NIS2 and Ireland's National Cyber Security Bill: What management boards must know and do

Deirdre Kilroy and Alex Guard write that NIS2 will be transposed into law in Ireland via the forthcoming National Cyber Security Bill. They say it is imperative that in-house counsel and compliance functions properly brief management boards on the impending responsibilities and liabilities.

Contributors:
Deirdre Kilroy
Partner
Bird & Bird
Alex Guard
Associate
Bird & Bird
"Where are cybersecurity risks managed in your organization?"
This question was posed to attendees at a recent conference hosted by Ireland's National Cyber Security Centre. The live poll confirmed that approximately 50% of organizations manage cyber risk at the management board level, with the other half delegating responsibility for cybersecurity to chief information officers, chief information security officers or information technology managers.
It may seem like an innocuous question, but following the entry into force of Directive 2022/2555, also known as the NIS2 Directive, the location of cybersecurity risk management has become an important legal and regulatory consideration for organizations operating within critical sectors, such as energy, manufacturing and digital services.
Article 20 of NIS2, as transposed into the national laws of EU member states, makes senior managers ultimately responsible for deciding, approving and overseeing their organization's cybersecurity risk management measures. They may even be held personally liable for the organization's compliance failures.
In Ireland, NIS2 will be transposed into law via the forthcoming National Cyber Security Bill. The draft legislation has not yet been published, but the government released a framework document called the General Scheme of the National Cyber Security Bill 2024. Article 20 is currently included as Head 28 of the General Scheme. Failure by senior management to comply with NIS2 requirements could result in significant individual and organizational consequences, including personal liability, temporary bans and administrative fines.
It is imperative that in-house counsel and compliance functions properly brief their management boards on the impending responsibilities and liabilities under NIS2.
Identify the 'management board'