Ireland’s EU Presidency Will Put Cyber Risk in the Spotlight. Are Irish Boards Ready?


As Ireland prepares to assume the Presidency of the Council of the European Union, many organisations are understandably focused on the opportunities that come with having Ireland at the centre of European policymaking for six months.

However, a recent survey by the Institute of Directors Ireland highlights another reality that boards and senior executives shouldn’t ignore. Nearly half of the directors surveyed believe their organisations will face increased cyber risk during Ireland’s EU Presidency. In my view, that figure is probably conservative: the experience of previous EU Presidencies shows that increased international visibility brings increased cyber activity. Nation states, cybercriminals, hacktivists, and other threat actors often seek to exploit major political events to gain intelligence, disrupt services, damage reputations, or simply attract attention to their causes.

Ireland’s Presidency comes at a particularly challenging time. Geopolitical tensions remain high, cybercrime continues to grow, artificial intelligence is accelerating the sophistication of attacks, and organisations are struggling to keep pace with an increasingly complex regulatory environment.

I have regularly said that “cybersecurity is no longer an IT issue; it is now a boardroom issue”, and the IoD survey reflects this changing reality. Directors identified cybersecurity as one of the key areas where boards face increased risk exposure, alongside geopolitical and regulatory volatility and concerns around AI governance.

Today’s organisations rely on complex ecosystems of cloud providers, software platforms, outsourced services, suppliers, and partners. A cyber incident affecting any part of that ecosystem can quickly become a business issue affecting operations, customers, reputation, finances, and regulatory compliance.

What is changing, however, is the level of personal accountability now being placed on directors and senior executives.

Over the past few years, we’ve seen a significant shift in how regulators view cybersecurity governance. Regulations such as the EU Digital Operational Resilience Act (DORA), EU NIS2, the EU Cyber Resilience Act (CRA) and the EU GDPR, together with contractual obligations, cyber insurance requirements and sector-specific rules, are increasingly placing responsibility for cybersecurity oversight at board and executive level.

Under NIS2, management bodies are required to approve cybersecurity risk management measures, oversee their implementation, and undertake cybersecurity training, and they can be held liable for infringements. DORA similarly places clear responsibilities on senior management within regulated financial entities for ICT risk management and operational resilience. This is a fundamental change. Historically, boards could often treat cybersecurity as a technical matter delegated to IT departments or external providers. Increasingly, regulators are making it clear that cybersecurity governance is a leadership responsibility. Directors cannot simply assume that someone else is managing the risk.

The IoD survey reflects this growing concern. An overwhelming 91% of directors believe their personal liability and risk exposure has increased over the past three to five years. Yet despite this growing accountability, many organisations remain in a difficult position.

Ireland has still not formally transposed the NIS2 Directive into national law, even though the Directive’s transposition deadline of 17 October 2024 has passed. While organisations know that compliance obligations are coming, there remains considerable uncertainty about how those requirements will ultimately be implemented through the forthcoming National Cyber Security Bill. This lack of clarity is creating challenges for boards and management teams attempting to make informed decisions about cybersecurity investment, governance structures, reporting obligations, and accountability frameworks.

The reality is that many organisations are trying to prepare for a regulatory destination without having a complete map of the route. But that uncertainty should not be used as an excuse for inaction.

The core principles underpinning NIS2, DORA, GDPR, the CRA, and other cybersecurity regulations are remarkably consistent and apply whether they have been transposed into local law or not. Organisations are expected to understand their risks, implement appropriate controls, manage third-party dependencies, ensure resilience, detect incidents, respond effectively, and demonstrate governance and oversight.

Meeting those expectations starts with a baseline: organisations need to know where they are today before they can determine where they need to go.

This is where boards need to ask some difficult questions.

  • Do we understand our current cybersecurity maturity?
  • Have we identified our most critical business assets and dependencies?
  • Do we understand the cyber risks presented by our suppliers and third parties?
  • Have we tested our resilience and incident response capabilities?
  • Do board members have sufficient knowledge to challenge management and make informed decisions on cyber risk?

Those questions are becoming increasingly important because cyber risk is no longer simply about protecting technology. It is about protecting business operations, customer trust, shareholder value, and regulatory compliance.

One of the most concerning findings in the IoD survey is not that directors perceive cyber risk to be increasing. It is that many directors continue to feel uncertain about their own exposure and responsibilities.

That highlights the growing importance of board education in relation to cyber risk. Boards do not need to become cybersecurity specialists. They do, however, need enough knowledge to understand the risks facing their organisation, ask the right questions, interpret the information being presented to them, and fulfil their governance responsibilities. Organisations should therefore ensure that cybersecurity awareness training does not stop at employees. Increasingly, it must extend to boards and executive leadership teams.

As Ireland assumes the EU Presidency, cybersecurity will undoubtedly receive greater attention. Threat actors will seek opportunities to exploit increased visibility. Regulators will continue to increase expectations around governance and accountability. Customers and stakeholders will continue to expect organisations to demonstrate resilience and trustworthiness.

For many organisations, now is the time to take stock and ensure they have the right level of cybersecurity governance and controls in place. Conducting cybersecurity maturity assessments, reviewing governance structures, evaluating third-party risk management programmes, educating boards and senior leadership teams, and preparing for compliance with regulations such as NIS2, DORA, GDPR and the Cyber Resilience Act are no longer optional exercises.

The organisations that will navigate this environment most successfully will not necessarily be those with the largest security budgets or the most sophisticated technology. They will be the organisations whose boards understand that cybersecurity is fundamentally a business risk and who take their governance responsibilities seriously.

Ireland’s EU Presidency may only last six months. The accountability facing boards and senior executives will last considerably longer.

Brian Honan is CEO of BH Consulting
