NIS2: New cybersecurity obligations for larger pharmacies
Coming into effect this month, the NIS2 Directive introduces expanded cybersecurity obligations across the EU, targeting a wider range of industries, including community pharmacies. For Irish pharmacies that meet specific criteria — more than 50 employees or annual revenue exceeding €10 million — understanding and complying with NIS2 is essential. Alan Reilly, Head of Information and Digital Strategy at the IPU, explains the directive and supports available from the IPU.
To help pharmacies navigate these new regulations, we have developed the NIS2 Handbook for Community Pharmacies, which builds upon the foundation set by the IPU Cyber Essentials Guide. Below is an overview of NIS2, what it requires, and how pharmacies can ensure compliance using the detailed steps and examples provided in the handbook.
Healthcare providers classified as “essential” or “important” under the NIS2 Directive are those with more than 50 employees or annual revenue exceeding €10 million. If your business falls into this category, NIS2 brings additional requirements that go beyond basic cybersecurity best practices.
While the IPU Cyber Essentials Guide provides guidance on essential security practices like firewalls, secure configuration, and malware protection, NIS2 introduces further obligations in several key areas. The NIS2 Handbook for Community Pharmacies provides a practical roadmap to meet these requirements, including:
One of the key aspects of NIS2 compliance is the ability to provide evidence of your cybersecurity measures. The NIS2 Handbook explains what this looks like in a community pharmacy setting, including:
Regulatory bodies such as the PSI will likely oversee NIS2 compliance for pharmacies. Pharmacies should be prepared for audits, inspections, and ad hoc reviews to ensure they are meeting these obligations. The handbook provides step-by-step advice on how to document compliance effectively, from maintaining audit records to preparing for inspections.
It is expected that the PSI will serve as the regulatory authority for community pharmacies subject to NIS2. The PSI will have the power to enforce compliance, which could include audits, issuing warnings, and imposing penalties for non-compliance.
The NIS2 Handbook for Community Pharmacies offers detailed guidance on how to engage with the PSI in this regulatory role, including what documentation should be provided during an inspection and how to respond to requests for additional information.
For pharmacies subject to NIS2, preparing for compliance starts now. The NIS2 Handbook for Community Pharmacies provides the tools and examples necessary to meet these new requirements and build on the best practices outlined in the IPU Cyber Essentials Guide.
For full background on the national steps and resources available to pharmacies, visit the National Cyber Security Centre’s dedicated NIS2 page at ncsc.gov.ie/nis2. This page offers further guidance on regulatory requirements and additional resources to help you ensure compliance.
By following the guidance in the handbook, pharmacies can ensure that they not only comply with NIS2 but also strengthen their overall cybersecurity posture, protecting patient data and maintaining the continuity of their services.
For more information and to access the full handbook, visit ipu.ie/cybersecruity.