TrustYourWebsite

Security

SSL certificates, vulnerable libraries, security headers, and protecting your visitors.

Website security is both a technical necessity and a legal obligation. Under GDPR Article 32, businesses must implement 'appropriate technical measures' to protect personal data. An expired SSL certificate, outdated WordPress plugins or missing security headers can expose your visitors' data, and expose your business to fines. Data breaches must be reported to your data protection authority (DPA) within 72 hours, and affected individuals must be notified if there is a serious threat to their rights.

Key facts

  • The Dutch AP fined a company €400,000 for inadequate security measures after a data breach
  • 46% of all websites have at least one high-severity vulnerability (Acunetix 2024)
  • WordPress plugins account for 97% of WordPress security vulnerabilities
  • Missing security headers like Content-Security-Policy leave sites vulnerable to XSS attacks
  • GDPR Article 32 requires encryption of personal data in transit, meaning SSL/TLS is not optional

What we check

  • SSL/TLS certificate validity and configuration
  • Security headers (CSP, HSTS, X-Frame-Options, etc.)
  • Known vulnerable JavaScript libraries
  • Mixed content (HTTP resources on HTTPS pages)
  • SPF, DKIM, and DMARC email authentication records

Website security: good vs. bad examples

Needs fixing

Expired or missing SSL certificate

Visitors see a "Not Secure" warning in their browser because the SSL certificate has expired or was never installed. GDPR Article 32 requires encryption of personal data in transit. Without SSL/TLS, form submissions and login credentials are sent in plain text.

Outdated WordPress with known vulnerabilities

Running WordPress 5.x, or plugins with known security flaws that have published CVE entries. Attackers scan for these automatically. An exploited vulnerability that leaks customer data triggers a mandatory breach notification within 72 hours.

No security headers configured

Missing Content-Security-Policy, X-Frame-Options and HSTS headers. Without these, your site is vulnerable to cross-site scripting (XSS), clickjacking and protocol downgrade attacks. Most hosting providers do not set these by default.

Mixed content on HTTPS pages

An HTTPS website that loads images, scripts or stylesheets over HTTP. Browsers flag this as insecure and may block the resources entirely. It also breaks the encryption chain for any data transmitted on the page.

Compliant

Valid SSL with automatic renewal

A valid SSL/TLS certificate (e.g. Let's Encrypt) with automatic renewal configured. The browser shows a padlock icon. An HSTS header ensures browsers always connect via HTTPS, even if someone types http://.

Regular updates and patch management

WordPress core, themes and plugins updated within 48 hours of security releases. Automatic updates enabled for minor versions. Unused plugins removed entirely rather than just deactivated.

Security headers properly configured

Content-Security-Policy blocks inline scripts and restricts resource origins. X-Frame-Options prevents clickjacking. HSTS is set with a long max-age and includeSubDomains. Referrer-Policy is set to strict-origin-when-cross-origin.

All resources loaded over HTTPS

Every image, script, stylesheet and font is loaded via HTTPS. No mixed content warnings. External resources are verified for HTTPS support before embedding. A Content-Security-Policy upgrade-insecure-requests directive serves as a fallback.
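A small mixed-content finder illustrates what the "needs fixing" and "compliant" cases above look like in the page source. This is an added example, not code from the TrustYourWebsite page or its scanner; the page URL, host names and HTML below are constructed for the example. It walks the subresource attributes browsers actually fetch (script, stylesheet, image, frame and media URLs, but not ordinary links), resolves relative and protocol-relative URLs against the page, and separates active content that browsers block outright from passive content they may still display with a warning.

```python
"""Find mixed content in the HTML of a page served over HTTPS.

Added example; not code from the TrustYourWebsite page or its scanner.
The sample page, host names and page URL are constructed for the example.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource (navigation links excluded).
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "audio": ("src",), "video": ("src",),
    "source": ("src", "srcset"), "object": ("data",), "embed": ("src",),
}
# Active (blockable) mixed content: browsers refuse to load these at all.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentFinder(HTMLParser):
    """Collect (severity, tag, absolute_url) for every http: subresource."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds "url descriptor, url descriptor"; the other attributes hold one URL
            if name == "srcset":
                raw_urls = [c.split()[0] for c in value.split(",") if c.split()]
            else:
                raw_urls = [value]
            for raw in raw_urls:
                # urljoin resolves relative paths and protocol-relative "//host/x"
                # to the page's own scheme, so only explicit http: URLs remain http
                url = urljoin(self.page_url, raw.strip())
                if urlsplit(url).scheme == "http":
                    severity = "blocked" if tag in ACTIVE_TAGS else "optionally-blockable"
                    self.findings.append((severity, tag, url))


def find_mixed_content(page_url: str, html: str) -> list[tuple[str, str, str]]:
    """Mixed content only exists on HTTPS pages; refuse to judge an HTTP page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page must be served over https")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: two blocked resources, two passive ones, and a
# plain hyperlink that is not mixed content.
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="http://cdn.example/site.css">
  <link rel="stylesheet" href="//cdn.example/theme.css">
  <script src="/js/app.js"></script>
  <script src="http://analytics.example/track.js"></script>
</head><body>
  <img src="https://static.example/hero.jpg" srcset="http://static.example/hero-2x.jpg 2x">
  <img src="http://static.example/logo.png" alt="logo">
  <a href="http://partner.example/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://shop.example/", SAMPLE_HTML):
        print(f"{severity:<20} <{tag}> {url}")
```

Run against the sample page it reports the stylesheet and the tracking script as blocked and the two images as optionally blockable; the protocol-relative stylesheet, the relative script and the hyperlink are clean. A CSP with upgrade-insecure-requests makes browsers rewrite these URLs to https before fetching, which is why the text calls it a fallback: the scan still shows the debt in the source even when the browser quietly papers over it.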

Article 32 in plain English

GDPR Article 32 requires controllers and processors to implement appropriate technical and organisational measures to secure personal data. The text lists four illustrative measures: pseudonymisation and encryption, the ability to restore availability, regular testing, and a process to evaluate effectiveness.

What does "appropriate" mean for a small Irish business with a website and a CRM? The DPC has never published a prescriptive checklist, but the enforcement pattern over the last five years tells you what it expects.

Encryption in transit isn't optional. A login form served over plain HTTP or a contact form that posts to an HTTP endpoint is an automatic finding. HTTPS everywhere is the baseline.

Access controls on backend systems. Shared passwords, admin accounts with default names and no MFA on email are all recurring findings in DPC reprimands.

Incident detection. You need to know within 72 hours whether a breach has happened. That's not the same as fixing it, but it's the trigger for Article 33 notification.

Regular testing. For an SMB this can be as simple as an annual scan, a quarterly review of who has access to what, and a short tabletop exercise on what to do if the CRM is compromised.

NIS2 in Ireland, who's in scope and by when

The EU NIS2 Directive (Directive 2022/2555) entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it. Ireland, like most member states, missed that deadline. The Irish transposition moved through the Oireachtas during 2025 and is now in force.

Two categories of entity are covered. Essential entities include large organisations in energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space. Important entities include medium-sized entities in postal services, waste management, manufacture of certain products, digital providers, research and food.

The thresholds are 250 employees, €50M annual turnover, €43M balance sheet. Essential status also depends on the sector.

Cloud service providers, managed service providers, data centre operators, DNS providers, CDN providers and online marketplaces are explicitly in scope regardless of size in some cases. An Irish SaaS selling to hospitals or banks should assume it's in scope.

Duties include risk management, incident reporting within 24 hours for early warning, and supply chain security. The Irish National Cyber Security Centre (NCSC) at ncsc.gov.ie is the competent authority.

For a typical Irish SMB website without any of those profiles, NIS2 doesn't apply directly. But if you supply services to an essential or important entity, your contracts will start carrying NIS2 flow-down clauses in 2026.

The DPC's security expectations, based on recent decisions

The Irish DPC has published enforcement decisions that read like a security syllabus. Reading them in order is more useful than any checklist.

The Meta 2023 €1.2B transfer fine, while about Schrems II, also set out what "appropriate safeguards" mean for a very large data controller.

The TikTok 2023 €345M fine on children's privacy included findings on default privacy settings, dark patterns in account setup, and age verification gaps.

The LinkedIn 2024 €310M fine on behavioural advertising identified transparency and legal basis failures at the interface level.

For an SMB the DPC is more proportionate. Typical reprimands cite: no MFA on the admin panel, sensitive data stored unencrypted at rest, backup retained without a deletion schedule, logs retained beyond what's necessary, third-party plugin with a known CVE left unpatched for months.

The through-line is documented process. The DPC forgives some technical shortfalls if the organisation can show awareness, prioritisation and a plan. It penalises harder when the organisation didn't know, didn't check and didn't care.

Security headers, the free baseline

HTTP security headers are the lowest-effort, highest-impact security measure you can add to any website. They take minutes to configure and block classes of attacks that cost money to clean up after.

Six headers carry most of the protection.

Strict-Transport-Security forces browsers to use HTTPS. Without it, a visitor who types your domain into the URL bar gets routed via HTTP for a split second, long enough to be hijacked on a compromised Wi-Fi network.

Content-Security-Policy restricts where scripts, styles and images can load from. A CSP done well makes most cross-site scripting attacks non-exploitable.

X-Content-Type-Options with the value nosniff stops browsers guessing MIME types. It blocks a class of attacks where uploaded files execute as scripts.

X-Frame-Options prevents your site being embedded in a malicious frame for clickjacking. Modern sites should set frame-ancestors in CSP as well.

Referrer-Policy limits what your outbound links leak about the referring URL. strict-origin-when-cross-origin is the sensible default.

Permissions-Policy disables browser APIs your site doesn't use: camera, microphone, geolocation, payment. If you're not a video chat app, disable the camera API.

Test your configuration with our free headers scanner. No configuration is perfect on day one. Start with report-only CSP for two weeks, read the violations, then enforce.
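The checks a headers scanner performs over those six headers can be written down in a few dozen lines. The following is an added example, not the TrustYourWebsite scanner or any code from the page; the pass thresholds (a one-year HSTS max-age, no 'unsafe-inline' or wildcard in script-src, a frame-ancestors directive, and the four Permissions-Policy features the text names switched off) are this example's own assumptions. It goes slightly beyond the six paragraphs above by also checking includeSubDomains and frame-ancestors, which the "compliant" section earlier on the page calls for.

```python
"""Evaluate HTTP response headers against the six-header baseline.

Added example; not code from the TrustYourWebsite page or its scanner.
The thresholds (one-year HSTS max-age, no 'unsafe-inline' in script-src,
the four Permissions-Policy features) are this example's own assumptions.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [sources]}; names are case-insensitive."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value: str) -> int | None:
    """Return max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for token in value.split(";"):
        name, _, number = token.strip().partition("=")
        if name.strip().lower() == "max-age":
            number = number.strip().strip('"')
            return int(number) if number.isdigit() else None
    return None


def disabled_features(value: str) -> set[str]:
    """Features whose Permissions-Policy allowlist is empty, e.g. "camera=()"."""
    disabled: set[str] = set()
    for item in value.split(","):
        name, _, allowlist = item.strip().partition("=")
        if allowlist.replace(" ", "") == "()":
            disabled.add(name.strip().lower())
    return disabled


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one response; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    # 1. Strict-Transport-Security: present, long max-age, covers subdomains
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: first request can still go over HTTP")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(f"HSTS max-age too short or invalid: {hsts!r}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    # 2. Content-Security-Policy: no inline/wildcard scripts, frame-ancestors set
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or wildcard scripts")
        if "frame-ancestors" not in directives:
            findings.append("CSP has no frame-ancestors directive")

    # 3. X-Content-Type-Options: exactly nosniff
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    # 4. X-Frame-Options: DENY or SAMEORIGIN (legacy complement to frame-ancestors)
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # 5. Referrer-Policy: the sensible default named in the text
    if h.get("referrer-policy", "").strip().lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")

    # 6. Permissions-Policy: powerful features the site does not use switched off
    off = disabled_features(h.get("permissions-policy", ""))
    for feature in ("camera", "microphone", "geolocation", "payment"):
        if feature not in off:
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings


# Constructed sample responses: a typical default hosting setup vs. the baseline.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}
BASELINE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "frame-ancestors 'none'; upgrade-insecure-requests",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("baseline", BASELINE_HEADERS)):
        print(f"{label}: {len(check_headers(hdrs))} finding(s)")
        for finding in check_headers(hdrs):
            print("  -", finding)
```

The weak set produces eleven findings, the baseline none. Note that a CSP with no script-src falls back to default-src, so a permissive default-src is still an XSS finding even when no script-src is present, and that the checker deliberately treats report-only policies (Content-Security-Policy-Report-Only) as absent: that header is the two-week tuning stage, not enforcement.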

