Ireland invokes NIS2 Article 20, exposing board members to personal cyber liability
- Ireland has not yet enacted NIS2, but its 2024 draft Cyber Security Bill says regulators could ask the High Court to restrict CEOs and directors.
- The draft tracks NIS2 Article 20, which says management bodies must approve and oversee cyber controls and can be held liable for breaches.
- Ireland missed the EU’s October 17, 2024 deadline, leaving boards to prepare for tougher enforcement before the Bill becomes law. (ncsc.gov.ie)
Ireland has not yet “invoked” NIS2 Article 20 in force, but its draft National Cyber Security Bill would let Irish regulators seek court orders restricting directors and chief executives after cyber non-compliance. (gov.ie) (eur-lex.europa.eu) The European Union’s NIS2 directive says management bodies at covered entities must approve cybersecurity risk measures, oversee their implementation, and can be held liable for infringements of those duties. (eur-lex.europa.eu 1) (eur-lex.europa.eu 2)

Ireland’s government published the General Scheme of the National Cyber Security Bill on August 30, 2024, after a Cabinet decision on July 24, 2024 directed priority drafting. (gov.ie) That draft says penalties for non-compliance can include powers to restrict “CEOs and Directors and other senior managers” in essential and important entities, with the High Court providing the safeguard for serious sanctions. (gov.ie)

The distinction matters because Ireland’s National Cyber Security Centre still says the NIS2 transposition deadline of October 17, 2024 was missed and that the registration and incident-reporting portals are not yet available. (ncsc.gov.ie) So the immediate story is less about a live Irish penalty already being imposed on named directors and more about the legal architecture Ireland is building to implement the directive’s board-accountability rules. (ncsc.gov.ie) (gov.ie)

NIS2 also widens the range of sectors covered beyond the older regime, including public administration, waste management and manufacturing, while tightening rules on risk management, incident reporting and supply-chain security. (oireachtas.ie) An Oireachtas research briefing published in June 2025 tied the push for tougher rules to Ireland’s 2021 Health Service Executive ransomware attack, which affected about 90,000 people and had recovery costs estimated at €102 million by November 2024. (data.oireachtas.ie)

As of May 28, 2025, the minister told parliament the Bill was at an “advanced stage” of drafting, but he did not say it had been enacted. (oireachtas.ie) For boards with Irish operations, the practical shift is already visible in the draft: cyber oversight is being written as a director-level governance duty, not just an information-technology problem. (gov.ie) (eur-lex.europa.eu)