NIS2 Board Liability: Can Irish Directors Be Personally Liable for Cybersecurity Failures?

Under NIS2, Irish directors face personal liability for cybersecurity failures — fines, board bans, and criminal prosecution. Here is what you must know and do now.

When a Dublin-based logistics company director attended a board briefing on NIS2 obligations in early 2026, her first question was whether the legislation actually applied to her personally, or whether it was the company's problem. The answer, under the National Cyber Security Bill through which Ireland is transposing NIS2, is unambiguous: it applies to her personally, to the managing director, to the company secretary and to every other member of the management body, not just to the company as a corporate entity.

This is a fundamental change in how cybersecurity governance works for Irish businesses in scope for NIS2. For the first time in Irish law, individual directors face the prospect of personal financial liability, temporary board bans, and criminal prosecution for cybersecurity failures — not just because they caused a breach, but because they failed to take their oversight obligations seriously.

WHAT: What NIS2 Article 20 Actually Requires of Irish Directors

The NIS2 Directive (EU) 2022/2555 establishes personal obligations on board members through Article 20. Article 20(1) requires that the management bodies of essential and important entities approve the cybersecurity risk-management measures the entity takes under Article 21, oversee their implementation, and can be held liable for infringements of the entity's obligations. Article 20(2) requires the members of those management bodies to follow cybersecurity training, and to encourage similar training for employees on a regular basis, so that they gain sufficient knowledge and skills to identify risks and to assess cybersecurity risk-management practices and their impact on the services the entity provides.[^1]

This is not a suggestion. If you are a director and have never attended any cybersecurity training, you already have a gap against your Article 20(2) obligation, and once the Irish Bill is enacted that gap becomes a breach of law rather than a governance weakness. Cybersecurity training for boards is not an optional enrichment programme; it is a legal requirement under NIS2.

Ireland's General Scheme of the National Cyber Security Bill, published in 2024, sets out how these obligations will be enforced in practice. Head 28 establishes that management board members can be found personally liable where gross negligence is established following a cybersecurity incident. Head 43 creates a criminal offence for officers whose wilful neglect contributes to a corporate infringement. And Head 41 sets the maximum administrative fines, mirroring Article 34 of the Directive: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4%, whichever is higher, for important entities.

Are you a director of an Irish business and unsure whether NIS2 applies to you personally? Book a free 20-minute strategy call — we run NIS2 board briefings for Irish SMEs every month and can tell you exactly where you stand.

WHAT NOW: The Three Personal Consequences That Cannot Be Insured Away

Most commentary on NIS2 focuses on the organisational fines. The personal consequences for individual directors are arguably more serious, because no insurance policy can fully cover them.

Personal financial liability. Under Head 43 of Ireland's General Scheme, an officer found to have consented to, connived in, or been wilfully negligent about a corporate infringement can be convicted and fined as an individual — separately from and in addition to any fine imposed on the company. The corporate veil provides no protection if you knew about a cybersecurity gap, or should have known, and did nothing about it.

Temporary management ban. Article 32(5)(b) of NIS2 applies to essential entities only. Where the ordinary enforcement measures have proved ineffective and the entity has missed a deadline set by the competent authority, the authority may request that the relevant bodies or courts temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level in that entity from exercising managerial functions in it. The ban is a last-resort measure aimed at named individuals rather than at the company, it lasts until the entity remedies the deficiencies, and it is subject to procedural safeguards. Note that the Directive ties the prohibition to the non-compliant entity: it removes you from your role there, and is not in itself a general disqualification from other directorships.

Criminal prosecution. The Head 43 officer offence is prosecuted as a crime, not imposed as a civil penalty; a conviction appears on your record.[^3] The EU deliberately designed NIS2 to create personal accountability because the original NIS Directive failed to drive board-level engagement with cybersecurity.

The NCSC Ireland has adopted the Cyber Fundamentals (CyFUN) framework, originally developed by Belgium's Centre for Cybersecurity, and recommends it as the route for Irish organisations to demonstrate NIS2 compliance.[^1] Adoption of CyFUN, with documented evidence that the board approved the measures and oversees their implementation, is one of the most effective ways to demonstrate that you have taken your Article 20 obligations seriously.

WHY IT MATTERS: Who Is Actually in Scope

One of the most common questions Irish business owners ask is whether NIS2 applies to them. The answer captures far more organisations than most expect. NIS2 is not limited to large enterprises: it applies to medium-sized and large entities operating in the sectors listed in its Annexes, where medium-sized means, broadly, 50 or more employees, or annual turnover and balance sheet total above €10 million. Certain types of entity are in scope regardless of size, among them DNS service providers, top-level-domain name registries, trust service providers and providers of public electronic communications networks or services, as are entities a Member State designates because of their criticality.

The Annex I sectors, which attract the strictest regime, include energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space. The Annex II sectors include postal and courier services, waste management, chemicals, food production and distribution, certain manufacturing sectors, digital providers and research organisations. Broadly, large entities in Annex I sectors are essential entities, while medium-sized entities in those sectors and entities in Annex II sectors are important entities, although Member States can designate further entities as essential. Suppliers to in-scope entities are not automatically in scope themselves, but Article 21(2)(d) obliges in-scope entities to manage supply-chain security, so if you sit in the supply chain of an organisation in these sectors, expect contractual security requirements and evidence requests to be pushed down to you.

The personal liability provisions attach to the management body. In an Irish SME that means the board of directors, including the managing director and any non-executive directors, together with the company secretary and, under the officer offence in the General Scheme, any manager who acts as an officer of the company. Cybersecurity board responsibility cannot be delegated to the IT department or an outsourced provider: the work can be delegated, the accountability cannot, and it sits squarely with the people who govern the business.

The Data Protection Commission's GDPR enforcement record is the closest domestic comparator for how NIS2 enforcement is likely to look, even though the DPC is not the NIS2 competent authority (under the General Scheme that role falls to the NCSC together with sectoral competent authorities). The DPC has demonstrated a willingness to investigate and fine organisations where appropriate technical and organisational measures were absent, and under NIS2 such investigations will also examine the conduct of the individuals who were responsible for approving and overseeing those measures.[^2]

No Irish director can claim they were not warned. The NIS2 obligations are published, the transposition deadline of 17 October 2024 has passed, and enforcement will follow once the Irish Bill is enacted.

WHAT NEXT: Three Steps to Reduce Your Personal Exposure

1. Attend a cybersecurity board briefing before the end of this quarter. This fulfils your Article 20(2) training obligation and creates a documented record that you took your responsibilities seriously. Request a certificate of attendance. Keep it on file.

2. Ensure your organisation has a documented cybersecurity risk assessment and an incident response plan. These correspond to two of the most fundamental Article 21(2) measures: a policy on risk analysis and information system security (Article 21(2)(a)) and incident handling (Article 21(2)(b)). If your business cannot produce either document, you have demonstrable governance gaps that will be treated as aggravating factors if an incident occurs.

3. Use the CyFUN framework as your NIS2 compliance baseline. Review the NCSC Ireland's published CyFUN guidance and map your current controls against it. Document where you meet the standard and where you have gaps. The documentation itself demonstrates active oversight — one of the strongest defences against a personal liability finding.

Related Reading

[^1]: NCSC Ireland, NIS2 guidance and CyFUN framework: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission Ireland, enforcement and board accountability: https://www.dataprotection.ie
[^3]: An Garda Síochána, National Cyber Crime Bureau and criminal liability: https://www.garda.ie/en/crime/cyber-crime/

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.