AI Governance and Cybersecurity: The New Era of Board Accountability Under NIS2, DORA, and the EU AI Act

The Convergence of AI Governance and Cybersecurity: A Board-Level Imperative

The digital landscape is undergoing a seismic shift. Artificial intelligence (AI) is no longer just a tool for innovation; it is becoming a critical vector for cyber threats and a focal point for regulatory scrutiny. High-profile incidents, such as the data breach at Michelin linked to Oracle E-Business Suite vulnerabilities and the devastating wiper malware attack on medical technology giant Stryker, underscore a harsh new reality. Cybercriminals and state-sponsored actors are increasingly leveraging AI to automate and scale exploitation, turning legacy system weaknesses and AI model vulnerabilities into weapons. For corporate boards and executive teams, this convergence of AI and cyber risk is creating unprecedented personal accountability. Regulatory frameworks like the EU AI Act, the NIS2 Directive, and the Digital Operational Resilience Act (DORA) are explicitly placing governance and oversight responsibilities at the highest levels of an organization. This article explores this critical intersection, analyzes the evolving regulatory pressures, and provides a step-by-step roadmap for integrating robust AI governance with cybersecurity strategies to mitigate risk and ensure compliance.

Recent Cybersecurity Incidents: A Warning from the Front Lines

The nature of cyber threats is evolving, with attacks increasingly targeting both legacy enterprise systems and the AI models themselves. Two recent incidents highlight distinct but equally dangerous patterns.

The Michelin Oracle EBS Breach: Legacy Systems in the Crosshairs

In a widespread campaign, the sophisticated FIN11 threat actor cluster (with the Cl0p ransomware group claiming responsibility) exploited zero-day vulnerabilities in Oracle's E-Business Suite (EBS). Michelin confirmed it was a victim, with over 315GB of archives allegedly containing company files leaked. Metadata analysis suggested the data originated from an Oracle EBS environment. While Michelin stated corrective actions were prompt and only non-sensitive data was accessed, the incident reveals a critical truth: vulnerabilities in foundational enterprise software, often considered 'legacy,' are prime targets for AI-automated scanning and exploitation tools. As noted in our analysis of the Microsoft Copilot security flaw, integration points between new AI tools and existing systems create novel attack surfaces.

The Stryker Wiper Malware Attack: Critical Infrastructure at Risk

The attack on Stryker, attributed to the Iranian-linked hacktivist group Handala, was far more destructive. The group claimed to have stolen 50 terabytes of data and wiped over 200,000 systems across 79 countries, forcing a global shutdown and a reversion to manual workflows. This incident, in the critical medical technology sector, exemplifies the potential for catastrophic operational disruption. It underscores that cybersecurity is no longer just about data confidentiality; it is about the resilience of core business functions—a principle central to regulations like DORA. The scale and impact of such attacks demonstrate why boards can no longer treat vulnerability backlogs as acceptable risks.

These incidents are not isolated. They are symptomatic of a broader trend where AI is dual-use: it powers defensive tools but also enables adversaries to find and exploit weaknesses at machine speed. This creates a compounding risk environment that demands a unified governance approach.

Board Responsibilities and the Mounting Regulatory Pressure

In the age of AI-automated exploitation, passive acceptance of cyber risk is becoming legally and ethically indefensible. Regulatory bodies worldwide are formalizing the accountability of corporate boards and senior management for both cybersecurity and AI governance.

The EU Regulatory Trifecta: AI Act, NIS2, and DORA

European regulations are leading the charge in establishing clear lines of accountability:

• EU AI Act (Regulation (EU) 2024/1689): Entering into force on 1 August 2024, this landmark regulation imposes strict obligations. For high-risk AI systems—a category that explicitly includes AI used in recruitment and HR management under Annex III—providers and deployers must ensure rigorous risk management, data governance, and human oversight. Obligations for these high-risk systems apply from 2 August 2026. Crucially, the regulation establishes governance requirements and holds management accountable for ensuring compliance. Penalties for violations can reach up to EUR 35 million or 7% of global annual turnover. Our EU AI Act compliance roadmap details the steps to meet these obligations.
• NIS2 Directive (Directive (EU) 2022/2555): With a member state transposition deadline of 17 October 2024, NIS2 significantly expands the scope of entities deemed 'essential' or 'important' across 18 sectors, including digital infrastructure and ICT service management. It mandates that the management bodies of these entities approve cybersecurity risk management measures and oversee their implementation. They can be held liable for violations, with penalties up to EUR 10 million or 2% of global turnover. This directive forces boards to actively govern cybersecurity strategy.
• DORA (Regulation (EU) 2022/2554): Applying from 17 January 2025, DORA targets financial entities (banks, insurers, crypto-asset providers) but sets a precedent for operational resilience. It requires the implementation of a comprehensive ICT risk management framework, which must be approved and reviewed by the management body. This includes managing risks related to third-party ICT service providers, a critical consideration when using external AI platforms or models.

As discussed in our article on AI talent and governance gaps, having the right oversight structures is essential. These regulations collectively signal that board oversight must be proactive, documented, and integral to corporate strategy.

The US Landscape and Voluntary Frameworks

While the US lacks comprehensive federal AI legislation, the landscape is evolving. Colorado's AI Act, effective 1 February 2026, requires deployers of high-risk AI to use reasonable care to avoid algorithmic discrimination, implicitly placing accountability on leadership. Furthermore, frameworks like the NIST AI Risk Management Framework (AI RMF 1.0) and the NIST Cybersecurity Framework (CSF) 2.0 provide essential voluntary guidance. The AI RMF's 'Govern' function and the CSF 2.0's new 'Govern' function both emphasize that risk management starts at the governance level. For many organizations, achieving a SOC 2 attestation (an audit report on security controls, not a certification) is also becoming a baseline requirement from enterprise customers, further compelling boards to demand robust security postures from their vendors and internal teams.

Integrating AI Governance with Cybersecurity: A Step-by-Step Action Plan

For boards and compliance leaders, the path forward involves breaking down silos between AI innovation, cybersecurity, and legal/compliance teams. Here is a practical framework for integration.

Step 1: Establish a Unified Governance Structure

Create a cross-functional committee reporting directly to the board or audit committee. This body should include representatives from cybersecurity, data science/AI engineering, legal, compliance, and risk management. Its mandate is to oversee the organization's AI strategy, assess risks, and ensure alignment with cybersecurity policies and regulatory requirements like the EU AI Act and NIS2. Clear accountability charts must define who is responsible for AI model security, data integrity, and incident response.

Step 2: Conduct Converged Risk Assessments

Move beyond traditional IT risk assessments. Implement a process that evaluates risks specific to AI systems throughout their lifecycle, aligned with frameworks like the NIST AI RMF and ISO/IEC 42001. Key questions include:

• Data Security: How is training and operational data secured? Does it contain sensitive information requiring special protection under GDPR or other privacy laws?
• Model Vulnerabilities: Could the model be poisoned, manipulated (adversarial attacks), or exploited to reveal sensitive training data?
• Supply Chain Risk: What are the security postures of third-party AI model providers, data vendors, or cloud platforms? Tools like AIGovHub's vendor risk module can help monitor these dependencies.
• Integration Risks: How does the AI system interact with legacy systems (like Oracle EBS), and what new attack surfaces does that create?

This assessment should feed directly into the organization's overall cybersecurity risk register.

Step 3: Implement Technical and Process Controls

Based on the risk assessment, deploy targeted controls:

• Secure Development & Deployment: Apply secure coding practices and DevSecOps principles to AI model development. For high-risk AI systems under the EU AI Act, implement logging, monitoring, and human oversight mechanisms.
• Continuous Monitoring: Use security tools to monitor AI systems in production for anomalous behavior, data drift, and potential adversarial activity. This is a key component of DORA's operational resilience requirements.
• Incident Response Planning: Update your cybersecurity incident response plan (IRP) to include AI-specific scenarios. Define procedures for a compromised AI model, a data poisoning attack, or the exploitation of an AI system to launch a broader breach. Consider the timelines mandated by NIS2 (24-hour early warning, 72-hour notification) and DORA.
• Vendor Management: Scrutinize the SOC 2 reports and security practices of AI-as-a-Service providers. Contractual agreements must stipulate security standards, breach notification protocols, and audit rights.

Step 4: Foster a Culture of Awareness and Accountability

Board members and executives must be educated on AI-specific risks and regulatory obligations. Regular training should extend to all employees handling data or interacting with AI systems. Furthermore, organizations should cultivate transparency by documenting AI use cases, risk assessments, and mitigation steps—a practice that will be invaluable during regulatory inquiries or audits. For guidance on building this culture, explore our complete guide to AI governance.

Key Takeaways for Compliance Leaders

• Board Accountability is Personal and Legal: Regulations like the EU AI Act, NIS2, and DORA explicitly place governance and oversight duties on management bodies, with significant financial and personal liability for failures.
• AI is a Cybersecurity Vector: AI systems introduce new vulnerabilities and can be weaponized by attackers to automate exploitation, as seen in attacks on legacy systems and critical infrastructure.
• Integration is Non-Negotiable: AI governance and cybersecurity strategies must be developed and executed in unison, with shared risk assessments, incident response plans, and oversight committees.
• Proactive Governance is the Only Defense: Waiting for an incident or a regulatory citation is a high-risk strategy. Implementing frameworks like the NIST AI RMF and pursuing attestations like SOC 2 demonstrate due diligence.
• Vendor Risk is Your Risk: The security posture of third-party AI providers and integrators must be rigorously managed as part of your supply chain security.

Navigating the Future with Confidence

The intersection of AI governance and cybersecurity represents one of the most complex compliance challenges of the decade. The incidents at Michelin and Stryker are not anomalies; they are harbingers of a more dangerous and regulated future. By understanding the specific requirements of the EU AI Act, NIS2, and DORA, and by implementing a converged governance strategy, boards can transform this challenge into an opportunity to build more resilient, trustworthy, and compliant organizations.

Ready to take control of your AI and cybersecurity governance? AIGovHub's platform provides integrated tools for monitoring regulatory compliance, managing AI risk assessments, and tracking vendor security postures against standards like SOC 2. Explore our comparison of leading AI governance platforms or contact us to see how we can help you build a defensible and proactive compliance program.

This content is for informational purposes only and does not constitute legal advice.