Skip to content

Menu

LexBlog, Inc. logo
NetworkSub-MenuBrowse by SubjectBrowse by PublisherJoin the NetworkGet StartedSubscribeSupport
Contact Us
Search
Close

Irish NCSC Issues Cyber Governance Guidance for Management Boards Ahead of NIS2 Implementation

By Mark Young & David Brazil on July 10, 2026
Email this postTweet this postLike this postShare this post on LinkedIn

On July 7, 2026, the Irish National Cyber Security Centre (“NCSC”) published guidance for management boards and senior executives of organizations subject to the EU’s Network and Information Security Directive (“NIS2”). Reflecting a central theme of NIS2, the Guidance makes it clear that cybersecurity is no longer solely a technical issue, but a governance and risk-management matter that requires active oversight at “the highest levels of executive management.”  It is a helpful document for organizations that are likely to be subject to NIS2, expect to be supervised in Ireland, and that are considering their governance structures and board-level oversight mechanisms.

Background and Key Content

The EU transposition deadline has already passed and the proposed bill to transpose NIS2 in Ireland (the National Cyber Security Bill) has still not been enacted. Days after the publication of the guidance, the European Commission referred Ireland and three other Member States to the CJEU for their failure to transpose NIS2. In any event, the Guidance provides a detailed indication of how Irish authorities are likely to approach management accountability, cybersecurity governance, and board oversight once the Irish regime enters into force. It also highlights the Cyber Fundamentals Framework (CyFun), which is the NCSC’s preferred risk-based framework for helping organizations put their legal obligations into practice.

We summarize below key aspects of the Guidance that address the role of management bodies under NIS2, how organizations may approach compliance, and practical measures that boards should take to oversee cyber risk and resilience.

Management Body Responsibilities Under NIS2

NIS2 does not define “management body.” The Guidance refers to other EU legislation and indicates that the term encompasses those individuals or bodies who effectively run the organization / occupy key roles. This includes leaders who are responsible for setting organizational strategy, overseeing management decision-making, and directing the organization’s activities.

Reflecting requirements under NIS2 (Article 20), the Guidance states that management bodies are responsible for:

  • approving cybersecurity risk-management measures;
  • overseeing the implementation those measures;
  • undertaking cybersecurity training; and
  • ensuring ongoing oversight of the organization’s cyber risk posture.

The document also reflects NIS2 provisions that state that management bodies may be held accountable for failures to comply with cybersecurity risk-management obligations.

The Guidance does not suggest that board members must become cybersecurity specialists, but emphasizes the importance of the board obtaining sufficient assurance that cyber risks are appropriately identified, managed, and incorporated into broader enterprise risk-management processes. For more information, see Sections 1.3, 2 and 3.

NIS2 Implementation and Governance Expectations

The Guidance provides a model for compliance that a notional in-scope entity could follow, and sets out an indicative implementation program spanning approximately 24 months (see Section 1.5). The model covers foundational scoping activities, the implementation of risk-management measures, together with ongoing review and improvement activities.

In this section, the Guidance suggests that competent authorities may focus their early supervisory attention on governance arrangements and oversight mechanisms (see page 18). The Guidance identifies governance activities that management bodies should oversee, including assigning responsibility for cybersecurity leadership, establishing effective reporting and escalation processes, monitoring the effectiveness of cybersecurity controls, and incorporating lessons learned from incidents.

The NCSC also points organizations to its Cyber Fundamentals (“CyFun”) framework and includes an indicative readiness checklist covering matters such as governance arrangements, risk assessments, remediation activities, training, and supporting documentation. While neither the checklist nor the CyFun framework are mandatory, both provide a useful indication of what the NCSC considers good practice in preparing for the forthcoming Irish NIS2 regime.

Cyber Resilience and Board Oversight

To facilitate board-level engagement, the Guidance proposes that management bodies consider cyber resilience through three lenses:

  • Exposure: understanding the organization’s assets, vulnerabilities, and cyber risks;
  • Defense: assessing the effectiveness of risk management measures and controls, including those relating to supply chain risks; and
  • Consequence: evaluating incident response, recovery capabilities, and overall organizational resilience.

The NCSC does not expect board members to possess or acquire detailed technical expertise. Instead, they should be able to assess whether cybersecurity objectives align with business priorities, whether regulatory requirements are being addressed, and whether cyber risks are integrated into the enterprise’s risk management processes.

Conclusion

The Guidance does not have the force of law but provides a clear indication of how Irish authorities are likely to approach cybersecurity governance under NIS2 once the National Cyber Security Bill is enacted. The focus on management accountability, governance arrangements, and organizational resilience points to a supervisory approach in which boards and management bodies are expected to play an active role in the oversight of cyber risk.

***********

The Privacy and Cybersecurity Practice at Covington has deep experience advising on privacy and cybersecurity issues across Europe, including on NIS2. If you have any questions about how NIS2 will affect your business, or about developments in the cybersecurity space more broadly, our team would be happy to assist.

Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” has “great insight into the regulators;” and “is technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 20 years of experience, Mark specializes in:

Providing practical guidance and advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services.
Handling complex regulatory investigations and enforcement actions involving data privacy regulators in the UK, EU and globally, and advising on follow-on litigation risk.
Helping clients respond to cybersecurity incidents, including ransomware, supply chain incidents, state-sponsored attacks, insider threats, personal data breaches, and IP and trade secret theft.
Advising various clients on the EU NIS2 Directive, Cyber Resilience Act (CRA), and other emerging EU, UK, and global cybersecurity laws and regulations.
Advising life sciences companies on industry-specific data privacy issues, including clinical trials, pharmacovigilance, and digital health products and services.
Advising on data privacy compliance in relation to employees and international transfers of data in connection with white collar investigations.
Providing strategic advice and advocacy on a range of UK and EU technology law reform issues relating to data privacy, cybersecurity, eIDs, and software.
Representing clients in connection with references to the Court of Justice of the EU.

Read more about Mark YoungEmail
Show more Show less
Photo of David Brazil David Brazil

David Brazil is an associate in the Data Privacy and Cybersecurity Practice Group. He advises clients on emerging European regulations related to technology, consumer protection and cybersecurity law (such as the Digital Services Act, AI Act, DORA, Cyber Resilience Act and NIS-2). David…

David Brazil is an associate in the Data Privacy and Cybersecurity Practice Group. He advises clients on emerging European regulations related to technology, consumer protection and cybersecurity law (such as the Digital Services Act, AI Act, DORA, Cyber Resilience Act and NIS-2). David has experience advising clients on their general compliance with these rules, as well as in the context of regulatory investigations for alleged non-compliance. He has experience advising companies in various sectors, including online retail, financial services and software and cloud service providers.

Read more about David BrazilEmail
Show more Show less
  • Posted in:
    Government and Public Policy, Privacy and Cybersecurity
  • Blog:
    Inside Privacy
  • Organization:
    Covington & Burling LLP
  • Article: View Original Source

Call us at 1-800-913-0988 or email sales@lexblog.com.

Facebook LinkedIn Twitter RSS
  • About LexBlog
  • The Field We Built
  • Our Beliefs
  • Our Team
  • Contact LexBlog
  • Disclaimer
  • Editorial Policy
  • Terms of Service
  • Get Started
  • Publishing Solutions
  • Compass
  • Submit a Request
  • Support Center
  • System Status
Copyright © 2026, LexBlog, Inc. All Rights Reserved.
Law blog design & platform by LexBlog LexBlog Logo