").
To give further context to these risks, the NCRA provides insights into recent global cyberattacks, including cyber-espionage, sabotage and disinformation campaigns.
(2) Evolving technology and its implications on security – AI and quantum computing
According to the NCRA, the growing use of AI has implications for cybersecurity, as integrating large language models into CNI adds complexity to the cyber threat landscape, making these models vulnerable to data-driven attacks. For example, prompt injection and data poisoning attacks target the integrity of models and their underlying datasets.
Furthermore, the NCRA highlights that the rapid growth of AI is creating a gap between organisations that can keep pace with the deployment of AI and those that cannot. By 2027, the NCRA anticipates that this divide could significantly increase the vulnerability of critical systems, providing malicious actors with more opportunities to launch large-scale, disruptive cyberattacks, particularly in certain critical sectors (e.g., key utilities, traffic and transport and public administration).
The NCRA also points out that by 2035, quantum computing will likely be sufficiently powerful to break current public key encryption standards. It will also take at least ten years to fully transition to quantum-resistant algorithms. The NCRA highlights the prevalence of "harvest now, decrypt later" (or HNDL) attacks, in which threat actors exfiltrate strategically important data with a lifespan of 10+ years now, in the expectation that, as quantum computing capabilities improve, it will become possible to decrypt the stolen data before it loses its value. The NCRA concludes that this presents significant risks to Ireland's national security and international reputation, and potentially a broader loss of trust in public and private institutions.
Overall, these risks will require entirely new methods to secure data and communications going forward.
(3) Supply chain security
The NCRA identifies the issue of supply chain security as a (continued) risk. This is due to cybercriminals increasingly exploiting supply chain weaknesses to attack critical sector organisations. Once access has been gained, this can result in direct attacks against an organisation or spread to multiple organisations through shared suppliers. For this reason, the NCRA points out that relying too heavily on a single supplier, system or process weakens an organisation's ability to handle disruptions and increases the risk of widespread operational, financial and reputational damage. This is particularly the case for CNI providers who are considered at risk of significant disruption where any of their suppliers or partners become compromised.
Recommendations
Due to the identified systemic cyber risks, the NCSC makes five targeted recommendations (which are policy directions) to enhance Ireland's national cybersecurity and operational resilience:
- Strengthen visibility and detection
Ireland needs to improve its ability to understand cyber and hybrid threats. To do so, it requires expanding State monitoring and detection tools, growing the NCSC Sensor Programme, implementing a national counter-disinformation strategy and using insights from NIS2 incident reporting (once it goes live). Investments in nationwide defence solutions and closer integration with EU cyber hubs will also help protect Ireland's critical infrastructure.
- Build proactive cyber defence
The NCRA emphasises the challenges of limiting damage once threat actors gain access to critical systems. For this reason, Ireland must adopt a proactive approach which would include, for example, vulnerability scanning across critical sector entities and using automation and intelligence-driven tools to block malicious activity.
- Enhance national resilience
To withstand systemic cyber risks and enhance Ireland's national (operational) resilience, the NCRA recommends the adoption of the following measures: (i) fully implementing EU cyber regulations (such as NIS2); (ii) ensuring competent authorities are properly resourced; (iii) embedding the CyFun certification scheme to guide organisations in building resilience; (iv) reinforcing crisis preparedness and public communications mechanisms; (v) leveraging EU solidarity measures such as cyber hubs and cable hubs; and (vi) countering disinformation to protect democracy and ensure public confidence.
Read more about CyFun here.
- Secure critical supply chains
To mitigate the risks identified in complex ICT supply chains, the NCRA recommends that government procurement rules be strengthened to ensure baseline security standards. Additionally, CyFun should be used to embed security-by-design across suppliers, and greater transparency on vendor ownership and security practices is essential.
- Invest in national cyber capacity
The NCRA identifies a lack of cyber skills and gaps in research capacity. To address these issues, it recommends that Ireland expands cyber education and training, builds capacity (e.g., skills) across the public and private sectors, and creates a national centre of excellence.
Business impacts & NIS2 readiness
As the NCSC is the lead competent authority under NIS2, the NCRA is an important readiness document for businesses to revisit and (re-)assess the RMMs implemented (or yet to be implemented) to ensure that they are prepared for such risks and benchmark baseline standards of cybersecurity governance.
The 2025 NCRA not only highlights the importance of Ireland transposing NIS2 into Irish law but also the business imperative for organisations (particularly those in critical and digital infrastructure sectors) to maintain and implement robust cybersecurity standards, policies and procedures. For example: ensuring vendor security diligence and contractual protections with critical suppliers, conducting regular security risk assessments, incident reporting (for NIS/NIS2 in-scope entities) and cybersecurity training & awareness for staff and boards.
For more information about NIS2, see here.
Status of NIS2 transposing legislation in Ireland
At the time of this publication, NIS2 is legally binding in the European Union (since 17 October 2024). However, NIS2 has yet to be transposed into Irish law, and Ireland is subject to infringement proceedings brought by the European Commission due to late transposition. The General Scheme for the National Cybersecurity Bill is the proposed draft legislation to transpose NIS2 into Irish law, and an update on the Bill is expected in H1 2026. Please visit our website for updates on the transposition of NIS2.