NIS2 in Ireland has moved from a distant EU directive to a near-term obligation. The directive should have been in national law by October 2024. Ireland missed that deadline and is now transposing it through the National Cyber Security Bill 2024, with the National Cyber Security Centre named as both competent authority and CSIRT. The Bill is a government priority and is expected to progress through 2026.
When it lands, the pool of in-scope organisations widens sharply, from a few hundred under the old NIS rules to several thousand. Senior management carry personal accountability for compliance failures. This is no longer only an enterprise concern.
You can be in scope without being a target
The part that catches smaller businesses out is the supply chain.
NIS2 supplier requirements mean essential and important entities must manage the security of their suppliers. So even if your own headcount and turnover keep you below the direct thresholds, your larger customers now have to assess you. That assessment arrives as a security questionnaire, a contract clause or an audit. "We don't really control what connects to our network" is no longer an answer that keeps the contract.
The same pressure is already arriving from cyber insurers at renewal. NIS2 simply makes it law for a much wider set of companies.
Where Arbiter actually helps
Arbiter is not a NIS2 compliance product. NIS2 is a programme: governance, risk management, incident reporting, training, the lot. No single tool delivers it.
What Arbiter can carry is a specific and load-bearing slice of the technical outcomes NIS2 expects organisations to achieve. On access control, asset visibility and network security in particular, the overlap with the measures highlighted by the NCSC is direct:
- Access control. Arbiter can enforce a default-deny approach, where unknown devices remain off the network unless explicitly permitted.
- Asset management. You cannot secure what you cannot see. Every authenticated device is classified by vendor and type, so the inventory builds itself.
- Basic cyber hygiene. Segmented guest and IoT access, quarantine for devices that fail policy, no flat network where one compromised laptop reaches everything.
- Cryptography. Authentication traffic is encrypted in transit, rather than being sent across the internet in clear text. Managed devices use certificate-based 802.1X.
- Incident handling. A clean, per-decision audit trail of who connected, when, from where and what verdict they got. That is the raw material for the 24-hour and 72-hour reporting NIS2 expects.
- Continuity. Authentication continues locally during a cloud or WAN outage, so staff can still connect even when the internet link is unavailable.
A supplier audit may ask whether unmanaged devices can connect to your corporate network. With Arbiter, every connection attempt is authenticated, logged and tied to a policy decision, providing evidence rather than assumptions.
What Arbiter brings to that
Arbiter is a cloud-hosted RADIUS and 802.1X platform, built and run in Ireland with data resident in the EU. For a regime written in Brussels and enforced in Dublin, where your authentication data sits is not a footnote. It is one less cross-border transfer to assess. It also makes the supplier questionnaire materially shorter to answer.
A few things matter specifically for the buyer working through NIS2:
- EU residency by design. Authentication and audit data remain within the EU, helping reduce cross-border data transfer considerations. Designed with NIS2 and DORA security control objectives in mind.
- Encrypted authentication. Credentials and MAC addresses tunnel to the cloud over RadSec rather than crossing the public internet in the clear.
- An audit trail you can hand over. Every authentication is logged with the policy that matched and is queryable when an auditor, insurer or customer asks for evidence.
- Every feature on every tier. Segmentation, device profiling, certificate-based auth, guest isolation and SIEM forwarding are not behind an advanced licence. The control you need for NIS2 is not the expensive tier.
- Monitor mode first. Roll it out and watch what your policies would do before you enforce anything. You move from hoping it works to having evidence it works, without denying a single device on day one.
What it does not do, plainly
Arbiter will not write your risk management policy, train your board, run your incident reporting process or make you compliant on its own. Anyone selling you a single product as "NIS2 compliance in a box" is overselling.
What it does is close one of the gaps that supplier audits and insurer questionnaires probe hardest, the one most SMEs cannot currently answer: can you control and evidence what connects to your network. Get that part right and a large, awkward section of the assessment becomes straightforward.
NIS2 compliance is ultimately about risk management and evidence. Network access control is one of the most effective ways to demonstrate both.
The question is no longer whether someone will ask for evidence of your access controls. The question is whether you will have that evidence ready when they do.
Get ahead of it
The Bill is coming, the supply-chain pressure is already here and the evidence either exists or it does not on the day someone asks.
If network access is the gap, it is a solvable one, and not on enterprise timelines. You can stand up device discovery and a working policy set in hours, in monitor mode, with no payment and no sales call.