A recent poll hosted by Ireland’s National Cyber Security Centre (NCSC) revealed a significant divide in how organizations manage cybersecurity risk: approximately 50% handle it at the management board level, while the other half delegate responsibility to chief information officers, chief information security officers, or IT managers. This seemingly simple question has taken on new importance with the implementation of the EU’s NIS2 Directive, which places greater legal and regulatory responsibility on senior management for cybersecurity preparedness.
NIS2, formally Directive 2022/2555, mandates that senior managers are ultimately responsible for approving and overseeing their organization’s cybersecurity risk management measures, potentially facing personal liability for compliance failures. Ireland is preparing to transpose NIS2 into national law through the forthcoming National Cyber Security Bill. While the draft legislation hasn’t been published, a government framework document, the General Scheme of the National Cyber Security Bill 2024, includes provisions mirroring Article 20 of NIS2.
The bill, currently in development, defines the “management board” as “a body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity.” This definition, as outlined in Head 28 of the General Scheme, is intended to grant the management board legal power and authority over cybersecurity outcomes, encompassing the board of directors and key executives. The legislation also specifies enforcement mechanisms targeting CEOs and company directors of essential entities.
Determining who constitutes the “management board” can be complex, particularly for multinational organizations. The General Scheme acknowledges that other senior managers with delegated decision-making authority may also be considered part of the board. Organizations must assess their corporate governance structures – including constitutions, risk resolutions, supplier assessments, role descriptions and board minutes – to accurately define their management board. Failure to properly identify the responsible body is itself a breach of NIS2.
For organizations with distributed operations or decision-making outside the EU, the scoping exercise becomes more challenging due to differing corporate laws. Companies must consider the definition of the “management body” in each relevant jurisdiction and account for situations where cyber strategy is determined at a global or regional level rather than locally. Once identified, the composition of the management board should be documented and regularly reviewed.
NIS2 requires management boards to possess sufficient knowledge and skills to understand and assess cybersecurity risks. The Irish General Scheme mandates that board members and employees attend cybersecurity education programs and training on a regular basis. Organizations should ensure the board understands NIS2’s impact, their specific obligations, third-party dependencies, and the cybersecurity frameworks adopted – such as ISO 27001, the U.S. National Institute of Standards and Technology’s Cybersecurity Framework, or the Irish NCSC’s recommended Cyber Fundamentals Framework (CyFun).
The NCSC has released draft NIS2 Risk Management Measures, which it considers the minimum standard for compliance. Training sessions must be documented and repeated as necessary, and boards should receive regular briefings on current cyber threats.
Failure to comply with NIS2 carries significant consequences. Under the General Scheme, essential entities could face administrative fines of up to €10 million or 2% of worldwide group turnover, while important entities could be fined up to €7 million or 1.4% of turnover. Head 43 of the General Scheme proposes personal liability for management board members if an infringement occurs with their consent, connivance, or due to willful neglect.
The draft legislation also introduces the concept of “gross negligence,” potentially leading to personal liability following a cybersecurity incident, though the legal definition of this term remains unclear. Organizations may consider contractual solutions, such as indemnities, to mitigate personal liability risks for board members, though the legality and effectiveness of such measures require careful consideration.
Organizations should prepare for potential engagement with competent authorities, which may include information requests or full security audits. Documentation of management board approvals related to NIS2 compliance – such as board resolutions and meeting minutes – will be crucial. Competent authorities may also request formal attestations from senior managers regarding their organization’s cybersecurity risk management.
The National Cyber Security Bill is expected to be introduced before the Irish Parliament this year. The European Commission has already issued a formal notice to Ireland for failing to transpose NIS2 by the October 2024 deadline, raising the possibility of referral to the Court of Justice of the European Union. Despite the delay, several competent authorities, including the Commission for Communications Regulation, have begun informal engagement with in-scope entities.