NIS2: Raising the Stakes – Boardroom Risk and Director Accountability

Authored by John Kane, vCISO

In this update we will look at the EU’s NIS2 Directive, which marks a significant shift in how organisations must approach cybersecurity. It is not a technical issue confined to IT departments, but a core business risk with direct implications for leadership.

For many organisations, the most profound change lies not in the controls themselves, but in the personal accountability now placed on directors and senior management.

NIS2 broadens the scope of regulated entities, capturing a wider range of sectors deemed “essential” or “important.” However, beyond scope expansion, the directive introduces a governance standard that forces boards to actively engage in cybersecurity risk management. This is no longer optional oversight; it is a legal obligation.

From Delegation to Ownership

Historically, boards could rely heavily on technical teams or third-party providers to manage cybersecurity risk. NIS2 fundamentally disrupts this model. Directors are now explicitly required to approve cybersecurity risk management measures and oversee their implementation. This includes understanding supply chain risks, incident response capabilities, and the organisation’s overall security posture.

Critically, this means that cybersecurity must be treated like financial or legal risk, requiring informed scrutiny, documented decision-making, and ongoing review. A lack of technical expertise is no longer a defence; directors must ensure they are sufficiently informed to make sound judgements, whether through training, advisory support, or structured reporting mechanisms.

Personal Liability: A Real Consequence

One of the most impactful elements of NIS2 is the clear introduction of personal accountability. Where organisations fail to comply, supervisory authorities have the power to impose sanctions that may extend beyond corporate penalties. Assuming that the legislation in Ireland will be in line with the EU norm, then directors may be held personally liable for failing to exercise appropriate oversight.

This elevates cybersecurity from a reputational or operational concern to a personal risk for board members. It also increases the likelihood of regulatory scrutiny following significant incidents, particularly where governance failures can be demonstrated. Directors must therefore be confident not only that controls exist, but that they are effective, tested, and aligned with the organisation’s risk appetite.

Risk Management in Practice

To meet NIS2 expectations, organisations must adopt a structured and demonstrable approach to cybersecurity risk. This includes:

  • Formal risk assessments that identify and prioritise threats across operations and supply chains
  • Documented policies and procedures aligned with recognised frameworks
  • Incident detection and response capabilities that are tested and refined
  • Board level reporting that translates technical risk into business impact

Importantly, these elements must be more than “tick box” exercises. Regulators are increasingly focused on evidence of active governance, such as minutes, decision logs and audit trails that demonstrate engagement and challenge at board level.


The Role of Managed Service Providers

For many organisations, managed IT service providers (MSPs) will play a crucial role in achieving and maintaining compliance. However, NIS2 does not allow responsibility to be outsourced entirely. While MSPs can deliver technical controls, monitoring, and expertise, accountability remains firmly with the organisation’s leadership.

This makes vendor management and assurance critical. Directors should ensure that their MSPs operate to recognised standards, provide transparent reporting, and support compliance obligations. Contracts, service-level agreements and escalation procedures should all reflect the heightened regulatory environment.

A Strategic Opportunity

While NIS2 introduces new pressures, it also offers an opportunity to strengthen organisational resilience. Boards that embrace their role in cybersecurity governance can drive better risk visibility, improve incident readiness, and build trust with customers and partners.

Ultimately, NIS2 signals the maturation of cybersecurity as a boardroom issue. Directors who recognise and act on this shift will not only reduce regulatory risk but position their organisations to operate more securely in an increasingly hostile digital landscape.

Summary

The focus in NIS2 on supply chain compliance effectively widens the net to include companies that may not seem to qualify under the “essential” or “important” designation.

Our National Cyber Security Centre (NCSC) advises that all companies, regardless of size, must prioritise cyber awareness to mitigate operational risks and protect digital assets.

HCS has an assessment process to suit all organisations that reflects the requirements of NIS2 and the NCSC’s Cyber Fundamentals programme. Please discuss your requirements in this area with your account manager or contact . Cyber attacks make headlines on a daily basis; don’t be the next one!