Publications & Insights NCSC Publishes Cyber Governance Guidance for Management Boards: What Should Boards of in-scope NIS2 Entities Do Now?
Share This

NCSC Publishes Cyber Governance Guidance for Management Boards: What Should Boards of in-scope NIS2 Entities Do Now?

Wednesday, 08 July 2026

Ireland’s National Cyber Security Centre (NCSC) has published a very useful guidance document on Cyber Governance for Management Board Members in NIS2 Entities. It is directed squarely at board members and senior executives of in-scope entities, rather than technical ICT teams. The central message of the document is that cybersecurity is now a board-level legal responsibility, not an IT matter to be delegated and forgotten, and that entities should prioritise compliance with the legislation as early as possible. 

We are flagging this guidance to clients because it gives a clear, practical view of what boards will be expected to do at a time when the underlying legal obligations are edging closer to enactment in Irish Law.

Legal Status in Ireland

NIS2 (Directive (EU) 2022/2555) is the EU's updated cybersecurity framework significantly widening the range of organisations in scope compared to the original 2016 NIS Directive as well as imposing stricter risk-management and incident-reporting obligations. In addition to this, NIS2 also places direct accountability for cyber risk on the management boards of in-scope entities. 

In Ireland, NIS2 is being transposed through the National Cyber Security Bill 2024. It is important to be clear that this legislation has not yet been enacted: while the General Scheme of the Bill was published on 30 August 2024, the Bill itself remains at an advanced stage of the legislative process. 

Certain steps that depend on the legislation, notably registration with the NCSC and use of the incident-reporting portal, will only become available once the law is in force. In addition, while the identity of the majority of National Competent Authorities charged with the responsibility to oversee and enforce the legislation is known, they will not have any enforcement powers until the Act is signed into law.

The practical point for clients, and particularly those in management positions, is that the direction of travel is settled and the obligations are known. The NCSC's own guidance is explicit that organisations should be preparing now rather than waiting for the final legislative step.

NIS2 - Who is affected?

NIS2 applies to both public and private entities across a broad set of sectors, divided into two categories: 

  • essential entities (sectors of high criticality such as energy, transport, banking, health, drinking water and wastewater, digital infrastructure, and public administration) and
  • important entities (other critical sectors such as postal and courier services, waste management, chemicals, food, manufacturing, and digital providers). The two categories face different supervisory regimes — essential entities are subject to proactive, ongoing supervision, while important entities face reactive supervision triggered by incidents or signs of non-compliance.

Many organisations that were not caught by the original NIS Directive will be in scope of NIS2, so management boards should act now, if they have not already done so, to identify whether their organisations are in scope. 

What does the Guidance Recommend?

The core legal hook in relation to board-level responsibilities is Article 20 of NIS2, which requires management bodies to approve the entity's cybersecurity risk-management measures, oversee their implementation, and which, significantly, allows them to be held liable for the entity's infringements. Members of management bodies are required to undergo training so they can identify and assess cyber risks.

The guidance sets out four headline responsibilities for board members:


The guidance correctly stresses that boards are expected to demonstrate proactive governance rather than reactive compliance, and that cyber risk should be integrated into the organisation's existing enterprise risk-management framework rather than sitting in isolation.

The Guidance also sets out the consequences of failures to comply with the legislation. Enforcement powers available to authorities range from warnings and binding instructions through to administrative fines and, for essential entities only, suspension of authorisation and temporary bans preventing senior individuals from exercising managerial functions. Maximum administrative fines are set at a minimum of €10 million or 2% of total worldwide annual turnover for essential entities, and at least €7 million or 1.4% of turnover for important entities, in each case whichever is higher.

Steps clients should be taking now

Drawing on the guidance and its indicative compliance checklist, the practical priorities that Boards need to action are:


How we can help?

We can advise on NIS2 scoping and applicability, board-level governance arrangements and documentation, director duties and potential personal liability, supply chain contracting, and incident-response and reporting readiness. We also offer bespoke cybersecurity regulation training and cyber-simulation exercises. 

Given that the National Cyber Security Bill is expected to be finalised imminently, the prudent action is to use the current window to prepare so that compliance is a matter of activation rather than a standing start.

For further assistance please contact a member of our cybersecurity team