If you are a director of a mid-sized company with EU operations and you have been paying attention to the regulatory environment over the last twelve months, you have received briefings on at least three significant frameworks: NIS2 (the Network and Information Systems Directive 2, in force from October 2024), DORA (the Digital Operational Resilience Act, in force from January 2025), and the EU AI Act (high-risk provisions in force from August 2026).
The problem is not that three regulations exist. It is that each arrived with its own briefing, its own advisory firm, its own compliance programme, and its own board-level request for budget and oversight attention. The result, for many boards, is regulatory paralysis dressed up as compliance activity: lots of separate workstreams, lots of documentation, and no clear picture of what the combined governance exposure actually is.
The right starting point is not three separate programmes. It is understanding where these regulations overlap, where they diverge, and which one represents your most immediate board-level liability. That question has a specific answer for most mid-sized companies, and it is not the answer most compliance teams lead with.
What each regulation actually requires from the board
Let me be direct about what is board-level and what is executive-level in each framework.
NIS2 imposes personal liability on directors of companies in critical sectors for cybersecurity governance failures. The personal liability provision — Article 20 — is the board-level fact that most briefings lead with, and correctly so. NIS2 requires that management bodies “receive regular training” on cybersecurity, that they approve and supervise cybersecurity risk management measures, and that they can be held personally liable for non-compliance. The “essential entities” in scope include energy, transport, banking, financial market infrastructure, health, digital infrastructure, and public administration. “Important entities” include postal services, waste management, and certain manufacturing sectors.
If your company falls under NIS2 scope, the board has a direct personal liability exposure that is distinct from the company’s compliance liability. That distinction matters.
DORA applies specifically to financial services: banks, investment firms, insurance companies, payment institutions, crypto-asset service providers, and their critical ICT third-party service providers. If your company is not in financial services, DORA is not your primary concern — though if you are a technology supplier to financial services, DORA’s third-party requirements may reach you indirectly.
For boards of financial services companies, DORA’s requirements on ICT risk management, incident reporting, and third-party oversight are substantial. The governance question is whether the board’s existing risk management framework covers digital operational resilience with the specificity DORA requires, or whether it covers technology risk generically and needs restructuring.
The EU AI Act applies to any organisation that develops, deploys, or uses AI systems with EU market reach — regardless of where the organisation is headquartered. The high-risk provisions (Annex III) that come into force on August 2, 2026 are the most board-relevant, because they attach governance requirements to specific AI deployment categories that are common in financial services, healthcare, and professional services.
Where the regulations overlap: the board’s priority question
The overlap between these three regulations is not coincidental. It reflects a consistent regulatory view: the risks that matter most for organisations operating digital infrastructure in the EU are (1) cybersecurity risk, (2) operational resilience risk, and (3) AI decision-making risk. All three regulations are attempting to impose governance accountability at board level for each category.
The overlap creates both a governance opportunity and a governance trap.
The opportunity: the governance structures that satisfy NIS2’s cybersecurity oversight requirements are largely compatible with the oversight structures the EU AI Act requires for AI risk management. A board that builds a functioning oversight mechanism for cybersecurity risk — with clear accountability, regular reporting, tested escalation paths, and documented approval authority — has much of the architecture it needs for AI oversight. It needs adaptation, not duplication.
The trap: most compliance programmes treat each regulation as a separate workstream and build separate governance structures for each. This creates overhead, confusion about which structure takes precedence when they conflict, and a board reporting architecture that is too complex to actually use. The board receives three separate quarterly compliance reports, from three separate workstreams, with no integrated view of the organisation’s combined regulatory exposure.
Where to start: the honest prioritisation
I am going to give you a specific prioritisation rather than the consultancy answer of “it depends.”
For most mid-sized companies with EU operations, the first priority is NIS2 — not because the other regulations are less important, but because NIS2’s personal liability provision is the only one that attaches to individual directors rather than to the company. Personal liability changes the risk calculus. It means the board cannot treat compliance as an organisation-level question and delegate it to the executive team. The board has a direct governance obligation.
If your company is in financial services, DORA sits alongside NIS2 as a co-equal priority. The ICT third-party risk requirements under DORA are particularly complex and require lead time to implement properly.
The EU AI Act’s August 2026 deadline is the most visible urgency marker, but for many mid-sized companies the AI Act’s Annex III high-risk provisions will require relatively focused attention: which of your AI deployments, if any, fall under the high-risk categories? For companies without AI deployments in healthcare, employment decisions, credit scoring, or critical infrastructure, the answer may be “none yet” — in which case the governance priority is putting the assessment mechanism in place before high-risk deployments are made, not retrospectively complying with deployments already in production.
The integrated governance question
The question boards should ask their executive teams — once, in a single brief, rather than three times through separate compliance workstreams — is:
“What is our combined regulatory exposure under NIS2, DORA (if applicable), and the EU AI Act? Where do our current governance structures satisfy the requirements across all three? Where are the gaps? What is the prioritised remediation plan, and what does the board need to approve or confirm to implement it?”
The answer should be a single document, not three. If it is three, the governance is siloed and the board’s oversight is fragmentary. The executive team should be able to draw the regulatory obligation map and the governance response map on the same page.
If they cannot do this, the governance architecture is not integrated enough to give the board a coherent view of the organisation’s regulatory exposure. That is a governance problem before it is a compliance problem.
The practical deadline sequence
For a board that needs to work backwards from specific deadlines:
Immediate (if you have not already done this): Confirm whether your company is an essential or important entity under NIS2, and whether the current board members have received the personal liability briefing. If they have not, commission it.
Before April 10, 2026: Confirm which, if any, of your AI deployments fall under Annex III of the EU AI Act. This requires a written position from legal counsel with EU AI Act expertise, not an internal assessment.
Before June 30, 2026: For any Annex III deployments, confirm that the required risk management, transparency, and human oversight mechanisms are either in place or have a credible implementation plan with a completion date before August 2.
Ongoing: Build the integrated governance reporting structure — a single quarterly board paper that gives the board a coherent view of NIS2 compliance status, DORA compliance status (if applicable), and EU AI Act readiness, from a single source with a single executive owner.
The EU AI Act Compliance Guide for Company Directors covers the EU AI Act’s board obligations in full — including the August 2026 timeline, Annex III classification, and how the Act’s governance requirements interact with NIS2. The Board AI Governance Framework provides the governance structure that satisfies both.
For boards seeking independent advisory support on the combined regulatory picture, contact Steven directly.