
NIS 2 – A new era for Management Bodies

There is no doubt that the Network and Information Security Directive (EU) 2022/2555 (“NIS 2”) significantly raises the bar for cybersecurity requirements in the EU. NIS 2 sets out various mandatory requirements for in-scope entities delivering critical or essential goods and services, including the implementation of robust cybersecurity risk management measures and strict incident reporting requirements.

One of the most significant changes introduced by NIS 2 is the accountability obligation it places on management bodies. The traditional approach of delegating responsibility for managing cybersecurity risk to IT functions is no longer sustainable. NIS 2 makes management bodies directly responsible for approving and overseeing the implementation of cybersecurity risk management measures. Most importantly, members of management bodies can be held personally liable for failure to implement those measures. This is a game changer for the way in which in-scope entities must approach cybersecurity risk management, particularly those that would not have fallen within the remit of the original NIS Directive.

Although Ireland has not yet implemented the NIS 2 Directive, the legislation is expected to be transposed into Irish law via the National Cyber Security Bill in the coming months. It is therefore critical that companies operating in Ireland take steps now to assess how NIS 2 will impact their businesses and to prepare for compliance.

This article examines the key requirements imposed on management bodies of in-scope entities, and the practical steps which they can take to prepare for NIS 2.

What is the scope of NIS 2?

NIS 2 expands the number of sectors covered by the original NIS Directive. In-scope entities under NIS 2 are divided into two categories: "essential entities" operating in sectors of high criticality such as energy, transport, health and digital infrastructure (eg, cloud computing and data centre providers), and "important entities" operating in other critical sectors such as food production, manufacturing (eg, medical devices) and digital providers (eg, online marketplaces and search engines).

Banks, credit institutions, insurance undertakings and other regulated "financial entities" also come within the scope of NIS 2. However, where there is overlap with the requirements of the Digital Operational Resilience Act ("DORA"), DORA prevails (for further information on DORA, see Matheson's DORA Toolkit). In addition, the recently published cybersecurity package proposes to further expand the scope of NIS 2 to other sectors such as digital and business wallet providers (previously discussed here).

Who is the “Management Body” under NIS 2?

One of the key objectives of NIS 2 is the allocation of responsibility for cybersecurity risk management to the senior levels of an organisation. NIS 2 places “management bodies” at the centre of cybersecurity governance, demanding both oversight and personal accountability.

While the term "management body" is not defined in NIS 2, the General Scheme of the National Cyber Security Bill (the "General Scheme") defines "management board" as a body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity. Under Irish corporate law principles, the board of directors is the default body responsible for ensuring a company's compliance with all applicable regulation. Accordingly, the board of directors of an Irish company will be responsible for ensuring compliance with NIS 2 in respect of in-scope products and services. This generally aligns with the definition and interpretation of the concept of "management body" in other EU legislation such as DORA.

However, the General Scheme (as currently drafted) also provides that in certain circumstances other natural persons, such as a chief executive officer exercising managerial responsibilities, could also face consequences (such as suspension) for failure to comply. It is therefore not yet clear how broadly the competent authorities in Ireland will interpret the definition of "management body" and whether they will treat other senior executives as part of it. In-scope entities should therefore put in place governance structures for NIS 2 compliance that ensure appropriate board oversight and align with their overall decision-making structure under Irish corporate law.

What are the Responsibilities of Management Bodies under NIS 2?

NIS 2 emphasises the need for a high level of responsibility for cybersecurity risk management measures and reporting obligations, requiring that such measures be approved and their implementation overseen by the management bodies of in-scope entities.

Management bodies of in-scope entities should be aware of the specific cybersecurity obligations that will be imposed on them when NIS 2 is implemented in Ireland.

NIS 2 requires Member States to place a legal obligation on management bodies of in-scope entities to approve and oversee the implementation of cybersecurity risk-management measures.

In addition, NIS 2 introduces a cybersecurity training requirement. Members of management bodies must undertake cybersecurity risk management training, and entities are to offer similar training to their wider staff on a regular basis, so that they gain sufficient knowledge and skills to identify risks, assess cybersecurity risk-management practices and understand their impact on the services provided by the entity.

NIS 2 further provides that Member States shall ensure that members of the management body can be held personally liable for their organisation's failure to comply with the requirement to implement the cybersecurity risk management measures required by NIS 2.

What are the sanctions for Management Bodies for non-compliance?

NIS 2 requires Member States to ensure that their competent authorities effectively supervise and take the measures necessary to ensure compliance with NIS 2. The supervisory and enforcement measures applied to essential and important entities must be effective, proportionate and dissuasive. The detailed sanctions for failure to comply with NIS 2 will therefore be set out in national legislation. Based on the General Scheme, the consequences of a management board's failure to comply with its requirements under the national legislation could include: (i) personal liability for individuals; (ii) suspension orders; and (iii) administrative fines for the organisation. In addition, management may be required to publicly disclose instances of non-compliance by their organisation.

Personal liability

The General Scheme provides, in particular, that where an infringement, non-compliance or offence is committed by a body corporate, and it is proved to have been committed with “the consent or connivance of, or to be attributable to any wilful neglect on the part of, any person, being a director, manager, secretary or other officer of the body corporate,” that individual may be held personally liable for the offence.

The General Scheme does not clearly establish the standard required to hold the management body members personally liable, apart from references to “gross negligence” and “wilful neglect”, or set out the consequences for such personal liability. The Irish transposing legislation is expected to provide the relevant detail.

Suspension Orders

In addition, individuals responsible for discharging managerial responsibilities may be temporarily suspended by the Irish High Court from performing such managerial functions in circumstances where they fail to comply with a compliance notice, until the Court is satisfied that the entity meets the requirements of the notice.

Where an in-scope entity operates its business in Ireland under a licence or authorisation from a national competent authority, that licence or authorisation may also be temporarily suspended until the entity complies with the deadline set by the competent authority for taking a particular action.

These sanctions are severe in nature but are intended to reflect the seriousness of the breaches.

Administrative fines

NIS 2 requires Member States to provide for maximum administrative fines of at least the following levels, which competent authorities can impose on organisations for non-compliance:

  • For essential entities: €10 million or 2% of the organisation's total worldwide annual turnover in the previous financial year, whichever is higher.
  • For important entities: €7 million or 1.4% of the organisation's total worldwide annual turnover in the previous financial year, whichever is higher.

Practical steps that Management Bodies can take to achieve compliance

In light of the increased responsibilities and liabilities for members of management bodies under NIS 2, it is vital for directors of in-scope entities to ensure that the organisation is taking a proactive approach to cybersecurity compliance and ongoing governance. At a high level, this could include the following steps:

  • Scope assessment: Directors should first assess whether their organisation falls within the scope of NIS 2. Directors will need to consider the sector in which their organisation operates, the size of the entity (headcount and turnover or balance sheet, assessed at group level) and whether the entity is likely to be designated as "critical" under the European Union (Resilience of Critical Entities) Regulations 2024 (which transpose the Critical Entities Resilience Directive (EU) 2022/2557 into Irish law).
  • Board training: Directors of in-scope entities must receive adequate ongoing cybersecurity training in accordance with NIS 2. It is critical that directors understand what their obligations are under NIS 2.
  • Gap analysis of cybersecurity risk management measures: Directors of in-scope entities should ensure that steps are being taken to carry out a gap analysis of the company's current cybersecurity policies and procedures against the draft NIS 2 risk management measures ("RMMs") set out in the guidance from the National Cyber Security Centre (the "NCSC Guidance"). The NCSC Guidance outlines the minimum RMMs that in-scope entities should have in place to ensure NIS 2 compliance. The level to which each RMM must be implemented varies according to the entity's exposure to risk and the potential societal and economic impact of a cybersecurity incident. In determining whether supporting actions are required, in-scope entities should consider their exposure to risk, the size of the entity, the likelihood and potential severity of an incident, the potential societal and economic impact of an incident and the cost of implementing the RMMs. In due course, Irish organisations may also be able to become certified under the Cyber Fundamentals Framework to make NIS 2 compliance easier.
  • Governance structures: Directors will have ultimate responsibility for managing the cybersecurity risks of an Irish company. Directors will need to approve the cybersecurity risk management measures as part of their management body obligations under NIS 2 and will need to implement appropriate governance structures to assist them in overseeing the implementation of those measures.

The National Cyber Security Bill is listed for priority publication in the Government Legislation Programme (Spring 2026). In-scope entities should act now and not allow the delay in Ireland's transposition of NIS 2 to hold back their preparations for compliance.

Contact Us

For more information, please contact any member of our Technology and Innovation Group or your usual Matheson contact. Our NIS 2 FAQs article can also be viewed here.


© 2026 Matheson LLP | All Rights Reserved