Cybersecurity governance is moving to the highest levels of organizational leadership, a shift highlighted by the European Union’s NIS2 Directive and Ireland’s forthcoming National Cyber Security Bill. At a recent conference hosted by Ireland’s National Cyber Security Centre, attendees were asked: “Where are cybersecurity risks managed in your organization?” Results showed roughly half of organizations assign cyber risk oversight to the management board, while the remainder delegate responsibility to CIOs, CISOs, or IT managers.
This distinction has become legally significant. The NIS2 Directive (Directive 2022/2555) places accountability for cybersecurity squarely on senior management. Article 20 of NIS2, as transposed into national legislation across EU member states, mandates that management boards approve, oversee, and ultimately take responsibility for their organization’s cybersecurity risk measures. Failure to comply can result in personal liability, regulatory sanctions, and administrative fines.
Ireland’s National Cyber Security Bill and NIS2 Implementation
Ireland plans to transpose NIS2 into national law via the National Cyber Security Bill. While the draft legislation has yet to be published, the government has released the General Scheme of the National Cyber Security Bill 2024, which includes Article 20 obligations under Head 28. Under this framework, senior management may face consequences for noncompliance, including temporary bans, fines, and potential personal liability.
For legal and compliance teams, ensuring management boards are fully briefed on NIS2 and the National Cyber Security Bill is critical. Boards must understand not only organizational obligations but also their individual responsibilities under the legislation.
Identifying the Management Board
A foundational step for organizations is determining which individuals fall within the scope of Article 20 under NIS2. While the Directive refers to “management bodies,” the General Scheme defines the term “management board” as a group vested with authority for oversight, direction, and control of the entity. This includes boards of directors and key executives, though in practice other senior managers with delegated authority may also fall within its scope.
Proper scoping requires reviewing corporate governance documents, board minutes, organizational charts, role descriptions, and risk resolutions. Multinational organizations face added complexity because corporate structures vary across jurisdictions, and global cyber strategy may not be determined locally. Documenting the rationale for board membership and revisiting it regularly is essential to maintaining compliance with NIS2 obligations.
Educating Boards on Cybersecurity Risk Management
Management boards are expected to possess sufficient knowledge to assess cybersecurity risk. Under the National Cyber Security Bill and NIS2, boards will need to participate in ongoing cybersecurity training and encourage employee training. Organizations should ensure boards understand:
- The impact of NIS2 on the organization.
- Obligations of both the organization and the management board.
- Third-party dependencies.
- Adopted cybersecurity frameworks, such as ISO 27001, NIST Cybersecurity Framework, or Cyber Fundamentals (CyFun), which the National Cyber Security Centre recommends as a preferred method to demonstrate NIS2 compliance.
Documentation of training and regular briefings on cyber threats will support boards in meeting regulatory expectations.
Understanding Regulatory Consequences
Management boards must also recognize the potential consequences of NIS2 noncompliance. Administrative fines under Ireland’s draft National Cyber Security Bill are substantial: up to €10 million or 2% of global turnover for essential entities, and up to €7 million or 1.4% of turnover for important entities.
The draft legislation also includes personal liability provisions under Head 43, holding directors or senior officers responsible for breaches resulting from wilful neglect or consent. Although the term “gross negligence” appears only in explanatory notes, it further signals that personal accountability for cybersecurity failures is a central focus of both NIS2 and Ireland’s National Cyber Security Bill.
To mitigate personal liability risks, some boards may consider contractual solutions, such as indemnities or updated employment contracts, though the legal effectiveness of these measures must be carefully evaluated. Organizations should also prepare for potential supervisory engagement from competent authorities, ranging from information requests to formal audits, ensuring all approvals and decisions are properly documented.
Looking Ahead
The National Cyber Security Bill is expected to be introduced to the Irish Parliament in 2026, amid pressure to comply with the EU’s NIS2 transposition timeline. Ireland received a formal notice from the European Commission for missing the original October 2024 deadline, with the possibility of referral to the Court of Justice of the EU for noncompliance.
Even before formal enactment, regulatory bodies such as the Commission for Communications Regulation have begun informal engagement with organizations likely in scope. Management boards are advised to familiarize themselves with NIS2 requirements and current Irish regulatory guidance to prepare for compliance, governance responsibilities, and potential inspections.
By proactively identifying board members, educating them on cybersecurity risks, and documenting compliance efforts, organizations can reduce legal exposure under the National Cyber Security Bill while aligning with the broader obligations of the NIS2 Directive.