Fines of up to EUR 10 million and personal liability of management boards. European regulations are forcing a revolution in IT Governance [FELIETON]


In the coming years, it will no longer be enough to protect systems against cyberattacks. Boards will have to demonstrate that they manage data in a systematic and auditable way – both sensitive data covered by NIS2 and DORA regulations, as well as non-financial data required by the RED II/III and CSRD directives. At stake are not only fines of up to EUR 10 million, but also the risk of exclusion from international supply chains.
Four areas where investment decisions will need to be made by 2025 at the latest to avoid problems a year later:
1. Convergence of risks: NIS2, DORA and personal liability
For companies covered by the NIS2 directive (key and important operators) and the DORA regulation (financial sector and its ICT providers), 2026 will be the moment of real enforcement of the regulations. The regulations provide not only for high financial penalties, but also for personal liability of management board members for negligence in the area of cybersecurity and business continuity.
In practice, this means the need to have measurable and auditable evidence of due diligence. Integrated GRC (Governance, Risk, Compliance) platforms are increasingly being used to automate audits and monitor compliance in real time. Without such tools, it may be impossible to defend against allegations of lack of due diligence.
2. Segregation of duties and Identity Governance as asset protection
In a hybrid and cloud work environment, user identity has become a prime target for attack and one of the greatest sources of internal risk – from errors to abuse and data leaks.
Regulations and audit standards increasingly emphasize automatic segregation of duties (SoD). Manual checks are no longer sufficient. Identity Governance and Administration (IGA) systems should preventively detect and block the so-called toxic combinations of permissions, e.g. situations in which one person can simultaneously approve and post a payment.
From the management's perspective, this means a simple economic calculation: investing in automatic SoD reduces the risk of fraud and financial losses, which in extreme cases may be many times higher than the cost of implementing the technology.
3. ESG reporting and data access control
Another challenge that will fully emerge in 2026 is the reporting of non-financial data. The RED II and RED III Renewable Energy Directives, as well as broader CSRD requirements, require companies to provide consistent, reliable and auditable information across multiple operating systems.
Data on carbon footprint, energy consumption and the origin of raw materials are scattered and often managed outside traditional financial systems. Meanwhile, regulators expect them to be scrutinized with the same care as financial data.
In this context, the role of IGA systems extends to controlling who modifies the data used in ESG reports and for what purpose. Incorrect or unauditable information may result in allegations of greenwashing, financial penalties and loss of access to green financing.
4. Whistleblowers and AI Governance as an early warning system
The Whistleblower Directive, although formally belonging to the compliance area, increasingly serves as a tool for early detection of operational and technological risks. Reports may reveal gaps in IT Governance, such as abuse of access or circumvention of procedures.
At the same time, a new field of risk is emerging related to the implementation of artificial intelligence. Organizations must answer questions about who has the right to train, modify and run critical AI models. Without clear AI Governance rules and access control at the IGA and GRC level, the risk of data manipulation, regulatory violations and serious operational incidents increases.
Conclusions for business
2026 will not be a time of experimentation, but of consolidation and automation. For technology companies and the broadly understood B2B sector, compliance and IT Governance are no longer a cost, but become a strategic risk management lever.
Investments in integrated GRC and IGA systems are intended to ensure not only compliance with regulations, but also protection of management against personal liability and operational stability in an increasingly restrictive regulatory environment. In the new European regulatory order, organizational resilience must not only be real, but above all, demonstrable.




