Director Liability in the Age of NIS2 and GDPR: A Briefing for Irish Company Directors.
Your company can survive a fine. Your reputation may not. This striking fact, often whispered in boardrooms, now carries the weight of personal liability for Irish company directors under new cybersecurity regulations.
The Shifting Sands of Director Responsibility
For years, cybersecurity was often seen as an IT department concern, a technical challenge far removed from the strategic decisions of the boardroom. This perception has fundamentally changed. The digital landscape has evolved, and with it, the legal and ethical obligations of company directors. Cyber threats are no longer just operational risks; they are existential business risks that demand board-level attention and oversight.
New legislation, particularly the NIS2 Directive and the existing GDPR, places explicit duties on directors to ensure robust cybersecurity postures. This means that ignorance is no longer a viable defence. Directors must actively engage with their organisation's cyber risk, understand its implications, and ensure appropriate measures are in place to protect sensitive data and critical systems.
NIS2: A New Era of Accountability
The NIS2 Directive, soon to be transposed into Irish law, significantly broadens the scope of cybersecurity obligations and introduces stringent enforcement mechanisms. It targets a wider array of entities, including many Irish SMEs that previously fell outside the original NIS Directive's reach. Crucially, Article 20 of NIS2 explicitly introduces personal liability for directors for non-compliance. This means that directors can be held directly accountable for failures in their organisation's cybersecurity governance.
This liability extends beyond mere financial penalties for the company. It can impact a director's professional standing, future career prospects, and even personal assets. The reputational damage alone from a significant cyber incident, especially one linked to directorial negligence, can be catastrophic, much like a stain on a pristine white shirt that no amount of scrubbing can fully remove.
GDPR's Enduring Bite: Article 82 and Data Breaches
While NIS2 focuses on network and information system security, the General Data Protection Regulation (GDPR) continues to impose significant responsibilities regarding personal data protection. Article 82 of GDPR allows individuals to claim compensation for material or non-material damage suffered due to a GDPR infringement. This provision opens the door for individuals to pursue claims against organisations, and potentially their directors, for data breaches.
Consider a scenario where a Sligo-based financial services firm suffers a data breach due to inadequate security controls. Under GDPR, affected customers could seek compensation. If it's found that the board failed to approve necessary security investments or oversee their implementation, directors could face scrutiny and legal challenges. The Data Protection Commission (DPC) in Ireland has already demonstrated its willingness to impose substantial fines for GDPR violations, underscoring the seriousness of these obligations.
What Directors Can Be Held Liable For
Directors' personal liability under NIS2 and GDPR typically stems from a failure to demonstrate due diligence in three key areas:
| Area of Failure | Description |
|---|---|
Demonstrating Due Diligence and Documenting Oversight
To mitigate personal liability, directors must actively demonstrate due diligence and ensure robust documentation of their oversight of cyber risk. This isn't about becoming cybersecurity experts, but about understanding the strategic implications and ensuring the right expertise is in place. Directors should regularly receive clear, concise briefings on cyber threats, risk assessments, and the effectiveness of security measures. These briefings should be digestible, avoiding excessive technical jargon, and focus on the business impact of potential incidents.
Furthermore, board meetings should include dedicated agenda items for cybersecurity, with minutes reflecting discussions, decisions, and assigned actions. This creates an auditable trail of board engagement. Directors should challenge management, ask probing questions, and ensure that cybersecurity is integrated into the overall business strategy and risk management framework. Engaging a vCISO (virtual Chief Information Security Officer) can provide independent expert advice and help bridge the gap between technical teams and the board, ensuring that critical information is communicated effectively and understood at the highest level.
The Action Plan for Irish Directors
Given the heightened stakes, Irish company directors must take proactive steps to safeguard themselves and their organisations. Firstly, understand the specific applicability of NIS2 to your organisation and identify any gaps in your current cybersecurity framework. Secondly, ensure regular, board-level training on cyber risk and regulatory obligations. This training should be tailored to directors, focusing on governance, oversight, and legal responsibilities, not just technical details. Thirdly, establish clear reporting lines and metrics for cybersecurity performance, ensuring the board receives timely and accurate information on the organisation's cyber posture. Finally, review and update your organisation's incident response plan, ensuring it is robust, regularly tested, and understood by all relevant stakeholders.
By embracing these responsibilities, Irish directors can transform cybersecurity from a potential liability into a strategic advantage, protecting their companies, their reputations, and their personal standing in an increasingly digital world. The National Cyber Security Centre (NCSC) Ireland provides valuable resources and guidance for organisations navigating this complex landscape, which directors should actively consult.[1]
Related Reading
- NIS2 Fines and Penalties: The Numbers That Should Keep Every Irish Director Awake.
- The 12-Month Cyber Governance Roadmap for a Donegal SME: From Zero to NIS2-Ready.
- DORA vs NIS2: What Is the Difference and Which One Applies to Your Business?
Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.