For a long time, cyber risk was treated as a technical issue, confined to the IT department and handled by operational specialists rather than by the board of directors. Except in rare cases, boards received only generic updates, often too technical or too superficial to be of real use at decision-making level. That approach is no longer sustainable.
The context has changed radically: cyber risk has become a real, potentially high-impact business risk, with direct consequences for business continuity, reputation, operations and, most importantly, the personal liability of board members. We are no longer talking about isolated "hacker attacks" to be contained, but about systemic events that can halt production lines, expose sensitive data, cause economic damage and trigger significant legal repercussions.
And that’s why the question increasingly is not “How protected are we?” but “Who is held accountable if something goes wrong?”
The most common mistake, even in well-structured organizations, is to assume that cybersecurity is an "IT task" and that approving a budget or appointing a CISO discharges the board's duties. This mindset is outdated. Regulators, lawmakers and, increasingly, the courts are making one thing clear: ultimate responsibility for cyber risk governance lies with the board of directors.
This does not mean replacing the technicians. It means asking the right questions, understanding the essential data and overseeing decisions with a level of engagement that is demonstrable and proportionate to the size and criticality of the organization.
There are now explicit regulations that reinforce this principle, clearly identifying the board as responsible for cybersecurity.
Here are the two most relevant:
NIS2 (EU Directive 2022/2555)
Extends the obligation to adopt cybersecurity risk-management measures beyond the critical operators covered by the first NIS Directive to a wide range of "essential" and "important" entities across strategic sectors. The new central element is governance: under Article 20, the management body (including the board) must approve the measures, oversee their implementation and follow training on the subject, and its members can be held personally liable for infringements.
DORA (Digital Operational Resilience Act)
Regulation (EU) 2022/2554, aimed at the financial sector (banks, insurers, investment firms and other financial entities) and their critical ICT third-party providers. It requires digital operational resilience to be handled at strategic level: the management body must define, approve, oversee and periodically review the ICT risk management framework, and bears ultimate responsibility for it.
This has a very real consequence: in the event of a serious cyber incident, attention no longer falls only on the CISO or IT manager, but on the level of oversight the board actually exercised. Where attention, supervision or documentation is lacking, responsibility may fall directly on board members, in administrative, civil and even criminal terms.
Personal reputational risk is increasing at the same time, especially in regulated environments and publicly listed companies, where scrutiny from the media, shareholders and regulators is intense.
The real challenge is not "installing more security" but making cyber risk visible, understandable and governable at board level. This requires a cultural shift that brings cybersecurity into strategic business discussions, supported by tools that allow the technical, legal and managerial domains to talk to each other.
An informed board should:
No one expects board members to become cybersecurity experts. But it is no longer acceptable for cyber risk to be treated as a purely technical issue to be delegated blindly. Digital threats are now part of core business risk: their impacts are real, measurable and often irreversible. The board's role is therefore not to dive into technical detail but to ensure the organization is structured, informed and able to respond effectively, in a documented and proportionate manner. In today's digital world, cyber risk is, without a doubt, business risk.
We have created a questionnaire for those directly involved in cyber risk, to help assess your organization's readiness for NIS2.
ai.esra SpA – strada del Lionetto 6 Torino, Italy, 10146
Tel +39 011 234 4611
CAP. SOC. € 50.000,00 i.v. – REA TO1339590 CF e PI 13107650015
© 2024 Esra – All Rights Reserved