“Where are cybersecurity risks managed in your organization?”
This question was posed to attendees at a recent conference hosted by Ireland’s National Cyber Security Centre. The live poll confirmed that approximately 50% of organizations manage cyber risk at the management board level, with the other half delegating responsibility for cybersecurity to chief information officers, chief information security officers or information technology managers.
It may seem like an innocuous question, but following the entry into force of Directive 2022/2555, also known as the NIS2 Directive, the location of cybersecurity risk management has become an important legal and regulatory consideration for organizations operating within critical sectors, such as energy, manufacturing and digital services.
Article 20 of NIS2, as transposed into the national laws of EU member states, makes senior managers ultimately responsible for deciding, approving and overseeing their organization’s cybersecurity risk management measures. They may even be held personally liable for the organization’s compliance failures.
In Ireland, NIS2 will be transposed into law via the forthcoming National Cyber Security Bill. The draft legislation has not yet been published, but the government released a framework document called the General Scheme of the National Cyber Security Bill 2024. Article 20 is currently included as Head 28 of the General Scheme. Failure by senior management to comply with NIS2 requirements could result in significant individual and organizational consequences, including personal liability, temporary bans and administrative fines.
It is imperative that in-house counsel and compliance functions properly brief their management boards on the impending responsibilities and liabilities under NIS2.
Identify the ‘management board’
The logical first step is to identify who in an organization will fall in-scope of NIS2’s Article 20, as implemented. Ostensibly simple, this scoping exercise may prove difficult in practice due to complexities in the organization’s management structures and/or conceptual uncertainty in the legislation.
Taking the latter issue first, Article 20 imposes responsibility and liability on “management bodies” to approve and oversee the implementation of cybersecurity risk management measures within their organization. NIS2 does not define the term management body and there is no helpful clarifying description in the recitals.
Recital 137 addresses the level of responsibility of this collective group, so it is at least known that they should be empowered to approve cybersecurity risk management measures and oversee implementation, but it does not throw further light on the description. Consequently, it is important to interrogate the national law treatment of this concept.
Under the General Scheme, Head 28 uses the term “management board,” not NIS2’s descriptor “management body.” It proposes defining management board as: “a body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity.”
The definition indicates a clear expectation that the concept of management board/body under Ireland’s law will hold legal power and authority, have the final say regarding cybersecurity outcomes within the organization and include the board of directors and key executives. This interpretation is supported by the fact that the General Scheme includes supervisory powers which specifically target such office holders — there are specific enforcement mechanisms with respect to chief executive officers and company directors of essential entities, for example.
Due to the breadth of the definition, it is arguable that other senior managers, such as those with delegated decision-making authority from the board of directors and senior executives, may also form part of an organization’s management board.
To accurately scope an organization’s management board, assess its corporate governance and control structure, taking account of company constitutions, risk resolutions, supplier assessments, descriptions of roles, board minutes, organization charts, etc. Failure to properly identify the management board is a breach of NIS2 in and of itself.
This exercise will likely be more complex for large multinational organizations with distributed operations, intragroup arrangements and/or decision-making located outside the EU due to, among other things, divergent corporate laws between jurisdictions. It will be necessary to consider what the management body is in each of the relevant group companies across multiple jurisdictions, and whether different national law tests apply to determine the constitution of such bodies. This exercise may be difficult where, in reality, cyber strategy is determined at a global or regional level, rather than at a local entity level.
Once the management board, and its membership, have been identified, organizations should document this, and set out the rationale for the determination. This will need to be checked on a regular basis or when changes in the group or cyber management of the organization occur.
Educate the management board on cybersecurity risk management
NIS2 stipulates that management boards must have sufficient knowledge and skills to identify and assess cybersecurity risk management practices. Under Ireland’s General Scheme, management boards will be required to attend, and to encourage other employees to attend, cybersecurity education programs and training on a regular basis.
As part of this training, organizations should, at the very least, ensure the management board understands how NIS2 impacts the organization, what obligations apply to the organization and the management board, what third-party dependencies exist and which cybersecurity framework or frameworks the organization has adopted — for example, ISO27001, the U.S. National Institute of Standards and Technology’s Cybersecurity Framework, or the Cyber Fundamentals Framework, also known as CyFun. On this point, it’s pertinent to note the NCSC has publicly recommended CyFun “as the preferred method to demonstrate (NIS2) compliance.”
For now, in Ireland, organizations should have regard to the NCSC’s draft NIS2 Risk Management Measures when briefing and training the management board. These are considered the bare minimum risk management measures an organization should have in place to be considered NIS2 compliant. In the context of educating the management board, the NCSC stipulates, among other things, that every training session should be documented and repeated as necessary. Additionally, organizations should consider providing regular briefings on known cyber threats to the management board.
Explain the consequences of NIS2 infringements
Related to training, the management board should be made aware of the significant consequences that may arise for the organization from failing to discharge their duties under NIS2. Aside from the potential economic, operational and reputational damage, an infringement of Article 20 of NIS2 will carry significant regulatory risks of sanctions under Ireland’s legislation.
When briefing the management board, advise them of the possibility of fines. The maximum administrative fine for essential entities under the General Scheme is up to 10 million euros or at least 2% of worldwide group turnover in the previous financial year. Important entities can face fines of up to 7 million euros or at least 1.4% of worldwide group turnover.
The management board should also be informed of its personal liability exposure under Ireland’s draft legislation and monitor progress of the legislation for changes. Head 43 of the General Scheme currently provides that where a company has committed an infringement or offense under the General Scheme with “the consent or connivance of, or to be attributable to any wilful neglect on the part of, any person, being a director, manager, secretary or other officer of the body corporate,” that management board member may also be held personally liable for that infringement or offense.
While Ireland’s legislation is not yet finalized, this provision is expected to be retained, as holding senior leaders personally liable for technical and organizational failures is becoming an increasingly common regulatory approach under laws in both Ireland and the EU.
In addition to Head 43, the explanatory notes under Head 28 of the General Scheme state the management board can be found personally liable if “gross negligence” is found following a cybersecurity incident. This concept is only dealt with in the notes and not in the description of the legal provision itself. Gross negligence is not a technical concept under laws in Ireland and there is therefore some uncertainty as to what it will mean if it is used in the final legislation.
Please note there are many more regulatory, supervisory and enforcement powers and risks that management boards should be fully briefed on — such as licensing restrictions, indirect litigation and criminal liability.
Explore contractual risk management solutions
Some members of management boards may be uncomfortable with this new personal liability risk exposure. Organizations may want to consider implementing various contractual solutions to mitigate the personal liability of the management board. This may result in some organizations revisiting employment or other relevant contracts to include additional protections or indemnities, although the effectiveness and legality of such measures will need to be weighed carefully.
Prepare for regulatory engagement
Finally, prepare the organization and management board for the possibility of supervisory engagement with the competent authority or authorities. Such engagements may range from information requests regarding the organization’s resilience metrics to full-blown security audits.
Among other things, ensure that approvals made by the management board pursuant to Article 20 of NIS2 are recorded appropriately — for instance, in board resolutions or meeting minutes. It is likely competent authorities will ask to see this documentation as part of their compliance assessments, and they may also request relevant senior managers provide formal attestations regarding their organization’s cybersecurity risk management, and NIS2 compliance more generally.
Looking forward
The National Cyber Security Bill is expected to be introduced before Ireland’s Parliament this year. There will be significant political pressure to get the bill passed given the transposition deadline was over one year ago.
The European Commission has sent a letter of formal notice to Ireland for its failure to transpose NIS2 by the original October 2024 deadline and stated the potential to refer the matter to the Court of Justice of the European Union for a finding of noncompliance.
Although NIS2 has yet to be transposed into law in Ireland, certain competent authorities, such as the Commission for Communications Regulation, have already begun engaging on an informal basis with entities that will be in scope. As identifying compliance requirements and putting in place appropriate measures will take time, it is sensible to ensure organizations’ management boards are properly briefed on their prospective new roles and responsibilities under NIS2 and current regulations in Ireland.
Deirdre Kilroy is a partner and Alex Guard is an associate at Bird & Bird.
