Top 5 Board Oversight Failures Under NIS2 — And How to Avoid Them
NIS2 does not require your organisation to have perfect cybersecurity. It requires your board to demonstrate that it exercised reasonable oversight. Across Donegal and Ireland, the difference between a board that survives regulatory scrutiny and one that faces personal liability often comes down to five specific failures — all of which are avoidable.
This article identifies the five most common NIS2 board oversight failures we see in Irish organisations, explains why each one exposes directors to personal liability, and provides the practical fix for each.
Failure 1: "IT Handles Security — The Board Doesn't Need to Be Involved"
The problem: This is the single most dangerous assumption a board can make under NIS2. Many Irish boards still treat cybersecurity as a technical function that belongs entirely within the IT department. Board meetings include financial reports, HR updates, and sales figures — but cybersecurity never appears on the agenda.
Why it triggers liability: Article 20(1) of the NIS2 Directive explicitly requires management bodies to approve the cybersecurity risk-management measures the entity takes, to oversee their implementation, and states that they can be held liable for the entity's infringements of those obligations. Delegation to IT without board oversight is precisely the "wilful neglect" that Head 43 of Ireland's National Cyber Security Bill targets for personal liability.
The fix: Cybersecurity must become a standing agenda item at board meetings — at minimum quarterly, and more frequently during periods of elevated risk or change. The board does not need to understand the technical details. It needs to understand: what are our top risks, are our controls adequate, are we compliant, and what investment is needed.
Failure 2: No Documented Risk Assessment
The problem: The organisation may have informal awareness of its cybersecurity risks — the IT manager knows the firewall is old, the finance team knows they have been targeted by phishing — but there is no formal, documented risk assessment that the board has reviewed and approved.
Why it triggers liability: NIS2 requires organisations to take "appropriate and proportionate" cybersecurity measures based on a risk assessment. Without a documented assessment, the organisation cannot demonstrate that its measures are proportionate, because it has no documented understanding of the risks those measures are meant to be proportionate to. For the board, this means it approved nothing and oversaw nothing.
The fix: Commission a formal cybersecurity risk assessment. It does not need to be a 200-page document. It needs to identify: critical assets, the threats they face, the likelihood and impact of those threats, the controls in place, and the residual risk. The board must formally review and approve it — and this approval must be recorded in board minutes.
Start with our Security Maturity Assessment to benchmark where you stand today.
Free Resource: Download The Irish SME Cyber Survival Guide — 10 controls based on NCSC Ireland & ENISA guidance. Plain English, no jargon.
Failure 3: Board Members Have Not Completed Cybersecurity Training
The problem: NIS2 Article 20(2) requires management body members to follow training so that they "gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity." Many Irish boards have not done this. Some have attended a generic "cyber awareness" session designed for all staff, which does not meet the standard.
Why it triggers liability: The training requirement is explicit and personal. It applies to each individual board member, not to the organisation collectively. If a cybersecurity incident occurs and a director cannot demonstrate they completed appropriate training, their ability to claim they exercised reasonable oversight is significantly weakened.
The fix: Every board member must complete cybersecurity training that is appropriate to their governance role — not the same phishing awareness training given to all employees. The training should cover: the organisation's risk landscape, NIS2 obligations, the board's specific responsibilities, and how to interpret cybersecurity reports. Every session must be documented with attendance records and content summaries.
The NCSC Ireland recommends CyFUN as the preferred compliance framework. Board training should be aligned to this framework. Read our CyFUN guide for a practical overview.
Failure 4: No Tested Incident Response Plan
The problem: The organisation may have an incident response plan — perhaps written years ago, perhaps by a previous IT manager, perhaps sitting in a shared drive that nobody has opened since. It has never been tested. Nobody on the board knows it exists. The contact details in it are out of date.
Why it triggers liability: NIS2 requires organisations to have incident handling procedures and imposes tight reporting deadlines for significant incidents: an early warning to NCSC Ireland within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. If an incident occurs and the organisation cannot meet these timelines because it had no workable plan, the board's failure to ensure one existed is a governance failure, not a technical one.
The fix: The incident response plan must be:
- Current — reviewed and updated at least annually
- Tested — through a tabletop exercise involving senior management and board representatives
- Known — key personnel must know it exists and where to find it
- Board-connected — it must include escalation triggers that bring the board into the response process
| Element | Minimum Standard |
|---|---|
| Plan document | Reviewed within last 12 months |
| Tabletop exercise | Conducted within last 12 months |
| Board escalation triggers | Documented and communicated |
| Regulatory reporting procedures | NCSC, DPC, and sectoral contacts current |
| External support contacts | Incident response firm, legal counsel, PR on retainer or pre-agreed |
Failure 5: Cybersecurity Investment Decisions Made Without Board Involvement
The problem: Cybersecurity budget is set by the IT department or finance team without board input. The board does not know how much the organisation spends on cybersecurity, what it buys, or whether the investment is proportionate to the risk. When a vendor proposes a new tool, IT decides. When a renewal comes up, finance approves or cuts it.
Why it triggers liability: NIS2 board obligations include approving risk management measures — and those measures require investment. If the board has no visibility into cybersecurity spending, it cannot claim it approved proportionate measures. If the budget was cut without the board understanding the risk implications, that is a governance failure.
The fix: Cybersecurity investment should be a board-level decision, informed by the risk assessment. The board does not need to approve every purchase order — but it should:
- Set the overall cybersecurity budget based on risk appetite
- Understand the major categories of spending (people, technology, training, insurance)
- Review whether spending is proportionate to the risks identified in the assessment
- Be informed when significant changes are made to the security programme
Use our vCISO ROI Calculator to understand the cost-benefit of senior security leadership for your organisation.
The Common Thread: Documentation
Across all five failures, the common thread is documentation. Regulators do not have visibility into your boardroom conversations — they have visibility into your board minutes, risk assessments, training records, and investment decisions. If it is not documented, it did not happen — at least as far as the regulator is concerned.
Check your board's current liability exposure with our Board Liability Simulator — it takes 5 minutes.
Related Reading
- How Boards Must Oversee Cybersecurity Under NIS2
- NIS2 Board Liability: Can Irish Directors Be Personally Liable?
- NIS2 Compliance Checklist for Irish SMEs
Ready to Close These Gaps?
If your board has any of these five failures, you are exposed — and the window to fix them before Ireland's National Cyber Security Bill becomes law is narrowing. A structured board governance review will identify exactly where you stand and give you a prioritised action plan.
Book a free 20-minute board governance briefing with our advisory team. We work with boards across Ireland to build proportionate, defensible cybersecurity governance — no jargon, no scare tactics, just clear actionable advice.
Book Your Free Board Governance Briefing
Sources:
- EU NIS2 Directive — Article 20
- Ireland General Scheme — National Cyber Security Bill 2024, Heads 28 & 43
- NCSC Ireland — NIS2
- NCSC Ireland — CyFUN
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.