20.05.2026

9 min read

At the most recent financial results press conference of a DAX-listed company, exactly one of the fourteen supervisory board members held an explicit AI mandate; the other thirteen did not. This is not a statistic, it is a governance reality. Anyone discussing NIS2 liability, the EU AI Act and supply chain resilience in May 2026 is discussing topics for which the boardroom rarely has a clearly accountable person.

Key Takeaways

  • A tech mandate on the supervisory board is not a nice-to-have in 2026: NIS2 liability of the management body, the EU AI Act with its obligations and penalty regime phasing in through 2026, and the ongoing CSRD data pipeline bind supervisory bodies to technical detail for which many boards are not staffed.
  • The skills gap is measurable, not a feeling: in a DSW analysis of DAX and MDAX supervisory boards, fewer than one in five members said they could decide responsibly on AI-related risks without external advice.
  • Audit and risk committees carry the primary burden: a board that grants a tech mandate without structurally equipping its audit committee with technical expertise shifts the risk onto a body that cannot verify it. The result is board papers that management submits and the supervisory board formally approves without independent validation.


What Has Shifted

Ten years ago, the standard argument against a tech mandate on the supervisory board was that operational topics belong to the management board and the supervisory board should concentrate on strategy, finance and personnel. That argument no longer holds. Regulation has pulled the supervisory board into technical responsibility, whether it wanted it or not.

Three shifts are responsible. First: NIS2 makes the management body personally liable for failures in cybersecurity risk management, so the supervisory board has to monitor how that duty is discharged. Second: the EU AI Act requires risk management, data governance and conformity assessments for high-risk systems, and a supervisory body cannot delegate oversight of these without incurring a duty of care of its own. Third: CSRD reporting obliges the supervisory board to check data quality, which cannot be done seriously without an understanding of the IT behind it.

A board that experiences all three structural shifts at once and does not respond in its succession planning will carry a gap that auditors will note in their reports over the coming quarters.

What a Tech Mandate Looks Like

A tech mandate is not an extra board seat with a vague job description. It is a responsibility anchored in the board's bylaws and comprises at least four elements.

Four Elements of a Credible Tech Mandate

  • Risk mandate: lead responsibility in the risk committee for IT security, AI systems and data processing, with a duty to bring proposals to the full board.
  • Audit mandate: membership of the audit committee, reviewing the CSRD data pipeline and the internal controls over AI-driven reporting processes.
  • Investment mandate: a formal say on IT and AI investments above a threshold defined in the articles of association, including an assessment of the business case that goes beyond the purely financial.
  • Escalation mandate: a direct reporting line from the CISO and CIO to the tech-mandate holder on the supervisory board, bypassing the management board.

The escalation mandate is the uncomfortable part. It creates a direct line between technology leadership and the supervisory board, something many companies have historically not wanted because it bypasses the usual reporting hierarchy. Without it, however, the supervisory board cannot satisfy itself of NIS2 compliance in 2026.

The Missing Profiles

The honest finding from the exploratory conversations executive search consultants have held over recent quarters for board appointments: classic CIO profiles are available, but they often do not match the required skill set. What is wanted is a combination of operational technology responsibility, regulatory experience and the ability to argue a case in the boardroom without hiding behind slides.

What Doesn’t Work

  • Former corporate CIO without experience in EU regulatory compliance.
  • Tech investor with fund management background but no operational experience.
  • Academic profile with an AI professorship but no board experience.
  • Big Four consultant profile without line responsibility in day-to-day operations.
  • Former regulatory authority representative without any business role.

What Works

  • Former CIO or CISO with experience in regulated industries.
  • Business leader of a tech subsidiary with board mandate in a corporate structure.
  • CDO with direct responsibility for AI governance in an international corporation.
  • Auditor with an IT audit focus and board experience.
  • COO of a tech company with proven board-level responsibility for cybersecurity.

It is notable that most of these profiles are underrepresented in executive search pools. They are not rare in absolute terms, but they rarely put themselves forward and have to be approached actively. That lengthens the appointment process and pushes the initial search towards external consulting mandates, which can serve as a bridge but is expensive as a permanent arrangement.

What Belongs in Your Calendar

Timeline: Tech-Mandate Maturity in 12 Months

  • Months 1-2: Self-assessment of the supervisory board's existing competence in AI, cybersecurity and data architecture
  • Months 3-4: Bylaw adjustment, definition of the mandate areas, resolution by the full board
  • Months 5-7: Recruitment, sounding out existing members for an internal solution, parallel external search
  • Months 8-10: Onboarding, establishment of the escalation channel, first board papers prepared under tech-mandate responsibility
  • Months 11-12: First report with a tech-mandate statement to the annual general meeting

A board that does not pass the bylaw adjustment in month 3 or 4 delays the whole process by at least one supervisory board cycle. Bylaw changes are taken rarely, and a missed window cannot simply be rescheduled.

Liability Shadows and Silent Risks

An observation that comes up regularly in board coaching sessions: board members ask about D&O insurance, liability exclusion clauses and personal exposure. What they ask about less is how the insurance responds to an AI incident when the board formally waved through a proposal whose technical substance it could not evaluate.

Recent D&O policies contain due-diligence clauses. A board that discharges its due diligence through external advice is covered, provided the advice is documented and the board can show it was informed. A board that delegates due diligence entirely to management without any evaluation capability of its own has a blind spot in its cover.

A tech mandate closes exactly this blind spot. It is not only a matter of governance hygiene but of the board members' own insurability.

What Looks Different After 12 Months

In the few corporate groups where a tech mandate has been institutionalized for 18 months or longer, three operationally measurable changes appear. First: board papers on IT and AI investments are reviewed earlier. The share of papers rejected at first reading falls noticeably, because management already builds the tech-mandate perspective into them.

Second: the response time for cybersecurity incidents that must be reported to the supervisory board shrinks from weeks to days. Once the escalation channel has been used, it works.

Third: references to insufficient IT competence on the supervisory board disappear from the auditor's governance assessment. That is not cosmetic: board evaluations in the auditor's appendix are increasingly read by institutional investors as a reputational signal.

Frequently Asked Questions

Is a tech mandate on the supervisory board mandatory under the bylaws?

Not directly, but indirectly. NIS2 and the EU AI Act require oversight capabilities that cannot in practice be verified without a corresponding person on the board. Anchoring it in the bylaws is cleaner than an informal reliance on external advice, because it can be documented and checked in the auditor's appendix.

Who is considered for the tech mandate position?

Former CIOs or CISOs from regulated sectors, COOs or CDOs with their own AI governance responsibility in international corporations, and auditors with IT audit expertise and board experience. Pure consulting profiles without operational line responsibility do not typically carry the mandate in practice.

What is the additional workload of a tech mandate alongside traditional board duties?

Realistically, 30 to 50 percent more time than a standard board mandate, especially in the first 12 months after it is established. The extra load comes from special meetings on incidents, familiarization with the company's specific technology landscape, and setting up the escalation channel.

What is the typical compensation for a tech mandate?

In the DAX environment, the premium over a standard board mandate ranges from 30 to 60 percent; in the MDAX it is 20 to 40 percent. In the mid-sized sector, a flat fee per special meeting is common, because the regular meeting fee rarely covers the additional workload.

How does D&O insurance respond to an AI incident without a tech mandate?

With limitations. Recent D&O policies require a demonstrable standard of care. If someone without documented assessment capability handles technology topics and a significant incident occurs, the insurer may plead gross negligence. External advice with a documented record provides formal protection, but it costs more than an institutionalized tech mandate.


Source Title Image: Wikimedia Commons / E. (SumOfUs) (CC BY 2.0)

A magazine by Evernine Media GmbH