Dev Blog
NIS2 · Asset management · Network access control · PKI · SME · Cyber security · Ireland · Cloud NAC · EAP-TLS

NIS2 in Ireland: From Compliance Burden to Cyber Resilience with Arbiter

24 June 2026 7 min read

For many organisations, NIS2 has been talked about for so long that it's easy to assume it's still some distant future requirement.

It isn't.

Although Ireland has yet to fully transpose the Directive into national legislation, the direction of travel is crystal clear. The National Cyber Security Centre (NCSC) continues to publish guidance, FAQs and implementation frameworks, including the recently announced Risk Management Measures (RMM) and Cyber Fundamentals (CyFun) framework.

Whether you're a medium-sized business that expects to fall within scope, or simply want to improve your security posture, now is the time to build the foundations.

The good news?

Many of the technical controls organisations need aren't actually complicated: they've just traditionally required enterprise-grade products with enterprise-grade price tags.

That's exactly the problem Arbiter was built to solve.

Where NIS2 stands today

As of 24 June 2025, Ireland continues work on transposing the NIS2 Directive into national legislation.

Recent developments include:

  • Publication of the draft Risk Management Measures (RMM)
  • Announcement of the new Cyber Fundamentals (CyFun) framework
  • Expanded NIS2 FAQs from the NCSC
  • Continued development of national incident reporting and registration portals

Although legislation is still progressing, organisations shouldn't mistake this for extra time to delay preparation.

NIS2 isn't introducing entirely new security concepts: it's formalising good cyber security governance and making boards accountable for implementing it.

What does NIS2 actually expect?

The Directive focuses on improving organisational resilience through practical security measures such as:

  • Understanding what assets exist
  • Controlling who and what connects to networks
  • Strong authentication
  • Risk management
  • Incident detection and reporting
  • Governance and accountability
  • Supply chain security
  • Business continuity

One theme appears repeatedly throughout the guidance:

You can't protect what you don't know exists.

The challenge for SMEs

Traditional Network Access Control (NAC) platforms were designed for large enterprises.

They typically involve:

  • Six-figure licensing
  • Complex certificate infrastructure
  • Dedicated security teams
  • Lengthy deployment projects

For many SMEs this simply isn't realistic.

Yet they still need to demonstrate that they:

  • Know every connected device
  • Can control network access
  • Maintain an accurate asset register
  • Use secure authentication
  • Reduce cyber risk

That's the gap Arbiter was designed to fill.

How Arbiter helps organisations prepare for NIS2

Rather than being a collection of disconnected tools, Arbiter combines several important security capabilities into a single cloud platform.

1. Complete wired and wireless network access control

Every device connecting to your network is authenticated before access is granted.

Whether users connect through:

  • Wired Ethernet
  • Enterprise Wi-Fi
  • Corporate laptops
  • Printers
  • Phones
  • IoT devices

Arbiter provides a central policy engine using industry-standard 802.1X and RADIUS authentication.

Instead of trusting everything already inside the network, organisations gain visibility and control over every authenticated endpoint.

2. Automatic asset discovery and live asset register

Profiling isn't a side effect of network access control: it happens before any access decision is made. Arbiter was built to profile devices well in the first place, so that access policies can match on what a device actually is, not just the port it connected through.

Arbiter automatically builds a live asset register showing information such as:

  • Device manufacturer
  • Operating system
  • Device type
  • Vendor
  • MAC address
  • First seen
  • Last seen
  • Network location
  • Authentication method
  • Switch or wireless controller
  • Certificate information
  • DHCP fingerprints
  • Device profiling confidence

Unlike spreadsheets that become outdated within weeks, this inventory updates continuously as Arbiter observes devices through authentication, DHCP, network scanning and switch polling.

Because that profiling runs independently of enforcement, Arbiter offers it as a standalone, visibility-only tier. You get the complete asset register, and the confidence of knowing exactly what is on your network, without first taking on the part most organisations find daunting: switching on enforcement. That can follow later, once the visibility is already delivering value.

Executive dashboard

The dashboard provides an immediate overview of the organisation's estate. It includes total endpoints, device categories, operating systems, top vendors, new and departing devices, criticality ratings, site distribution, identification rates and compliance summaries. The result is a living asset inventory rather than a point-in-time audit.

3. Asset registers that satisfy governance: not just IT

NIS2 isn't simply asking organisations to count devices. It expects organisations to understand their importance to the business.

Arbiter allows every discovered asset to be enriched with governance information including asset owner, business function, site or location, criticality, data classification, notes and review status. For example:

This transforms technical discovery into a genuine governance asset register suitable for security teams, auditors and management.

4. Built-in PKI without the operational headache

Certificates are often one of the biggest barriers to deploying secure authentication. Running your own PKI involves certificate authorities, certificate templates, revocation, renewal and lifecycle management. For many SMEs it's simply unnecessary complexity.

Arbiter includes a managed tenant PKI designed specifically for secure network authentication.

Every tenant receives their own certificate authority, enabling secure EAP-TLS authentication without needing to build and maintain Microsoft Certificate Services or another enterprise PKI. That means secure certificate-based authentication, simpler deployment, reduced operational burden and stronger identity assurance.

5. Visibility into every authentication

Each authenticated endpoint generates detailed identity information, including authentication type, network device, authentication history, DHCP fingerprint, device profile, RADIUS attributes, certificate metadata, network location and operating system detection. This information becomes invaluable during investigations, audits and incident response.

Instead of asking "Has this device ever connected?" you already know when it first appeared, where it connected, how it authenticated, which certificate it used, who owns it and whether it is still active.

NIS2 isn't just about compliance

One mistake organisations make is viewing NIS2 as another regulatory checkbox. In reality, most of the measures improve day-to-day cyber security regardless of regulation.

Knowing exactly what devices exist, where they are, who owns them, whether they're still active and how they authenticate makes every security decision easier. Incident response becomes faster. Shadow IT becomes visible. Unknown devices become the exception rather than the norm.

Built for organisations without enterprise budgets

Arbiter wasn't designed to compete by adding more complexity. It was designed by someone who has spent years deploying enterprise NAC solutions and has repeatedly seen the same problem: smaller organisations need the security benefits but cannot justify the cost, complexity or deployment effort.

By combining wired NAC, wireless NAC, managed PKI, continuous asset discovery, live asset registers, certificate-based authentication, multi-site support and cloud management, Arbiter delivers capabilities traditionally reserved for large enterprises.

It is a platform that SMEs and managed service providers can realistically deploy and operate.

Preparing today reduces pressure tomorrow

Whether your organisation ultimately falls within the scope of NIS2 or not, the direction of cyber security regulation is clear: organisations are expected to understand their digital estate, manage cyber risk and demonstrate appropriate controls.

Building a live asset inventory, implementing strong authentication and controlling who and what connects to your network are practical steps that improve security today while also helping prepare for future compliance requirements.

Arbiter makes those capabilities accessible without the cost and complexity traditionally associated with enterprise Network Access Control, giving organisations a straightforward path towards stronger cyber resilience.

Frequently asked questions

Does Arbiter make my organisation NIS2 compliant?

No. Arbiter is not a compliance product. It supports the technical controls NIS2 expects (asset inventory, network access control, strong authentication and audit logging) but does not deliver compliance on its own.

Is NIS2 in force in Ireland yet?

Ireland is still transposing the NIS2 Directive into national law. Even before it fully applies, the controls it expects are practical steps that improve security today, so there is no benefit in waiting.

Do I need on-premises servers or a certificate authority to run Arbiter?

No. Arbiter is cloud-hosted with a lightweight on-site Edge appliance and a managed per-tenant PKI, so there are no NAC servers or Microsoft Certificate Services to build and maintain.

What is an asset register and why does NIS2 care about it?

An asset register is a live inventory of every device on your network with its owner, criticality and data classification. NIS2 expects organisations to know what they have before they can protect it, and Arbiter builds this automatically from network activity.