NIS2 Makes Irish Company Directors Personally Liable for Cyber Governance Failures. Here Is What That Means.

NIS2 Article 20 makes Irish company directors personally liable for cyber governance failures. Here is what the obligation means and how to protect yourself.


Until recently, a cyberattack on an Irish business was primarily a problem for the IT department and the business's insurers. The directors dealt with the fallout — communicating with customers, managing reputation, working through the recovery — but personal liability for the directors themselves was rarely in scope.

NIS2 changes that. Article 20 of the directive creates an explicit personal liability framework for directors and management bodies of entities in scope. It is not the organisation that faces potential personal sanction for governance failures — it is the individuals who were responsible for ensuring that governance was in place.


What Does NIS2 Article 20 Actually Say?

NIS2 Article 20 requires the management bodies of essential and important entities to approve the cybersecurity risk management measures the organisation implements, oversee their implementation, and be held personally liable if they fail to comply with this obligation.

The directive goes further — it explicitly requires member states to ensure that management bodies can be held personally liable for infringements of NIS2 obligations. In Ireland, this is transposed through the European Union (Measures for a High Common Level of Cybersecurity) Regulations 2024 [^1].

This is a material shift. Cybersecurity is no longer a technical matter delegated to IT — it is a governance matter for which directors are personally accountable.


What Personal Liability Means in Practice

NIS2 creates a direct line of accountability from governance failure to individual sanction. If a regulated entity experiences a significant incident and an investigation by the NCSC Ireland determines that management had not adequately approved or overseen cybersecurity risk management measures, individual directors and senior managers can be named in enforcement action.

The sanctions available include temporary prohibition from holding management functions — not just fines on the organisation, but restrictions on the individuals involved. For a company director in Donegal or Sligo, that is a serious personal consequence.

The liability is specifically for governance failure — the failure to ensure that appropriate measures were approved and implemented. It does not require the director to be a cybersecurity expert. It requires them to have engaged with the subject, to have asked the right questions of their technical teams, and to have satisfied themselves that the organisation had adequate controls in place relative to its risk profile.

Can you demonstrate, if asked by a regulator today, that you have personally reviewed and approved your organisation's cybersecurity risk management measures? If not, that gap is a personal exposure, not just an organisational one. Book a free 20-minute strategy call — we work with Irish directors on exactly this question.


What Directors Are Expected to Do

NIS2 sets out the categories of cybersecurity measures that management must approve and oversee. These include risk analysis and information system security policies, incident handling procedures, business continuity measures including backup and disaster recovery, supply chain security measures, network security and access control policies, multi-factor authentication policies, and staff awareness training.

None of these are technical decisions. They are governance decisions — judgements about the appropriate level of investment, the acceptable level of risk, and the accountability structures that ensure controls are maintained. This is precisely the kind of decision-making that falls squarely within a director's remit.

The practical implication for an Irish company director in scope for NIS2 is that they need to be able to show — in documentary form, not just verbally — that they have reviewed the organisation's security posture, approved the measures in place, and ensured that those measures are regularly reviewed and updated. Board minutes, approved policies, risk register entries, and evidence of management oversight are the artefacts that demonstrate this engagement.


Who Is Actually at Risk

The personal liability provisions apply to directors of essential and important entities under NIS2. In Ireland, this includes entities in healthcare, energy, transport, water, digital infrastructure, financial services, and food production sectors, as well as digital providers above certain thresholds.

It also flows through supply chains. An Irish SME that supplies services to a regulated entity — and whose own operations are brought into scope as a result — has directors who are now personally accountable for cybersecurity governance in a way they were not before. For the directors of a Letterkenny IT service provider whose clients include Letterkenny University Hospital, or a Sligo logistics company whose clients include pharmaceutical manufacturers, this is a live question today.

NIS2 director liability is not theoretical. The NCSC Ireland has enforcement powers and the political mandate to use them. The organisations most at risk from early enforcement action are those whose directors cannot demonstrate any engagement with cybersecurity governance — not those who have imperfect controls, but those who cannot show they tried.


What Next

  1. Put cybersecurity on the board agenda. If your organisation's board or management team has not formally discussed cybersecurity risk, controls, and governance in the past six months, schedule it now. Document that the discussion took place and what was decided.

  2. Commission a risk assessment. A board cannot approve measures it does not understand. A structured cybersecurity risk assessment — even a lightweight one appropriate for an SME — gives directors the information they need to make governance decisions and documents that the process happened.

  3. Approve a cybersecurity policy. Even a one-page board-level cybersecurity policy that sets out the organisation's approach to risk, its commitment to the measures NIS2 requires, and the individual responsible for implementation is a meaningful governance artefact. Approve it formally. Minute the approval.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Related Reading

[^1]: European Union (Measures for a High Common Level of Cybersecurity) Regulations 2024
[^2]: NCSC Ireland — NIS2 Directive Guidance
[^3]: ENISA — NIS2 Management Bodies

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
