The NCSC Cyber Governance Code

NIS2 Article 20 makes Irish directors personally liable for cybersecurity failures. The NCSC's cyber governance code sets out exactly what they must do. Here's what it means in practice.

The NCSC Cyber Governance Code: What Irish Directors Are Now Personally Responsible For

Something fundamental changed for Irish directors with the transposition of NIS2 into Irish law. Cybersecurity is no longer a technical concern delegated to the IT department. It is a board governance obligation with personal liability attached.

This article explains what NIS2 Article 20 requires of management bodies, what the NCSC's cyber governance code adds, and what that means for directors who want to fulfil their obligations without becoming cybersecurity experts.


The Legal Change: Article 20 of NIS2

NIS2 Article 20 is explicit and unprecedented in EU cybersecurity law: "Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities... and can be held liable for infringements by those entities."

Personal liability for directors. Not just organisational fines. Directors who fail to adequately oversee cybersecurity risk-management — and whose organisations then suffer a significant incident — are personally exposed.

This is a fundamental shift from the pre-NIS2 world, where cybersecurity accountability sat with the CISO or IT manager. It does not mean directors must become security professionals. It means they must exercise informed, active governance over cybersecurity — the same way they exercise governance over financial risk or regulatory compliance.


The NCSC's Cyber Governance Code

The National Cyber Security Centre has published a cyber governance code that operationalises what Article 20's requirements look like in practice for Irish organisations in scope. The code is structured around five core obligations for management bodies.

1. Knowledge: The Board Must Understand the Risk

Management bodies are required to ensure they have sufficient understanding of cybersecurity risks to exercise meaningful governance. This does not mean every director needs technical depth. It means the board, collectively, must have access to competent cybersecurity advice and must use it to understand the organisation's actual risk exposure.

In practice, this means: regular cybersecurity briefings for the board from someone competent to give them; board-level awareness of the organisation's key digital assets, critical dependencies, and threat environment; and the ability to ask informed questions of management rather than simply ratifying what they are told.

2. Governance Structures: Clear Accountability

The board must ensure that clear accountability for cybersecurity is established within the organisation. Someone must own cybersecurity — and the board must know who that is, what their mandate covers, and what escalation paths exist.

For most Irish SMEs, this means identifying whether cybersecurity accountability sits with the CEO, a Director, a Head of IT, or an external vCISO — and formalising that accountability so it does not fall into no-man's-land.

3. Active Oversight: Cyber Is a Standing Agenda Item

Management bodies must actively oversee the organisation's cybersecurity posture on an ongoing basis. This is the most significant change for most Irish boards. Cybersecurity cannot be a once-a-year item reviewed at the annual risk committee and otherwise ignored.

Active oversight means cybersecurity appears on the board agenda at a meaningful frequency — at least quarterly for most organisations. It means management provides the board with regular updates on the risk posture, significant threats, incidents, and the status of improvement programmes. And it means the board actually engages with that information rather than receiving it passively.

4. Incident Escalation: The Board Is Notified of Significant Incidents

Management bodies must ensure that significant cybersecurity incidents are escalated to board level promptly. This requires pre-defined escalation criteria and processes — the board should not learn about a significant incident from a news article.

Practically, this means your organisation needs a documented escalation policy: what constitutes a significant incident, who is responsible for notifying the board, within what timeframe, and what information is required.

5. Annual Review: Regular Assessment of the Cybersecurity Programme

Management bodies must ensure the organisation conducts a regular review — at minimum annually — of its cybersecurity risk management measures. This is distinct from operational monitoring. It is a structured review that asks: are our security measures still appropriate? Have the risks changed? Are we meeting our NIS2 obligations?

The annual review should produce documented evidence of what was assessed, what was found, and what actions were taken. That documentation is what an auditor or regulator will ask to see.


What "Personal Liability" Actually Means

The liability provisions in NIS2, as transposed into Irish law, allow regulators to impose sanctions including fines on individuals — not just organisations. For Essential Entities, maximum fines for the organisation run to €10 million or 2% of global annual turnover, whichever is higher. For Important Entities, €7 million or 1.4%.

Directors of organisations that failed to meet Article 20's governance obligations — particularly if that failure contributed to a significant incident — can be held personally accountable.

The liability is not automatic. It depends on whether the management body fulfilled its obligations under Article 20. A board that can demonstrate it actively governed cybersecurity, received regular briefings, had clear accountability structures, and exercised meaningful oversight is in a substantially better position than one that cannot.


What This Looks Like for a Practical Irish SME Board

You do not need a board-level CISO. You need:

A named owner. Someone — internal or external — who owns cybersecurity on behalf of the organisation and reports to the board. For most SMEs, this will be a vCISO or Head of IT with a defined cybersecurity mandate.

A quarterly briefing rhythm. A short, structured briefing at each board meeting covering: current threat environment, significant incidents or near-misses, status of any active security programme, and any regulatory developments. This does not need to be long — 15-20 minutes with a one-page briefing note is sufficient.

A documented annual review. A formal annual review of the cybersecurity programme against NIS2 requirements, producing a written record of what was assessed and what actions were agreed.

An escalation policy. A clear, written policy defining what constitutes a significant cybersecurity incident, who is responsible for notifying the board, and within what timeframe.

Evidence you can show. Board minutes that record cybersecurity discussions, approved risk management measures, and actions agreed. An auditor or regulator will ask for this.


How a vCISO Supports Board Governance

Most Irish SMEs do not have a full-time CISO. A virtual CISO provides:

  • Periodic board briefings, pitched at the right level for a non-technical audience
  • Maintenance of the organisation's cybersecurity programme and its alignment with NIS2
  • Documentation of the annual review and ongoing compliance evidence
  • A single point of accountability that the board can rely on for expert guidance

A vCISO does not replace board governance. It supports the board in fulfilling its Article 20 obligations with the right level of expertise without the cost of a full-time senior hire.


If you would like to discuss what your board's governance obligations look like under NIS2 and what practical structures are needed to meet them, get in touch.


James McGee, CISA, CISSP, CISM, is the founder of Pragmatic Security. He provides vCISO services to Irish organisations and supports boards in meeting their NIS2 governance obligations.