Half of these risks aren't about hackers. They're about you.
DORA, NIS2 and the EU AI Act make directors personally accountable for digital resilience — fines, enforcement, even suspension from management functions. "I relied on my IT team" is no longer a defence.
Ask: If the regulator called tomorrow, could I evidence my oversight?
How we can help
CyberPrism maps one assessment to every obligation on the management body through its DORA, NIS2 and EU AI Act regulatory lenses — and records the board's oversight challenges to controls alongside the evidence behind them. When the regulator asks "show me your oversight," the answer is a defensible trail built as you governed, not reconstructed after the incident.
NIS2 makes board cyber training a legal obligation, not a nicety. A board that cannot challenge the CISO cannot govern any risk on this list — and this gap silently multiplies every one of them.
Ask: Can every director here interrogate a cyber report — and prove they were trained?
How we can help
NIS2 doesn't just require boards to be trained — it requires proof. The EU Cyber Academy delivers certified education paths for executives across DORA, NIS2, NIST CSF, CyFun and AI Resilience, with certified training records that satisfy the obligation. CRI and the ICTTF also deliver board briefings and private team training.
Most of what boards are told about their digital posture comes from the people responsible for it — self-assessments and green dashboards, verified by no one. Assurance you cannot independently evidence is not assurance. It is hope, formatted.
Ask: Who, independent of the people responsible, has validated our posture?
How we can help
Self-assessment tells you what your team believes. An Independent Validation Assessment (IVA) tells you what a regulator, court or acquirer would find. CRI's experts independently validate your posture — so the assurance your board receives is evidence, not optimism.
Ransomware is no longer a technology story — it is a business continuity event with a criminal negotiator attached. Survival is decided by preparation, not luck.
Ask: Could we run this business without our systems — and for how long?
How we can help
Generic lists say ransomware is "very high likelihood" — for everyone. CyberPrism's STRIDE+ Threat Vector Assessment analyses your assessment results — agnostic of technology and regulation — to measure your readiness against the ransomware vector specifically: which defences hold, which are partial, and which are absent, before the criminals run the same analysis.
Stolen credentials, MFA fatigue and deepfaked executives have merged into a single attack path: manufactured urgency aimed at human judgement. The perimeter is now every employee's decision under pressure.
Ask: Would our people stop a payment ordered by a convincing fake of me?
How we can help
This defence is measured twice: in the controls and in the people. CyberPrism measures identity, access and awareness control maturity against the spoofing and privilege-escalation threat vectors. CRI hardens the human side with specialised executive and team training — including the Certified AI Resilience Professional (CAIRP) for the deepfake era.
Your organisation runs on providers you don't control — and so does your entire sector, often on the same ones. One systemic outage takes down you, your competitors, and your regulator's patience. Outsourcing the function never outsources the accountability.
Ask: Which critical services depend on a single provider — and what is our tested exit?
How we can help
Concentration risk hides in the seams between entities and suppliers. CyberPrism's scoped assessments let you assess each entity, business area, value chain or supply chain — then chain scopes together and aggregate the scores, so the board sees the risk across the whole dependency chain: the basket, not just the eggs.
AI entered your organisation twice: once through strategy, once through the side door — staff pasting sensitive data into tools nobody approved. The EU AI Act now regulates systems many boards don't know they are running.
Ask: Do we have an inventory of every AI system in use — including the unapproved ones?
How we can help
You cannot govern an inventory you haven't taken. CyberPrism's AI Readiness Module assesses your readiness against the EU AI Act, NIST AI RMF and ISO/IEC 42001 in one pass — with AI control profiling that surfaces agentic AI, third-party model dependencies and black-box risk running ahead of your oversight.
While boardroom attention moved to newer acronyms, the data protection authorities kept issuing fines. One incident can now trigger GDPR, NIS2 and DORA simultaneously — separate regulators, separate penalties, one bad day.
Ask: If we are breached tonight, how many regulators do we owe notifications — and do the fines stack?
How we can help
Stacked regulations punish fragmented compliance. CyberPrism analyses your control framework holistically across every applicable regime — DORA, NIS2, the AI Act, and the related privacy controls GDPR never stopped caring about — so the same evidence answers every regulator, and nothing falls between the acronyms.
Most breaches involve no genius — they walk through vulnerabilities that were publicly known, actively exploited, with fixes available for months. Foundational hygiene. No sophisticated adversary to blame; an embarrassment with a paper trail.
Ask: How fast do we close the doors attackers are already using?
How we can help
The red-face breach is always visible in advance — if anyone is looking. CyberPrism surfaces foundational failures instantly and lets you drill from any red rating to the specific gaps and vulnerabilities behind it, prioritise remediation, and record progress over time. Embarrassment, pre-empted.
NIS2's 24-hour early warning starts on the worst day your organisation has had — systems down, facts scarce, lawyers cautious. Failing to report properly is a separate offence on top of the incident itself.
Ask: Have we rehearsed hitting a 24-hour regulatory deadline mid-crisis?
How we can help
A 24-hour reporting clock is survivable only with rehearsed capability. CyberPrism identifies the strengths and weaknesses in your incident response and regulatory communication readiness — handling, reporting, escalation, post-incident review — and drives maturity over time, with the trend evidence a regulator asks for after the fact.
| Risk | Likelihood | Priority |
|---|---|---|
| 1. Liability Has Landed | High | ● Critical |
| 2. Governing Blind | Very High | ● Critical |
| 3. Marking Your Own Homework | Very High | ● Critical |
| 4. The Inevitable Bad Day | Very High | ● Critical |
| 5. The CEO Isn't the CEO | Very High | ● High |
| 6. Someone Else's Basket | High | ● Critical |
| 7. Ungoverned Intelligence | High | ● High |
| 8. GDPR Never Left | High | ● High |
| 9. The Red-Face Risk | High | ● High |
| 10. The Clock Starts Early | Medium | ● High |
Indicative ratings. Your real exposure is a function of measured control maturity against live threat activity — not a poster.
- Evidence, not assertion — measured maturity, not traffic lights
- Independent validation of the assurance you are given
- Risk rating and trend — is it improving?
- Controls tested against live threat activity, not last year's audit
- Residual risk after mitigation, in business terms
- One incident mapped to all obligations — GDPR, NIS2, DORA, AI Act
- Remediation with owners, dates and budget implications
- Proof the board itself is trained — and can evidence it
You can no longer delegate the accountability.
Talk to us about an Independent Validation Assessment, a CyberPrism demonstration, or certified board education — and see your real exposure measured, not asserted.
Cyber Risk International — trusted by boards across financial services, and the team behind the ICTTF community of 30,000+ professionals.