Guardians of Trust: EMEA Boards Take Ownership of Cybersecurity

Technology and InnovationTechnologyCybersecurityBoard and CEO AdvisoryBoard of Directors
記事アイコン Article
Portrait of Agathe Martin-Gougenheim, leadership advisor at Russell Reynolds Associates
Agathe Martin-Gougenheim
7月 10, 2026
8 記事アイコン
Technology and InnovationTechnologyCybersecurityBoard and CEO AdvisoryBoard of Directors
Executive Summary
As cyber threats grow in sophistication and directors face personal accountability, boards rethink governance, resilience and preparation.
image-real-assets-1453524964.jpg

 

Boards and CEOs consistently rank cybersecurity as one of the most significant risks facing their organizations. It’s indeed often “the defining risk of the moment,” one chair told us, particularly given the rise of AI deployment.

Large organizations face hundreds of attacks each year, with consequences that can have enterprise-wide implications far beyond IT. The recent news surrounding Anthropic's Claude Mythos 5 and Fable 5 models serves as a reminder that AI is lowering barriers to sophisticated cyber activity, potentially amplifying both the frequency and severity of attacks.

The regulatory environment also is raising expectations, with frameworks such as the Network and Information Security 2 Directive introducing elements of personal accountability at the board level. In this context, several directors described the board as the last line of defense on cybersecurity.

“Cybersecurity is top-of-the-agenda right now in all the boards I sit on,” said one director with multiple affiliations across several sectors. 

This raises fundamental questions: How are boards of EMEA publicly listed companies governing cyber risks today, and what gaps remain?

To understand how boards are approaching the issue, we interviewed a dozen board chairs, audit committee members and non-executive directors from publicly listed companies across EMEA. Here’s what we learned.

What’s next? Cybersecurity as a test case for board effectiveness

Cybersecurity is a test of how boards adapt to a new category of risk: one that’s dynamic, technical, and deeply interconnected with strategy, operations and reputation.

The evolution observed across boards reflects a broader shift:

  • From technical risk to enterprise risk.
  • From protection to resilience.
  • From collective responsibility to increasing individual liability.
  • From delegated oversight to board accountability

There’s no one-size-fits-all governance model. The appropriate approach depends on sector, scale and exposure. However, a set of common principles is emerging:

  • Integration of cybersecurity within enterprise risk frameworks.
  • Clear allocation of responsibilities among the board, committees and management.
  • Focus on resilience, preparedness and testing.
  • Continuous development of board capability — training of the full board and appointment of “informed challengers” with cybersecurity experience/savvy.

Effective cybersecurity governance won’t come from turning directors into technical experts or by appointing a swath of new experts to the board. Rather, boards must be equipped to understand the issues, ask the right questions, challenge management and make informed decisions when it matters most. As cyber threats evolve, so too must the boardroom.

 

List of interviewees

  • Jacques Aschenbroich, Board roles: Orange, TotalEnergies, BNP Paribas
  • Yannick Assouad, Board roles: Vinci, Arkema
  • Valérie Beaulieu, Board roles: Orange, ISS A/S
  • Anne Bouverot, Board roles: Safran, Cellnex, Technicolor Creative Studios, Thomson Reuters
  • Fabienne Dulac, Board roles: L’Oréal, FDJ United
  • Catherine Guillouard, Board roles: Airbus, Lottomotica, Air Liquide, Ingenico, Arrive
  • Dominique d’Hinnin, Board roles: Kering, Cellnex, Edenred, Vantiva, Eutelsat
  • Guillaume Poupard, Board role: BNP Paribas
  • Katleen Vanderweyer, Board roles: Vantiva, Euroclear, Ageas, AG Insurance
  • Nathalie Wright, Board roles: Keolis, Quadient, Amundi

 

Authors

Agathe Martin-Gougenheim is a senior member of Russell Reynolds Associates’ Board & CEO Advisory practice and Technology Practice. She is based in Paris.

Yuelu He is a member of the Russell Reynolds Associates’ Commercial Strategy & Insights Board & CEO Advisory team. She is based in Munich.