Cybersecurity regulatory expectations have shifted significantly: what used to be primarily an IT concern has evolved into a board-level governance obligation. Directors now need to actively oversee cyber resilience, risk management, and organisational preparedness.
I have witnessed this shift firsthand in my work supporting organisations in implementing the Network and Information Security Directive (NIS1) and subsequently advising public and private sector entities across multiple EU locations for NIS2.
NIS2 notably expands the scope of critical infrastructure entities to include specific industries such as manufacturing, food processing, and chemical production and distribution. This updated framework signals the end of an era where cybersecurity could be delegated solely to technology teams. For Irish management boards, cyber risk has become a core fiduciary, operational, and legal responsibility.
This reflects a broader European movement to embed digital resilience within corporate governance structures, ensuring that organisations treat cybersecurity as a strategic business risk rather than a technical issue. From my experience of organisations across Europe, a consistent theme has emerged. Regulators increasingly expect demonstrable leadership engagement, documented decision making, and clear accountability for cyber risk. The organisations best positioned for compliance are those that understand, challenge, and govern cybersecurity risk exposure at board level.
Decoding the Irish 2024 National Cyber Security Bill
Under the new Irish regime, delegation without active board oversight is no longer a legally viable strategy. The Irish National Cyber Security Bill 2024 mandates a level of board accountability that wasn’t required under NIS1. Although the EU’s transposition deadline passed in October 2024, boards must recognise that this is a period of legal transition, not a reprieve. Even while domestic legislation progresses, insurers, investors, regulators, and stakeholders are increasingly assessing organisations against NIS2.
Decoding the specific Irish National Cyber Security Bill is strategically vital for directors. This Bill explicitly introduces personal liability risks, moving cybersecurity into the realm of individual legal exposure. Under Article 20 and Head 28, the board holds a mandatory duty to approve and oversee cybersecurity risk management measures. This requires directors to critically challenge the effectiveness of security measures, not just passively receive high-level reports. Furthermore, the board must be satisfied that the organisation’s posture is adequately funded and sufficient to meet an ‘all hazards’ requirement of NIS2.
Irish boards must therefore move from reactive security measures to active, documented governance. The delay in domestic legislation does not shield directors from evolving expectations of oversight and accountability. While NIS2 provides the framework, the specific legislative environment in Ireland introduces nuances regarding personal liability that require immediate strategic attention.
By the way, the same management accountability mandated in the Cybersecurity Bill is also part of the NIS2 Directive and, as such, it applies to all EU Member States.
Identifying personal liability
A critical component of the Irish Bill is Head 43, which outlines a system of shared responsibility. However, this shared responsibility does not shield the individual. The Bill allows for individual prosecution where there is a fundamental failure of oversight. Lessons can be drawn from international precedents, such as the German prima facie evidence rule. If the board can’t produce a documented trail of critical challenge and risk assessment, a regulator may presume negligence. To mitigate this, Irish boards must:
- Perform a rigorous review to identify the individuals with the final say on cybersecurity outcomes.
- Formally map these individuals in a responsibility matrix for legal record keeping.
- Document every instance where the board has reviewed, challenged, or approved cybersecurity investments, risk acceptances, and risk management measures.
Demonstrating compliance through frameworks
NIS2 requires board members to possess the knowledge and skills necessary to identify and assess cybersecurity risk. Training must be regular and documented. Specifically, this education must move beyond just phishing awareness to cover third party dependencies and the cybersecurity frameworks the organisation has adopted. Training sessions should also be recorded for regulatory audit purposes.
To demonstrate that they have met the required standard of care, organisations should adopt recognised international and local frameworks. Ireland’s National Cyber Security Centre recommends the Cyber Fundamentals Framework (CyFun), and ISO 27001/ISO 27002 remain the gold standard for establishing a robust Information Security Management System (ISMS).
While the Irish Bill establishes the framework, continental enforcement trends provide a stern warning regarding the intensity of future regulatory scrutiny.
EU enforcement: lessons from Poland and Germany
Irish boards must look to European neighbours to anticipate the rigour of future enforcement. The precedents being set in Poland and Germany provide a clear roadmap for the level of scrutiny Irish firms will face.
- Mandatory ISMS: Poland’s transposition of NIS2 explicitly imposes an obligation on in-scope entities to deploy a formal ISMS. Crucially, the Polish management board is not merely an overseer; it is legally required to make the final decisions regarding the preparation, implementation, application, and review of the ISMS. This eliminates the plausible deniability of directors regarding technical implementations.
- Personal accountability: The German enforcement model serves as a warning for Irish leadership. From June 30, German regulators will begin audits in which executives will be held personally accountable for compliance failures. Germany is adopting an ‘all hazards’ approach, treating the absence of documentation for safety measures and implemented controls as evidence of negligence.
To protect management from penalties, evidence of risk analysis and control application is mandatory. These continental trends highlight the need for Irish organisations to take proactive and positive steps towards compliance today.
A strategic action plan
Irish boards should treat compliance not as a checkbox exercise, but as a continuous cycle of maturity improvement and active governance. A watertight defence rests on four critical pillars:
- Readiness, governance and accountability: Management must actively oversee risk, attend training, receive regular reporting, and formally approve key decisions, including risk acceptance and investment in controls. Documented decisions and meeting minutes are essential evidence.
- Asset and risk visibility: Boards must gain visibility into business critical assets and associated risks. This requires ensuring documented controls are in place for access management, incident detection, encryption, and business continuity planning.
- Incident response rigour: NIS2 mandates a strict 24-hour reporting window for significant incidents. Boards must ensure clear internal escalation procedures are defined and tested to meet these deadlines.
- Supply chain integrity: Organisations are now responsible for the risks posed by third party providers. Boards must ensure cybersecurity requirements are embedded in contracts and that supplier compliance is actively monitored as part of the organisation’s overall risk exposure.
Cultivating a culture of resilience
I remember discussing with leaders at the Irish Institute of Directors that cybersecurity must be a top boardroom priority. That was back in 2020; since then, NIS2 has transformed that recommendation into a reality. So, the strategic imperative for Irish boards is clear: action is required now.
The key lesson from our European neighbours is that documentation, governance, and evidence of control implementation are the strongest defences against personal liability. Under the incoming regime, a fundamental failure of oversight may be judged by the absence of a documented decision-making trail as much as by the incident itself.
Furthermore, the role of the board is no longer simply to fund cybersecurity, but to lead it. By embracing active oversight, fostering a culture of resilience, and demonstrating accountability through documented governance, Irish management boards can navigate the NIS2 frontier with confidence, protecting both their organisations and their directors from unnecessary risk.
Sarah Hipkin is a senior consultant with BH Consulting