Privacy, Cyber & Data Strategy Advisory | Cybersecurity Resources for Boards in the U.S., UK, and EU

The National Association of Corporate Directors’ (NACD) Handbook on Cyber-Risk Oversight sets out key principles for board engagement, emphasising the need for directors to understand and manage cyber risks as part of their fiduciary duties.

The NACD’s 2025 Public Company Survey analyses the priorities of over 200 boards of directors and identifies emerging trends in AI and cybersecurity oversight.

The Cybersecurity Law Report, in an article authored by our team, outlines five actionable steps boards can take to prepare for and respond to cyber incidents. 

The Cyber Security Code of Practice outlines governance principles tailored to board-level oversight, while the National Cyber Security Centre (NCSC) Board Toolkit offers practical tools and key questions to guide boardroom discussions. 

Sector-specific guidance is also available: 

• Financial institutions: The FCA’s SYSC Handbook outlines expectations for senior management systems and controls. Although published in 2019, the FCA’s Industry Insights also offers relevant observations on systems and controls that  financial institutions may consider implementing.
• Auditors and actuaries: The UK Corporate Governance Code emphasises accountability and risk management. These materials reflect a broader regulatory trend towards embedding cyber resilience into corporate governance frameworks.

In France, the SME cybersecurity memorandum published by the French Confédération des Petites et Moyennes Entreprises, along with the accompanying executive guidance, provides tailored advice for directors and senior managers, emphasising the strategic importance of cybersecurity. In addition, cloud service providers, under the ‘SecNumCloud’ framework (established by the national cybersecurity regulator, ANSSI), can certify the resilience of their solutions against cyberattacks. The framework establishes broad organisational requirements, including personnel standards that must be addressed by the management body.

Germany’s Cyber Risk Management Handbook and Cyber-Risk Oversight Toolkit offer a comprehensive framework for executive-level risk oversight, emphasising principle-based compliance that aligns with the NACD Handbook on Cyber-Risk Oversight.

Italy’s National Cybersecurity Agency has issued both executive-level guidance and a governance fundamentals guide to help boards integrate cybersecurity into corporate strategy. 

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has developed a comprehensive catalogue of controls, Security and Privacy Controls for Information Systems and Organizations, for entities to consider when developing corporate policies and procedures. NIST has also established its Cybersecurity Framework as a hub of resources for cybersecurity practices more broadly. 

The Center for Internet Security, a nonprofit organisation focusing on controls and benchmarks, has developed its 18 CIS Critical Security Controls as pillars of enterprise information security. 

In the UK, the Information Commissioner’s Office has developed a range of resources and guidance regarding situation-specific cybersecurity measures and broader best practices.

Similarly, the National Cyber Security Centre (NCSC) has published its Cyber Assessment Framework (available as a PDF on the NCSC website) to help organisations assess and improve their cybersecurity and resilience. In addition, the NCSC’s 10 Steps to Cybersecurity offers guidance for medium to large organisations to strengthen their information management protocols.

For financial institutions, the FCA Handbook Chapter 5.1 provides industry-specific guidance regarding data security.

In the EU, the European Union Agency for Cybersecurity provides a repository of best practices and controls for the EU Cyber Security Incident Response Teams network to help manage the responsible reporting, coordination, and remediation of cybersecurity vulnerabilities.

Country-specific resources are also available:

• The French Cybersecurity Agency has published guidance on preventing and responding to ransomware attacks.
• The Belgian Federal Service for Economy has published a comprehensive guide on cybersecurity protocols for corporations. 

The SEC’s rule on Risk Management, Strategy, Governance and Incident Disclosure, which became effective in 2023, governs public disclosures related to material cybersecurity risks, material cybersecurity incidents, and cyber-risk governance. 

The National Association of Corporate Directors has produced guidance as to how directors can align oversight practices with the SEC’s expectations. They have also published a piece exploring how organisations can combine the use of regulatory guidance with AI-driven analysis to help comply with the SEC’s disclosure requirements.

Our team provides a summary of the SEC’s rule and describes how companies should consider updating and revising their protocols in light of the rule. 

The ICO provides detailed guidance on how and when to report incidents, including under the Network and Information Systems (NIS) Regulations. Other UK regulators have also published guidance:

• The UK’s energy regulator, Ofgem, has published guidance for downstream gas and electricity operators of essential services, as has the Department for Energy Security & Net Zero (available on the department’s website). Ofgem’s website also includes reporting templates and resources on applying appropriate security measures using the NCSC’s Cyber Assessment Framework.
• The UK’s communications regulator, Ofcom, has published guidance for companies operating in the digital infrastructure sector, including information on security and incident-reporting duties and how operators of essential services are defined.

Financial institutions face additional obligations, including promptly notifying the Financial Conduct Authority (FCA) of significant cyber events (see Chapter 15 of the FCA Handbook).

The EU continues to advance its cybersecurity framework, including incident-reporting obligations, through several legislative measures:

• The NIS2 Directive expands the scope and enforcement of cybersecurity obligations across EU Member States and requires certain ‘essential’ and ‘important’ entities working in critical sectors to report cybersecurity incidents. As a directive, NIS2 must be transposed into local law by each Member State. Implementation remains fractured, so organisations should continue to monitor local developments.
• The Digital Operational Resilience Act (DORA) targets the financial sector and requires financial entities to report major ICT-related cybersecurity incidents. Our team provides a summary of what DORA means for business inside and outside the EU.
• The Cyber Resilience Act (CRA) targets organisations that manufacture or place products with digital elements (PDEs) on the EU market. Such organisations are required to report actively exploited vulnerabilities and cybersecurity incidents. Our team provides a summary of what the CRA means for manufacturers and distributors of connected devices.

The CISA Known Exploited Vulnerabilities Catalog is an authoritative, regularly updated list of security vulnerabilities that have been actively exploited in the wild, designed to help organisations prioritise remediation efforts and strengthen their cybersecurity posture.

The Government Accountability Office has released a report detailing the types of incidents that the government encounters and the need to address those vulnerabilities. 

The ICO’s Data Security Incident Trends provide insight into the types and frequency of reported breaches, helping boards understand sector-specific risks.

The NCSC’s Annual Cyber Security Breaches Survey offers a broader view of how UK organisations are managing cyber threats, including board-level engagement and investment trends. 

The European Vulnerability Database (EUVD) provides a real-time view of known vulnerabilities affecting European systems, offering boards a technical perspective on emerging risks.

The 2024 ENISA Report on the State of Cybersecurity in the Union presents a comprehensive overview of threat trends, regulatory developments, and strategic priorities across member states – an essential resource for boards operating in or across the EU.

The 2025 ENISA Threat Landscape Report analyses 4,875 cybersecurity incidents recorded between July 2024 and June 2025, highlighting the most significant threats and trends currently impacting the EU.

Our team reviews U.S. law to provide a synopsis of how boards can fulfil their role after a cyber breach. We also provide practical recommendations for boards responding to a cyber incident. In addition, we address how boards should approach cybersecurity regulations and response protocols in an article published by the Cybersecurity Law Report. 

In the UK, Sections 172 and 174 of the Companies Act govern boards’ duties, which apply to cyber risk and oversight. 

In the EU, the European Voice of Directors Association has published its Guide to Directors’ Duties and Liabilities, which offers a helpful overview of the scope of board obligations.

Belgium has also published useful guidance in this area:

• The Federation of Belgian Companies has published an article summarising specific duties that arise in the cybersecurity context.
• The Centre for Cybersecurity Belgium has released a directive for management and leadership on their duties and responsibilities.