Cybersecurity is a standing agenda item and business-critical concern at the highest levels of most organisations.
In most instances, however, responsibility for and oversight of cybersecurity has been given to IT teams, CISOs, and CTOs. The Network and Information Security 2 Directive (NIS2) is a game-changer for in-scope entities because cybersecurity is no longer siloed to IT but instead extends to board members and senior management (referred to as “management bodies”) in certain critical sectors.
NIS2 imposes direct and significant responsibilities on board members and senior management to be involved in cybersecurity. Since October 2024, NIS2 requires board members and senior management to understand, oversee and implement effective cybersecurity risk management practices to ensure their organisations are operationally resilient.
Responsibilities for directors and senior management of in-scope entities:
1) Who is subject to direct responsibilities?
Under Ireland’s draft legislation, “management bodies” means “a body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity”. This is a broad definition which includes senior management and directors.
The rationale for this broad definition is to ensure that responsibility for cybersecurity risk-management measures and reporting obligations is channelled to the highest levels within in-scope entities. Since directors are under a fiduciary duty to mitigate risk, there is little scope for directors to delegate these obligations.
2) What do directors and senior management need to do?
2.1) Cybersecurity risk management
Article 20 of NIS2 imposes a specific obligation on in-scope “management bodies” of essential and important entities to approve the cybersecurity risk-management measures taken by the entity and to oversee their implementation and effective maintenance. It also provides that a management body may be held liable for infringements by an in-scope entity of those cybersecurity risk-management obligations.
NIS2 also introduces a new incident notification regime. Entities must notify the NCSC of significant incidents on a three-stage basis. The first, ‘early warning’ notification must be made without undue delay and within 24 hours of the incident occurring. The next notification is the ‘incident notification’, which should also be made without undue delay and within 72 hours of becoming aware of the significant incident. This notification should include an initial assessment of the significant incident, including its severity and impact, and an indication of any compromises. A final report should be submitted no later than one month after the incident notification. See our article on incident notifications under NIS2 [here].
2.2) Training
Under NIS2, management boards of essential and important entities are required to follow cybersecurity risk management training and ensure that employees undertake such training regularly. They must also foster and encourage good cybersecurity hygiene by employees, including ensuring that employees (including members of management boards) can identify risks, are informed of the importance of cybersecurity and can assess cybersecurity risk management practices.
Cybersecurity training should be scheduled periodically so that existing employees repeat it and new employees receive it. The training should also cover relevant cyber threats, the cybersecurity risk-management measures the organisation has in place, and the contact points and resources for additional information and advice on cybersecurity matters.
3) Are there implications for non-compliance?
3.1) Yes. Personal liability
Where a body corporate commits an offence under NIS2, and it is proved to have been committed with the “consent or connivance of, or to be attributable to any wilful neglect” of a director, manager, secretary or other officer, they will be guilty of an offence and are liable to be proceeded against and punished as if they were guilty of the offence.
3.2) Fines and other measures
Under NIS2, the maximum administrative fines which can be issued for infringements are:
- For Essential entities, €10 million or at least 2% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater.
- For Important entities, €7 million or at least 1.4% of an organisation’s worldwide group turnover in the previous financial year, whichever is greater.
An entity’s certification or authorisation to perform the relevant service may also be suspended if it has not complied with a deadline set by a competent authority for taking a particular action. In addition, natural persons responsible for discharging managerial responsibilities at CEO or officer level of an entity may be temporarily prohibited from exercising managerial functions until the High Court is satisfied that the entity meets the requirements of the relevant compliance notice.
See our article on NIS2 enforcement and supervision [here] for further details on enforcement measures available to competent authorities.
4) Practical steps that directors can take to achieve compliance and avoid penalties
The increased responsibility and liability for directors and senior management under NIS2 necessitates a proactive approach to cybersecurity governance. For certain in-scope entities, NIS2 requires enhancing existing procedures; for other entities, processes and procedures must be introduced to establish a more formalised cybersecurity framework.
Irrespective of the maturity of an in-scope entity’s cybersecurity framework, directors and senior management should take at least the following steps to facilitate, support and ensure NIS2 compliance:
- Mandatory Training: Directors and senior management must follow regular training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices, along with any potential impact on the services provided by the entity.
- Delegation: Carefully consider the skills, expertise, experience and competencies of the individuals responsible for cybersecurity.
- Board Approval: CISOs and IT teams must ensure that directors and senior management formally approve cybersecurity measures. This can be achieved through regular board meetings where cybersecurity is a standing agenda item.
- Oversee the Internal Incident/Cyber Security Response Team: This team should have regular reporting mechanisms to keep the management body informed about the implementation and effectiveness of cybersecurity measures.
- Conduct Regular Audits: Require the performance of regular cybersecurity audits and risk assessments to identify and mitigate potential vulnerabilities and remediate issues identified.
- Foster a Cybersecurity Culture: Promote a culture of cybersecurity awareness within the organisation, ensuring all employees are informed of and understand their role in maintaining security.
Conclusion
NIS2 increases responsibilities and potential liabilities for directors, elevating cybersecurity to a board-level responsibility for in-scope entities. By adopting a proactive and informed approach to cybersecurity governance, directors can ensure compliance, thereby avoiding penalties and protecting their organisations from the ever-growing threat of cyber-attacks.
Status of NIS2 transposing legislation in Ireland: At the time of this publication, NIS2 is legally binding in the European Union (since 17 October 2024). However, NIS2 has yet to be transposed into Irish law, and Ireland is subject to infringement proceedings brought by the European Commission due to late transposition. The General Scheme for the National Cyber Security Bill 2024 (CSB) is the proposed draft legislation to transpose NIS2 into Irish law. The CSB is published on the Government’s priority legislation list. Please visit our website for relevant updates regarding the CSB.
For more information on NIS2, see William Fry’s NIS2 podcast series here; or access William Fry’s TechReg Connect software solution; or contact Leo Moore, Rachel Hayes, Susan Walsh or your usual William Fry contact.