AI Data Governance Failures: Why Boards Must Act on NIS2, DORA & AI Act Risks

Introduction: AI Data Governance – The Board’s New Frontier

When a data breach makes headlines, the immediate focus is often on the incident itself—the ransomware demand, the exposed records, the operational disruption. But as recent incidents at Odido and Stryker demonstrate, the breach is frequently just the symptom of a deeper failure: inadequate AI data governance. AI systems, with their complexity, opacity, and capacity to process vast datasets, introduce unique risks that traditional data governance frameworks cannot adequately address. For board members, this isn’t merely a technical issue; it’s a strategic compliance imperative. Regulations like the EU AI Act, NIS2 Directive, and DORA are raising the stakes, holding leadership accountable for AI-related failures. This article explores how poor AI data governance leads to incidents, the regulatory implications, and a practical action plan for boards to mitigate risks and ensure compliance.

Case Studies: When AI Governance Failures Become Headlines

The evidence is clear: AI data governance gaps are root causes of major breaches. Consider two recent incidents:

Odido Data Breach: A Failure in Data Protection and Incident Response

In 2024, hackers leaked personal and bank account details of over six million Odido customers after the Dutch telecommunications company refused to pay a ransom. While refusing ransoms aligns with cybersecurity best practices, the incident exposed critical weaknesses in data protection measures. Under the GDPR (Regulation (EU) 2016/679), which has been in effect since 25 May 2018, such breaches trigger strict notification requirements and potential penalties of up to EUR 20 million or 4% of global annual turnover. The Odido breach underscores how inadequate governance—whether in data encryption, access controls, or incident response protocols—can amplify risks when AI systems handle sensitive customer data. For boards, this highlights the need to integrate AI-specific controls into broader cybersecurity frameworks.

Stryker Incident: AI and Medical Device Vulnerabilities

While specific details of Stryker’s incident are not provided in the evidence, it serves as a pertinent example in the healthcare sector, where AI-driven devices are increasingly common. The EU AI Act classifies AI systems embedded in medical devices as high-risk under Annex I, with an extended transition period until 2 August 2027. Failures here can lead to severe consequences, including patient harm and regulatory sanctions. Boards must recognize that AI governance in such contexts requires specialized oversight, aligning with standards like ISO/IEC 42001 (the international AI management system standard published in December 2023) and ensuring robust data integrity and security measures.

These cases illustrate that AI doesn’t just create new risks; it exacerbates existing ones. Poor governance around data quality, model transparency, and access management can turn minor vulnerabilities into catastrophic breaches.

Regulatory Implications: NIS2, DORA, and the EU AI Act

Boards can no longer treat AI governance as an afterthought. A wave of regulations is imposing direct obligations on leadership, with significant penalties for non-compliance.

NIS2 Directive: Expanding Cybersecurity Accountability

The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive, with a member state transposition deadline of 17 October 2024. It applies to “essential” and “important” entities across 18 sectors, including digital infrastructure and ICT services. Key requirements include risk management measures, incident reporting within 24 hours for early warning and 72 hours for notification, and supply chain security. Crucially, NIS2 emphasizes management accountability, meaning boards must ensure AI systems are secured against cyber threats. Penalties can reach up to EUR 10 million or 2% of global turnover for essential entities. For AI data governance, this means implementing controls that address AI-specific vulnerabilities, such as adversarial attacks on machine learning models.

DORA: Operational Resilience for Financial Entities

The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) applies from 17 January 2025 to financial entities like banks, insurers, and crypto-asset service providers. DORA mandates an ICT risk management framework, incident reporting, and resilience testing, including threat-led penetration testing. For AI systems used in financial services—such as algorithmic trading or fraud detection—governance failures could disrupt critical operations. Boards must ensure AI data governance aligns with DORA’s requirements, particularly in third-party risk management, as many AI tools are sourced from vendors. This is where platforms like AIGovHub can help assess vendor compliance and gaps.

EU AI Act: A Comprehensive Governance Framework

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with phased applicability. Prohibited AI practices and AI literacy obligations apply from 2 February 2025, while governance rules for general-purpose AI (GPAI) models take effect from 2 August 2025. High-risk AI systems, including those used in recruitment and critical infrastructure, face obligations from 2 August 2026. The Act requires risk assessments, data governance measures (e.g., data quality and documentation), and transparency. Penalties are severe: up to EUR 35 million or 7% of global turnover for prohibited practices. Boards must oversee compliance, especially as AI systems often fall into the high-risk category. For a detailed roadmap, see our EU AI Act compliance guide.

Together, these regulations create a layered compliance landscape. NIS2 and DORA focus on cybersecurity and resilience, while the EU AI Act addresses AI-specific risks. Boards need an integrated approach, as failures in one area can trigger violations across multiple frameworks.

Board Action Plan: Practical Steps for AI Governance and Compliance

Addressing AI data governance requires a proactive, board-led strategy. Here’s a practical action plan based on industry frameworks and regulatory requirements.

1. Establish AI Governance Oversight at the Board Level

Boards should designate a committee or individual (e.g., a Chief AI Ethics Officer) responsible for AI governance. This aligns with the NIST AI RMF 1.0 (published January 2023), which emphasizes the “Govern” function to ensure accountability. Key duties include:

• Reviewing AI risk assessments and compliance with regulations like the EU AI Act and NIS2.
• Overseeing incident response plans for AI-related breaches, as highlighted by the Odido case.
• Ensuring alignment with standards such as ISO/IEC 42001 for certifiable AI management systems.

2. Implement Robust AI Data Governance Controls

Traditional data governance isn’t enough. Boards should advocate for AI-specific controls, including:

• Data Quality and Integrity: Ensure training data is accurate, representative, and free from bias to mitigate risks under the EU AI Act.
• Model Transparency and Monitoring: Use tools to track AI decision-making, addressing opacity issues that can lead to breaches.
• Access Management: Limit data access to authorized personnel, reducing insider threats—a lesson from recent incidents.

Vendor tools can streamline this. For example, Securiti AI offers data governance automation, while Holistic AI provides risk assessments for AI models. Vanta helps with compliance readiness for frameworks like SOC 2. When evaluating options, consider our comparison of AI governance platforms.

3. Integrate AI Governance with Cybersecurity Frameworks

AI systems must be secured within broader cybersecurity programs. Boards should ensure:

• Alignment with the NIST Cybersecurity Framework (CSF) 2.0 (published 26 February 2024), which includes a new “Govern” function.
• Adoption of ISO/IEC 27001:2022 for information security management, with its 93 controls updated for modern threats.
• Preparation for SOC 2 attestations, which are increasingly required by enterprise customers for SaaS vendors. Remember, SOC 2 is not a certification but an attestation report based on Trust Services Criteria.

This integration helps address NIS2 and DORA requirements, as seen in our analysis of AI security alerts.

4. Conduct Regular Audits and Training

Boards should mandate regular audits of AI systems for compliance with the EU AI Act and other regulations. Training programs on AI literacy, as required by the EU AI Act from February 2025, are essential for staff handling AI data. Lessons from incidents like Odido show that human error often compounds governance gaps.

5. Leverage Technology for Continuous Monitoring

Invest in tools that provide real-time insights into AI performance and risks. Platforms like AIGovHub offer assessments and vendor comparisons to help boards make informed decisions. For instance, our analysis of AI talent gaps highlights the need for automated governance solutions.

Conclusion: Turning Governance into a Strategic Advantage

The Odido and Stryker incidents are wake-up calls: AI data governance failures are root causes of breaches, not just symptoms. With regulations like NIS2, DORA, and the EU AI Act imposing strict obligations and penalties, boards must act now. By establishing oversight, implementing controls, integrating with cybersecurity frameworks, and leveraging technology, organizations can turn compliance into a competitive edge. AI governance isn’t just about avoiding fines; it’s about building trust, ensuring resilience, and driving innovation responsibly.

Key Takeaways

• AI data governance failures are underlying causes of breaches, as seen in the Odido and Stryker cases.
• Regulations like the EU AI Act (effective from 2025-2026), NIS2 (transposition by October 2024), and DORA (applicable from January 2025) require board-level accountability.
• Practical steps include establishing oversight, implementing AI-specific controls, and integrating with frameworks like NIST CSF 2.0 and ISO/IEC 27001.
• Vendor tools such as Securiti AI, Holistic AI, and Vanta can aid compliance, but organizations should verify their fit through assessments.

Ready to assess your AI governance risks? Use AIGovHub’s compliance checker to identify gaps and explore vendor solutions tailored to NIS2, DORA, and EU AI Act requirements. For more insights, read our complete guide to AI governance.

This content is for informational purposes only and does not constitute legal advice.