Last updated 3rd January 2025

1. What are the objectives of the NIS2 Directive?

Directive 2022/2555 (known as "NIS2") and the Irish NIS2 legislation transposing it, lays down measures that aim to achieve a high common level of cybersecurity across the European Union, with a view to improving the functioning of the internal market. It aims to strengthen cyber resilience by focusing on the following key objectives:

• National strategies: Member States must create national cybersecurity strategies and set up authorities for cybersecurity, crisis management, contact points, and incident response teams (CSIRTs).
• Risk management and reporting: Entities listed in Annex I or II, and critical entities under Directive (EU) 2022/2557, must follow cybersecurity risk management and reporting rules.
• Information sharing: There are rules for sharing cybersecurity information.
• Supervision and enforcement: Member States have obligations to supervise and enforce these rules.

Return to Top

2. What is the scope of the Directive NIS2?

The NIS2 Directive applies to public or private entities which are, in principle, established in Ireland of a type referred to in Annex I or II which qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in paragraph 1 of that Article, and which provide their services or carry out their activities within the Union.

Return to Top

3. What is the difference between Essential and Important entities?

The NIS2 law distinguishes between "essential" and "important" entities. In principle, this distinction is based on the size of the entity and the service provided:

Essential entities include the following:

• Entities in Annex I which exceed the ceilings for medium-sized enterprises provided for in the E.U Commission Recommendation.
• Includes qualified trust service providers and top-level domain name registries as well as DNS service providers, regardless of their size.
• Providers of public electronic communications networks or of publicly available electronic communications services which qualify as medium-sized enterprises in the E.U Commission Recommendation.
• Public administration entities referred to in Article 2(2) of the NIS2 directive.
• Any other entities referred to in Annex I or II that are identified by Ireland as essential.
• Entities which Ireland has already identified as operators of essential services under the NIS1 Directive. Financial entities who come under the scope of the Digital Operational Resilience Act (DORA) are exceptions to this as DORA is Lex Specialis.

Important entities: All medium or large entities from Annex II and entities in Annex I that do not qualify as essential due to their size. This includes entities identified by Ireland as important.

Return to Top

4. What is the difference in the supervision of "essential" and "important" entities?

The primary distinction between essential and important entities lies in supervision and sanctions they’re subject to.

The NIS2 Directive states:

Essential Entities (Article 32)

Essential entities are monitored in a proactive manner, often referred to as “ex ante”. They are defined as organisations providing services critical to public safety and economic stability. Their disruption would have severe societal impacts, warranting the highest level of cybersecurity oversight. Competent Authority powers include:

i. On-site inspections and off-site supervision, including random checks conducted by trained professionals.

ii. Regular and targeted security audits carried out by an independent body or a competent authority.

iii. Ad hoc audits, including where justified on the ground of a significant incident or an infringement of the Directive by the essential entity.

iv. Security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned.

v. Requests for information necessary to assess the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27.

vi. Requests to access data, documents, and information necessary to carry out their supervisory tasks.

vii. Requests for evidence of implementation of cybersecurity policies, such as the results of security audits conducted by a qualified auditor and the respective underlying evidence.

Important Entities (Article 33)

Important entities, however, are supervised in a more reactive manner, or “ex post.” This means their monitoring is based on evidence or signs that they might not be fulfilling their legal obligations. These Include organisations that, while not as critical as essential entities, still play a significant role in the economy or public services. Competent authorities, when exercising their supervisory tasks in relation to important entities, have the power to subject those entities at least to:

i. On-site inspections and off-site ex post supervision conducted by trained professionals.

ii. Targeted security audits carried out by an independent body or a competent authority.

iii. Security scans based on objective, non-discriminatory, fair and transparent risk assessment criteria, where necessary with the cooperation of the entity concerned.

iv. Requests for information necessary to assess, ex post, the cybersecurity risk-management measures adopted by the entity concerned, including documented cybersecurity policies, as well as compliance with the obligation to submit information to the competent authorities pursuant to Article 27.

v. Requests to access data, documents, and information necessary to carry out their supervisory tasks.

vi. Requests for evidence of implementation of cybersecurity policies, such as the results of security audits conducted by a qualified auditor and the respective underlying evidence.

The targeted security audits referred to in the first subparagraph, point (b), shall be based on risk assessments conducted by the competent authority or the audited entity, or on other risk-related available information.

The results of any targeted security audit shall be made available to the competent authority. The costs of such targeted security audit carried out by an independent body shall be paid by the audited entity, except in duly substantiated cases when the competent authority decides otherwise.

Return to Top

5. What enforcement powers do the Competent Authorities have in relation to Essential and Important entities?

The NIS2 Directive states:

Essential Entities

Competent authorities, when exercising their enforcement powers in relation to essential entities, will have the power to:

• Issue warnings about infringements of this Directive by the entities concerned.
• Adopt binding instructions, including regarding measures necessary to prevent or remedy an incident, as well as time-limits for the implementation of such measures and for reporting on their implementation, or an order requiring the entities concerned to remedy the deficiencies identified or the infringements of this Directive.
• Order the entities concerned to cease conduct that infringes this Directive and desist from repeating that conduct.
• Order the entities concerned to ensure that their cybersecurity risk-management measures comply with Article 21 or to fulfil the reporting obligations laid down in Article 23, in a specified manner and within a specified period.
• Order the entities concerned to inform the natural or legal persons regarding which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures which can be taken by those natural or legal persons in response to that threat.
• Order the entities concerned to implement the recommendations provided because of a security audit within a reasonable deadline.
• Designate a monitoring officer with well-defined tasks for a determined period to oversee the compliance of the entities concerned with Articles 21 and 23.
• Order the entities concerned to make public aspects of infringements of this Directive in a specified manner.
• Impose, or request the imposition by the relevant bodies, courts or tribunals, in accordance with national law, of an administrative fine pursuant to Article 34 in addition to any of the measures referred to in points (a) to (h) of this paragraph.

Where enforcement measures are ineffective, Member States shall ensure that their competent authorities have the power to establish a deadline by which the essential entity is requested to take the necessary action to remedy the deficiencies or to comply with the requirements of those authorities. If the requested action is not taken within the deadline set, Member States have the power to:

• Suspend temporarily, a certification or authorisation concerning part, or all of the relevant services provided, or activities carried out by the essential entity.
• Request in accordance with national law, prohibit temporarily any person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity.

More information can be found at article 32 & 33 of the Directive.

Important Entities

Competent authorities, when exercising their enforcement powers in relation to important entities, have the power at least to:

• Issue warnings about infringements of this Directive by the entities concerned.
• Adopt binding instructions or an order requiring the entities concerned to remedy the deficiencies identified or the infringement of the Directive.
• Order the entities concerned to cease conduct that infringes the Directive and desist from repeating that conduct.
• Order the entities concerned to ensure that their cybersecurity risk-management measures comply with Article 21 or to fulfil the reporting obligations laid down in Article 23, in a specified manner and within a specified period.
• Order the entities concerned to inform the natural or legal persons with regard to which they provide services or carry out activities which are potentially affected by a significant cyber threat of the nature of the threat, as well as of any possible protective or remedial measures which can be taken by those natural or legal persons in response to that threat;
• Order the entities concerned to implement the recommendations provided because of a security audit within a reasonable deadline.
• Order the entities concerned to make public aspects of infringements of this Directive in a specified manner.
• Impose, or request the imposition of an administrative fine.

More information can be found at article 32 & 33 of the Directive.

Return to Top

6. How do you calculate the size of an entity?

Under the NIS2 directive, the size of an entity is determined based on staff headcount and financial ceilings as set out in the annex of Recommendation 2003/361/EC. Here’s how it works:

Small & Medium Enterprises (SMEs)

The category of micro, small and medium-sized enterprises (SMEs) is made up of enterprises which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.

To be classed as an SME, an organisation must have less than 250 employees and have a turnover less than €50m and/or balance sheet of less than €43m. This means that if an organisation has a turnover less than €50m or a balance sheet less than €43m they fall below the threshold and are classed as an SME.

• Small-Sized Enterprise:
• Employs less than 50 people (calculated in annual work units, AWU).
• and
• Annual turnover or annual balance sheet total does not exceed EUR 10 million.
• Can use the lesser of either turnover or balance sheet total for classification.
• Medium-Sized Enterprise:
• Employs 50-249 people (calculated in annual work units, AWU).
• and
• Annual turnover: €10-50 million or balance sheet total: €10-43 million.
• Can use the lesser of either turnover or balance sheet total for classification.
• Large Enterprise:
• Employs 250+ people (calculated in AWU).
• or
• Annual turnover: over €50 million and balance sheet total: over €43 million.

Return to Top

7. What sectors and services are covered by the Directive?

Entities must provide at least one of the services listed in annexes I or II of the Directive. These sectors include highly critical sectors such as energy, transport, public health, and others, as well as other critical sectors like postal services, waste management, and food production. The Banking and Financial market infrastructures sector are covered by DORA and are “Lex Specialis”. More information in this table:

Return to Top

8. Are there any entities that are exempt?

The NIS2 directive recognises that certain public bodies may require exemptions from specific provisions of the directive to maintain their independence, confidentiality, or operational effectiveness. For example, judicial bodies or intelligence agencies may be exempted to protect the integrity of their functions. Member States may exempt entities involved in national security, public security, defence, or law enforcement from certain obligations.

Exemptions in this context are limited to provisions that would interfere with the public body’s statutory duties or compromise sensitive operations. Exemptions do not apply to general cybersecurity obligations, such as safeguarding critical networks and reporting incidents. It is likely that any exemption will be subject to periodic review to ensure they remain necessary and do not create undue risks to national cybersecurity.

Return to Top

9. Could the sectors covered by the NIS2 Directive be extended in the future?

The answer is yes, they could. The Irish government holds the authority to include additional sectors or subsectors for regulation.

Return to Top

10. Does the Directive apply to certain entities, regardless of their size?

Yes, regardless of their size, the Directive also applies to certain entities referred to in Annex I or II, where:

• The services that are provided by:
• Public electronic communications networks or publicly available electronic communications services.
• Trust service providers.
• Top-level domain name registries and domain name system service providers.
• Entities providing domain name registration services.
• Sole provider: If the entity is a sole provider which is essential for the maintenance of critical societal or economic activities, especially in sectors listed in Annexes I and II of the Directive.
• Impact on Public Security:If a disruption in the service provided by the entity could have a significant impact on public security, safety, or health.
• Systemic Risk:If a disruption in the service could result in significant systemic risk, particularly in sectors with potential cross-border impacts.
• Critical Importance:If the entity is critical due to its specific importance at the national or regional level for its sector or for interdependent sectors in Ireland.
• The entity is a public administration entity that is central government or an agency that has been defined by Ireland in accordance with national law.
• An entity that has been identified as a critical entity under the Critical Entities Resilience Act.

Return to Top

11. Is it possible for an entity to fall within several sectors?

Yes, entities can fall within several sectors if its activities span multiple areas covered by the directive. If an entity falls under multiple sectors with various levels of obligations, it must follow the strictest rules.

Return to Top

12. What is the territorial scope of the Directive? What about entities operating in several countries (multinationals, etc.)?

For multinational corporations, the scope of regulatory oversight under the NIS2 Directive is determined by the geographical areas where they provide services. If a corporation offers services in Ireland, it falls under the jurisdiction of Irish regulations. However, if the same corporation provides identical services in another Member State (MS), it would also be subject to the NIS2 regulations of that particular MS. For sectors identified as ‘main establishment’ sectors, such as the digital sector, regulatory oversight is determined by the location of the corporation’s headquarters within the Member State. More information at question 13.

Return to Top

13. What is the main establishment rule?

Entities falling within the scope of this Directive shall be considered to fall under the authority of the Member State in which they are established, except in the case of:

• Providers of public electronic communications networks or providers of publicly available electronic communications services, which shall be considered to fall under the authority of the Member State in which they provide their services.
• DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms, which shall be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union.

Under Article 26 of the NIS2 Directive, an entity’s ‘main establishment’ in the EU is defined as the Member State where the decisions related to the cybersecurity risk-management measures are predominantly taken. If such a Member State cannot be determined or if such decisions are not taken in the Union, the main establishment shall be in the Member State where cybersecurity operations are carried out. If such a Member State cannot be determined, the main establishment shall be in the Member State where the entity concerned has the establishment with the highest number of employees in the Union.

If an entity is not established in the Union, but offers services within the Union, it shall designate a representative in the Union. The representative shall be established in one of those Member States where the services are offered. Such an entity shall be considered to fall under the jurisdiction of the Member State where the representative is established. In the absence of a representative in the Union designated under this paragraph, any Member State in which the entity provides services may take legal actions against the entity for the infringement of this Directive.

Return to Top

14. Do critical infrastructures (or critical entities identified under the CER Directive) fall into the scope of the NIS2 directive?

Yes, critical infrastructures or entities identified under the Critical Entities Resilience (CER) Directive do fall under the scope of the NIS2 Directive. This means that entities identified as critical entities under the CER Directive should be essential entities under the NIS2 Directive. Therefore, both pieces of legislation will be applicable to these entities.

Return to Top

15. Do educational establishments and local public administration entities fall into the scope of the Directive?

The NIS2 Directive states that

“Member States may provide for this Directive to apply to:

(a) public administration entities at local level;

(b) education institutions, in particular where they carry out critical research activities”.

A ‘Research Organisation’ means an entity which has as its primary goal to conduct applied research or experimental development with a view to exploiting the results of that research for commercial purposes, but which does not include educational institutions.

These institutions, if in scope, would be required to report incidents as per the directive. However, the entities in scope and the exact requirements would need to be verified in the Irish transposition of the directive.

Return to Top

16. What is the method for determining whether an organisation falls within the scope of the NIS2 Directive?

This section provides a step-by-step guide to help you determine if your organisation falls within the scope of the NIS2 Directive in Ireland. It is important to remember that this method is comprehensive but not exhaustive, and it’s not the only approach you can take.

Here are the key points:

Preliminary Considerations: First, you will need to ask yourself a couple of questions. Is your organisation an operator of essential services under the NIS1 Directive?

Size of Your organisation: Next, consider the size of your organisation. This could influence whether you fall under the scope of the NIS2 Directive.

Services Provided: What services does your organisation provide within the European Union? The nature of these services could determine your obligations under the NIS2 Directive.

Location: Where is your organisation based in Europe? The location could have implications for how the NIS2 Directive applies to you.

Future Identification and Supply Chain Considerations: Could your organisation be identified as a NIS2 entity in the future, or is it part of the supply chain of a NIS2 entity? These factors could bring you within the scope of the NIS2 Directive.




16.1 Preliminary considerations

Before diving into the analysis of the NIS2 Directive, it's important to consider two key aspects that significantly impact the scope of the Directive for organisations in Ireland.

A. Does my organisation operate critical infrastructure?

Under the NIS2 Directive, does my organisation operate in a sector specified in Annex I & II. There’s an automatic application of the directive to entities that are identified as operators of critical infrastructure.

B. Is my organisation an Operator of Essential Services (OES)?

Entities that have been identified as operators of essential services under the NIS1 Directive, are also included within the scope of the NIS2 Directive. This means that the sectors covered by the NIS1 Directive are also encompassed by the NIS2 Directive except for financial entities that come under the scope of (EU)2022/2554 (DORA) which will be considered Lex Specialis when it comes into effect in January 2025.

Return to Top




16.2 What is the size of my organisation?

Determining whether an entity falls under the NIS2 Directive involves assessing its size. The directive refers to the Commission Recommendation 2003/361/EC for definitions of micro, small, and medium-sized enterprises. Typically, only medium-sized, and large enterprises are within the directive’s scope with some exceptions as noted in question 6.

The size of an entity is established based on two factors: the workforce, measured in annual work units (AWUs), and financial amounts, which include annual turnover and/or annual balance sheet total. An entity can choose to meet either the turnover ceiling or the balance sheet total ceiling, and exceeding one of these doesn’t affect its status as an SME.

More information can be found at Commission’s User’s Guide to the definition of SMEs and the SME-Wizard tool.

For instance, a small enterprise with 35 AWUs and an annual turnover of €1,000,000 but an annual balance sheet total of €50,000,000 would still be considered a small or micro enterprise based on its turnover. On the other hand, an enterprise with 80 AWUs and an annual turnover of €1,000,000 but an annual balance sheet total of €70,000,000 would be classified as medium-sized based on its workforce.

When considering the size in relation to the services provided, the scope is as follows:

• A medium-sized enterprise with 50-249 AWUs or an annual turnover/balance sheet total exceeding €10 million generally falls within the scope as an “important entity” if it provides a service listed in Annex I or II.
• A large enterprise with at least 250 AWUs or an annual turnover exceeding €50 million and an annual balance sheet total exceeding €43 million generally falls within the scope as an “essential entity” if it provides a service listed in Annex I. It’s considered an “important entity” if it provides an essential service listed in Annex II.
• For entities grouped as “partner” or “linked” enterprises, the combined data of these entities must be used to calculate size. You can find detailed criteria and examples in the Commission’s User’s Guide to the definition of SMEs and the SME-Wizard tool.

Certain entities fall under the NIS2 Directive regardless of size. These include qualified trust service providers, DNS service providers, TLD name registries, and others as specified.

Return to Top




16.3 What service(s) does my organisation provide in the European Union?

After determining the size of an entity, it’s important to conduct a thorough analysis of all the services it offers to third parties. This should be done by sector or sub-sector. It’s important to map out each service, even if it’s just a secondary activity. The NIS2 Directive provides detailed information about these services in Annexes I and II. This comprehensive approach ensures that all relevant services are considered when determining the applicability of the NIS2 Directive.

See the list of critical sectors in question 7, here.

Next, it is necessary to link the services provided by your organisation to the definitions mentioned earlier. The service provided meets the condition if there is a match between your services and the defined categories. An organisation may offer several of the listed services across different sectors.

In summary, "important" and "essential" entities are classified as follows:

	Medium-sized enterprise	Large enterprise
Annex I services	Important	Essential
Annex II services	Important	Important

Return to Top




16.4 Location

Article 26 of the NIS2 Directive states that “Entities falling within the scope of this Act shall be considered to fall under the jurisdiction of the Member State in which they are established, except in the case of:

• Providers of public electronic communications networks or providers of publicly available electronic communications services, which shall be considered to fall under the jurisdiction of the Member State in which they provide their services.

• DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, of online search engines or of social networking services platforms, shall be considered to fall under the jurisdiction of the Member State in which they have their main establishment in the Union under paragraph 2.”

Return to Top




16.5 Additional Identification and Supply Chain

The NIS2 Directive, Article 21 states “Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services.”.

It is important to note that the reach of the NIS2 Directive extends beyond its immediate scope. A considerable number of organisations could be indirectly affected by these new legal requirements if they form part of the supply chain for one or more NIS2 entities.

While entities are obligated to secure their own supply chains under the NIS2 Directive, it is important to note that the directive doesn’t necessarily directly apply to their suppliers or service providers. Instead, these entities may indirectly fall under the purview of NIS2 through contractual obligations imposed on them by the entities. This is not a direct requirement of the NIS2 Directive, but rather a potential consequence of its implementation by entities seeking to ensure their supply chain security. Under Article 21 of the NIS2 Directive, supply chain security is one of cyber security risk management measures.

Return to Top

17. What are the responsibilities of the Competent Authorities?

Competent authorities will monitor compliance and take corrective actions against non-compliant entities. The NCSC serves as the primary authority for sectors not explicitly assigned to other regulators.

Return to Top

18. How do I register?

Article 3 of the NIS2 Directive state that Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis. Member States shall require the relevant entities to submit at least the following information to the competent authorities:

(a) the name of the entity.

(b) the address and up-to-date contact details, including email addresses, IP ranges and telephone numbers.

(c) where applicable, the relevant sector and subsector referred to in Annex I or II; and

(d) where applicable, a list of the Member States where they provide services falling within the scope of this Directive.

The entities shall notify any changes to the details submitted without delay, and, in any event, within two weeks of the date of the change.

Member States may establish national mechanisms for entities to register themselves. (NIS2 Registration Portals).

The NCSC will provide a mechanism for entities to register for NIS2. This will be operational, once the NIS2 Directive has been transposed into Irish legislation.

Return to Top

19. What is a significant Incident?

The NIS2 Directive states that a significant incident is:

“An incident shall be considered to be significant if:

(a) it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;

(b) it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.”

Further guidance on thresholds and reporting of incidents will be provided in due course.

Return to Top

20. Abbreviations & References

The following abbreviations and references are used in this document:

Competent Authority: A “Competent Authority” under the NIS2 Directive is a regulatory entity established by EU member states, responsible for ensuring compliance with the directive by Operators of Essential Services and Digital Service Providers.

CSIRT: A CSIRT (Computer Security Incident Response Team) is a team responsible for information exchange on cybersecurity and cooperation on specific cybersecurity incidents.

DORA: DORA, or the Digital Operational Resilience Act, is an EU regulation that establishes a comprehensive framework for harmonising digital resilience processes and standards in the financial sector and is considered a specific law that takes precedence over the general NIS Directive Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on the digital operational resilience of the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (available on Eur-Lex).

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (available on Eur-Lex).

NCSC: National Cyber Security Centre (Ireland's national cyber security authority & national CSIRT).

NIS1: NIS1, or the Network and Information Systems Directive 1, is the first EU regulation adopted in July 2016 to improve cybersecurity by addressing threats to network and information systems.

NIS1 Directive: Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (available on Eur-Lex) as transposed by Irish legislation.

NIS2 Directive: NIS2, or the Network and Information Systems Directive 2, is an EU directive aimed at enhancing cybersecurity across the EU by setting cybersecurity requirements for critical infrastructure companies. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures to ensure a common high level of cybersecurity throughout the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (available on Eur-Lex) .

NIS2 Regulations: Regulations of 9th June 2024 implementing the Directive of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security.

Recommendation (2003/361/EC): Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (available on Eur-Lex).

Lex Specialis: “Lex specialis” is a legal principle where a specific law (lex specialis) overrides a general one (lex generalis). In the context of NIS2 and DORA, DORA is the “lex specialis”. This means if both could apply, DORA, being more specific, takes precedence. So, for cybersecurity, while NIS2 provides general rules, DORA provides specific rules for the financial sector and thus supersedes NIS2 in this area.

Return to Top