STRATHBERG

Regulatory & Governance

12 May 2026 6 min read

NIS2, DORA, and the UK Cyber Security and Resilience Bill: what boards need to do

Dan Vale, Partner

Boards are dealing with a clear shift in cyber and resilience regulation. Three frameworks matter in particular: the European Union’s NIS2 Directive, the Digital Operational Resilience Act (DORA), and the United Kingdom’s proposed Cyber Security and Resilience Bill.

They are not identical, but they move in the same direction. They push more responsibility onto senior management and boards.

The main point is straightforward. Cyber and operational resilience can no longer be treated as something the board delegates fully to the CISO or technology team. The rules differ across these frameworks, but the trend is consistent: wider scope, stronger governance expectations, clearer management accountability, and less tolerance for weak oversight.

For boards, the question is no longer whether cyber appears on the agenda. It is whether the organisation can show that oversight is real, decisions are being made at the right level, and the overall approach is sensible and defensible.

Common governance requirements across NIS2, DORA, and the UK Bill: where the frameworks converge and where they differ

NIS2: wider scope and clearer board responsibility

NIS2 replaced the earlier NIS framework and took effect across European Union member states in October 2024. It covers more sectors than before, and the threshold for inclusion is lower.

For boards, the key change is this: cyber governance can no longer, in practice, be passed down entirely to management. Management bodies are expected to approve cyber risk measures, oversee how they are put in place, and be able to show that this oversight has happened.

This is where many organisations are weaker than they think. They may already have cyber reports, committees, policies, and regular updates. But that is not the same as being able to show that the board has reviewed the right issues, challenged management where needed, and followed up properly.

There is also an important structural point. Group-level governance helps, but it does not automatically remove entity-level obligations. A UK-headquartered group with EU subsidiaries should not assume that a central policy is enough on its own. Scope, accountability, and evidence still need to be clear at the right legal-entity level.

DORA: resilience as a management issue

DORA applies to financial entities operating in the European Union, including banks, insurers, investment firms, and other market participants. It has applied since January 2025.

Its focus is operational resilience: the ability to withstand, respond to, and recover from technology-related disruption. In practice, it covers technology risk management, incident classification and reporting, resilience testing, and third-party risk management.

For many firms, third-party risk is the biggest piece of work. DORA requires firms to keep registers of providers, carry out due diligence using defined criteria, and make sure contracts include the required terms. In many organisations, that becomes a coordination issue across legal, procurement, technology, risk, and operations.

For boards and senior management, the key point is not only that technology risk must be reported upwards. It is that responsibility must be clear enough for oversight to be exercised properly.

A common weakness is not missing policy. It is unclear ownership around third-party risk decisions, testing approvals, remediation priorities, and incident escalation.

Boards should also avoid confusing visibility with control. A report may show that testing has happened or that supplier registers exist. That is not the same as showing that management has assessed gaps, made decisions, and acted where resilience is still weak.

The UK Cyber Security and Resilience Bill: similar direction, local differences

The UK Cyber Security and Resilience Bill is intended to update and expand the current UK NIS framework. The direction is familiar: broader scope, more formal incident reporting, and stronger regulatory powers.

For boards, the key point is not whether the UK is copying the EU exactly. It is that the same governance pattern is emerging. Regulators increasingly expect cyber resilience to be managed as a board-level issue, not treated only as a technical matter after something has gone wrong.

For organisations with both UK and EU exposure, the overlap is real. It would be inefficient to build separate compliance programmes for each regime. But moving too quickly to one fully standardised response can also create risk if important differences in scope, reporting triggers, or governance expectations are overlooked.

The better approach is usually a common governance model, with local adjustments where needed.

What proportionate compliance actually looks like

Boards should avoid two common mistakes.

The first is treating compliance as a technology project: buying more tools, producing more dashboards, and assuming that activity proves control. It does not.

The second is over-engineering the response. A well-run organisation does not need a resilience programme built for a systemically important financial institution. These frameworks require governance, accountability, and operational resilience to be real and defensible. They do not require unnecessary layers of process.

In practice, proportionate compliance usually means governance the board can evidence, a risk-management process that is actually used, incident response and resilience testing that management understands, third-party risk management that shapes decisions rather than just documenting them, and clear accountability rather than blurred shared ownership.

One common mistake is to assume that because several functions contribute to resilience, responsibility can safely remain unclear. It cannot.

The practical implication for boards

Boards that treat these frameworks as governance questions usually make faster progress than boards that treat them as compliance checklists.

The useful questions are simple. Who is accountable? Which decisions need board approval? What must be evidenced at entity level, not just group level? What has management delegated in practice, and what responsibility still remains? What could the organisation produce, in concrete terms, if asked to show how oversight has been exercised?

That is where the real work sits.

The legal frameworks matter, but the deeper issue is governance discipline. Organisations with clear accountability, credible reporting, documented decisions, and tested resilience capability will usually find compliance manageable. Organisations without those things will often find that the harder problem is not interpreting the rules. It is fixing the operating model underneath them.


Next in this series: what good cybersecurity maturity actually looks like in practice — and why the quickest test is to follow the money, not the maturity score.

Dan Vale, Partner, Strathberg

Partner at Strathberg. Senior cybersecurity leadership at LEGO Group and H&M Group, specialising in operating model improvement and cyber governance.
