Ireland's EU Presidency

Security and defence: a critical consideration for boards of Irish companies

March 2026

In an increasingly volatile and reactive business environment, security and defence should be standing agenda items for the leadership teams of Irish companies.

Rising threats, from cyber‑attacks and corporate espionage to geopolitical instability, mean that boards must adopt a proactive approach to safeguarding business continuity and organisational resilience. This publication outlines ten key considerations for Irish boards relating to security and defence. These range from technical IT challenges to evolving regulatory and compliance requirements. Incorporating these areas into 2026 board agendas will help directors identify potential risks early and establish the appropriate processes, governance structures, and safeguards.

Technology

1. Cybersecurity and Ransomware Risk Management:

Cyber‑attacks remain the highest‑ranked risk for company directors, with increasingly sophisticated actors targeting critical infrastructure and essential services. Boards must now prioritise strong governance frameworks that evolve in step with rapidly changing threat vectors. Ensuring that cyber risk management, incident response, and resilience testing are embedded within corporate oversight is no longer optional; it is essential.

2. Artificial Intelligence:

The accelerating adoption of AI tools brings new and complex risks, including data leakage, model manipulation, and advanced “deepfake” social engineering that can be used to impersonate senior executives to divert funds or extract sensitive information. This emerging threat landscape requires boards to reassess how executive communications are authenticated, how AI‑related risks are governed, and whether personnel have the necessary training to recognise and respond to AI‑enabled threats.

Regulatory

3. Network and Information Security Directive (EU) 2022/2555 ("NIS2"):

NIS2 imposes explicit obligations on directors, including the requirement to undertake regular cybersecurity training. Senior management must also approve cyber risk management measures and oversee their effective implementation to reduce cyber risk and ensure readiness to respond to incidents. Boards should ensure that director training is scheduled at appropriate intervals and that risk‑mitigating measures are promptly brought forward for consideration, approval, and ongoing review.

4. Regulation (EU) 2022/2554 ("DORA"):

For boards of regulated financial entities, DORA represents a substantial shift in ICT governance expectations. The regulation requires firms to manage ICT risks proactively, report incidents in a timely manner, ensure the resilience of third‑party service providers, and conduct robust cybersecurity testing to identify and remediate vulnerabilities. Directors retain ultimate responsibility for ICT risk management and operational resilience strategy, and must possess sufficient expertise to understand and challenge ICT risk frameworks. DORA compliance should therefore remain a standing agenda item.

5. Sanctions:

Boards must be aware of the potential impact of trade restrictions, tariffs, or sanctions regimes on their business operations, particularly in high‑risk sectors such as financial services, shipping, and technology. Because sanctions are increasingly used by states in response to intelligence assessments and geopolitical developments, the EU Sanctions Map should be monitored regularly. Any proposed investments or commercial transactions should be assessed for existing or foreseeable restrictions that could affect viability, timelines, or profitability.

6. Foreign Investment Screening:

Boards and directors need to be aware of worldwide foreign investment screening rules (across the EU, UK, US, etc.), which may restrict investments in defence or in businesses that are considered ‘critical’ to a country’s national security. The concept of ‘critical’ varies significantly across the world, so early identification of potential approvals (and mitigations that might be needed for local governments) is paramount when considering deals in these sectors.

Infrastructure

7. Supply Chain Vulnerabilities:

Supply chain disruption has become a material risk, driven by recent high‑profile shortages, geopolitical tensions, and increased regulatory scrutiny. Boards should regularly review supply chain strategies, examine exposure at each tier, and scrutinise potential points of failure. Where vulnerabilities are identified, alternative sourcing options and contingency scenarios should be evaluated to improve resilience.

8. Operational Resilience:

Boards must maintain a clear understanding of the assets and processes that are critical to their organisation’s operations. A defined process should be in place to identify vulnerabilities within these assets and prioritise remediation. In addition, a documented crisis and incident‑response plan should be agreed at board level to ensure rapid, coordinated action in the event of disruption.

Governance

9. Boardroom Cyber Literacy & Oversight:

Many boards still lack the specialised expertise needed to oversee technology and cybersecurity risks effectively. Ongoing director training is therefore critical, not just to build foundational understanding, but to equip directors to ask the right questions, challenge assumptions, and oversee independent auditing of security measures. Cyber literacy programmes should be continuous and adaptable, enabling directors to keep pace with evolving threats and to meet their oversight duties confidently and competently.

10. Board Governance:

Given the pace of regulatory change and the rapid responses now required to manage matters of security and defence, in particular certain cyber and data breach obligations, boards should reassess both the structure and frequency of their meetings. Traditional governance rhythms may no longer be sufficient. It is increasingly clear that cybersecurity must be elevated to the same level of board attention as financial, legal, and operational risks. Clear executive ownership, regular board reporting, escalation protocols, and dedicated time for technology risk oversight should be integrated into governance frameworks. Crisis governance frameworks should be refreshed regularly to ensure board readiness to respond to cybersecurity incidents.

Security and defence considerations are no longer purely technical issues; they are strategic imperatives that go to the heart of organisational resilience. By prioritising these matters at board level, Irish companies can better protect themselves against evolving threats, strengthen business continuity, and maintain the trust of customers, regulators, and stakeholders.

To discuss any of these matters further, do not hesitate to get in touch with any of the contacts below, or with your usual Matheson contact.

Joe Beashel
Partner | Financial Institutions

Conor Blennerhasset
Partner | Energy, Infrastructure and Construction

Matthew Broadstock
Partner | Tax

Garret Farrelly
Partner | Energy, Infrastructure and Construction

David Fitzgibbon
Partner | Corporate

Stuart Kennedy
Partner | Finance and Capital Markets

Marie McGinley
Partner | Technology and Innovation

Susanne McMenamin
Partner | Corporate

Karen Reynolds
Partner | Disputes and Investigations

Simon Shinkwin
Partner | Competition and Regulation

All references to "Matheson" shall mean "Matheson LLP"