On July 7, 2026, the Irish National Cyber Security Centre (“NCSC”) published guidance for management boards and senior executives of organizations subject to the EU’s Network and Information Security Directive (“NIS2”). Reflecting a central theme of NIS2, the Guidance makes it clear that cybersecurity is no longer solely a technical issue, but a governance and risk-management matter that requires active oversight at “the highest levels of executive management.” It is a helpful document for organizations that are likely to be subject to NIS2, expect to be supervised in Ireland, and that are considering their governance structures and board-level oversight mechanisms.
Background and Key Content
The EU transposition deadline has already passed and the proposed bill to transpose NIS2 in Ireland (the National Cyber Security Bill) has still not been enacted. Days after the publication of the guidance, the European Commission referred Ireland and three other Member States to the CJEU for their failure to transpose NIS2. In any event, the Guidance provides a detailed indication of how Irish authorities are likely to approach management accountability, cybersecurity governance, and board oversight once the Irish regime enters into force. It also highlights the Cyber Fundamentals Framework (CyFun), which is the NCSC’s preferred risk-based framework for helping organizations put their legal obligations into practice.
We summarize below key aspects of the Guidance that address the role of management bodies under NIS2, how organizations may approach compliance, and practical measures that boards should take to oversee cyber risk and resilience.
Management Body Responsibilities Under NIS2
NIS2 does not define “management body.” The Guidance refers to other EU legislation and indicates that the term encompasses those individuals or bodies who effectively run the organization / occupy key roles. This includes leaders who are responsible for setting organizational strategy, overseeing management decision-making, and directing the organization’s activities.
Reflecting requirements under NIS2 (Article 20), the Guidance states that management bodies are responsible for:
- approving cybersecurity risk-management measures;
- overseeing the implementation those measures;
- undertaking cybersecurity training; and
- ensuring ongoing oversight of the organization’s cyber risk posture.
The document also reflects NIS2 provisions that state that management bodies may be held accountable for failures to comply with cybersecurity risk-management obligations.
The Guidance does not suggest that board members must become cybersecurity specialists, but emphasizes the importance of the board obtaining sufficient assurance that cyber risks are appropriately identified, managed, and incorporated into broader enterprise risk-management processes. For more information, see Sections 1.3, 2 and 3.
NIS2 Implementation and Governance Expectations
The Guidance provides a model for compliance that a notional in-scope entity could follow, and sets out an indicative implementation program spanning approximately 24 months (see Section 1.5). The model covers foundational scoping activities, the implementation of risk-management measures, together with ongoing review and improvement activities.
In this section, the Guidance suggests that competent authorities may focus their early supervisory attention on governance arrangements and oversight mechanisms (see page 18). The Guidance identifies governance activities that management bodies should oversee, including assigning responsibility for cybersecurity leadership, establishing effective reporting and escalation processes, monitoring the effectiveness of cybersecurity controls, and incorporating lessons learned from incidents.
The NCSC also points organizations to its Cyber Fundamentals (“CyFun”) framework and includes an indicative readiness checklist covering matters such as governance arrangements, risk assessments, remediation activities, training, and supporting documentation. While neither the checklist nor the CyFun framework are mandatory, both provide a useful indication of what the NCSC considers good practice in preparing for the forthcoming Irish NIS2 regime.
Cyber Resilience and Board Oversight
To facilitate board-level engagement, the Guidance proposes that management bodies consider cyber resilience through three lenses:
- Exposure: understanding the organization’s assets, vulnerabilities, and cyber risks;
- Defense: assessing the effectiveness of risk management measures and controls, including those relating to supply chain risks; and
- Consequence: evaluating incident response, recovery capabilities, and overall organizational resilience.
The NCSC does not expect board members to possess or acquire detailed technical expertise. Instead, they should be able to assess whether cybersecurity objectives align with business priorities, whether regulatory requirements are being addressed, and whether cyber risks are integrated into the enterprise’s risk management processes.
Conclusion
The Guidance does not have the force of law but provides a clear indication of how Irish authorities are likely to approach cybersecurity governance under NIS2 once the National Cyber Security Bill is enacted. The focus on management accountability, governance arrangements, and organizational resilience points to a supervisory approach in which boards and management bodies are expected to play an active role in the oversight of cyber risk.
***********
The Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS2. If you have any questions about how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.