Director responsibilities in 2026: What every Board should be asking right now
By Georgina Gearing-Bell, Senior Manager, Company Secretarial Team, Law Debenture

I recently joined a panel discussion hosted by the London Stock Exchange's Spark Insights, alongside colleagues from PwC and Sullivan & Cromwell, to talk through the evolving landscape of director responsibilities. It was a wide-ranging conversation covering regulatory change, internal controls, emerging risks, and board effectiveness, and the questions from our audience told me that there is real appetite for practical guidance in this space.
I wanted to pull together the key themes I touched on, because whether you are a company secretary supporting a board, or a director navigating a busier regulatory environment, many of these points are directly relevant to what you are dealing with right now.
ECCTA is a transformation, not a tick-box exercise
Let me start with the Economic Crime and Corporate Transparency Act, because it keeps coming up in boardroom conversations for good reason. ECCTA is a multi-year transformation, not a one-off compliance event. Phased implementation runs through to at least early 2028, with the Failure to Prevent Fraud offence now in force, identity verification ongoing, and further changes to limited partnerships, corporate directors, and software-only filing of accounts still to come.
The risk I see is that company secretaries treat ECCTA as a filing exercise. It is not. It represents a visible shift towards director accountability and transparency, and the priority should be to translate what can be quite technical requirements into practical guidance the board can act on.
On Failure to Prevent Fraud specifically: boards must be able to demonstrate that reasonable fraud prevention procedures are embedded across the organisation. The company secretary should ensure the board has formally considered and approved the fraud prevention framework, and that this is recorded clearly in the minutes. Building a review of this into the annual meeting calendar is a straightforward, practical step.
On identity verification: the regime is now live for new appointments and in its compulsory transition phase for existing directors. If this is something your organisation has not yet addressed, do consider it now. The company secretary is typically the person who manages this process, and it is an area where Companies House accuracy expectations have tightened considerably.
The overarching message for boards: ECCTA significantly extends corporate criminal liability. The company secretary's role is to translate that into clear board obligations, ensure those obligations are tracked, and give the board the assurance it needs that the organisation is not exposed.
Provision 29: From "we have controls" to "we can demonstrate they work"
Provision 29 of the 2024 UK Corporate Governance Code applies to financial years beginning on or after 1 January 2026. Boards are now in their first real declaration cycle, with the first examples coming out early next year, and it is fair to say it has caused a significant stir.
The FRC have done a great deal of work reassuring companies about what is expected, but it remains a hot topic, and rightly so, because it marks a genuine shift. Boards must move from "we have controls and we have reviewed their effectiveness" to "we can demonstrate those controls operated effectively, based on evidence, and here is a detailed description outlining this." The board must declare effectiveness as at the balance sheet date, including disclosing any weaknesses and the remediation actions taken or planned.
So what does genuine embedding actually look like?
Firstly, it is visible in behaviour, not just in documentation. Controls embedded only in policies, without ownership, training, and accountability at an operational level, are controls in name only. When governance principles shape the way decisions are made day to day, not only during the annual reporting cycle, that is when a board can genuinely say its framework is embedded and effective.
Practically, this means regular deep-dives into internal controls, management attestations, and discussions that connect controls to strategic decisions, rather than treating them as a separate compliance topic. Boards should be asking: are control owners identified? Are the consequences of control failure clear? Is there a culture of risk ownership, where people feel comfortable speaking up when something goes wrong?
The 2024 Code explicitly asks boards to report on decisions and their outcomes, not just governance structures. Rather than boilerplate narrative, board reporting should demonstrate what was reviewed, what was found, and what changed as a result.
On the question of grounding declarations in assurance activities: this can include internal audit findings, control testing results, near-miss reporting, and management attestations, not simply a narrative description of processes. One example I genuinely like from our clients is an Audit Chair spending half a day sitting within the business, speaking not just with management but with the teams themselves, seeing controls in action and reporting back honestly to the board on what they observed. That kind of direct engagement is exactly the sort of thing that gives substance to a declaration.
It is also worth noting that the FRC has confirmed in its Mythbuster document that the Code does not require companies to seek external assurance on their controls, though companies can make that decision year on year if they choose.
The company secretary's role here is to challenge the board to ask the harder question: not "do we have a framework?" but "how do we know it is working?"
Cyber, AI, and technology risk: boards need to be informed and curious
Board oversight of technology risk, cyber resilience, and AI governance has moved firmly into the mainstream. The National Cyber Security Centre's 2025 Annual Review opened with the headline that cyber risk is no longer just an IT issue; it is a boardroom priority. Nationally significant incidents were up 50% in 2025, with highly significant incidents also up 50% for the third consecutive year. The NCSC also assessed that AI is being used to increase the efficiency, effectiveness, and frequency of cyber attacks.
On AI governance specifically: the UK has no standalone AI regulation, unlike the EU. But existing frameworks (GDPR, FCA rules, the government's 2023 AI White Paper) collectively shape AI oversight. The FCA takes a principles-based, outcomes-focused approach and has said it does not plan to introduce specific AI regulations, instead relying on frameworks including Consumer Duty, SMCR, the Systems and Controls sourcebook, and operational resilience rules. Notably, SMCR liability now explicitly extends to AI, meaning Senior Managers remain accountable for decisions made by algorithms. The FCA has also recently launched a review into the long-term impact of AI on retail financial services, with findings expected later this year; it is worth watching closely.
In financial services more broadly, the Cross-Market Operational Resilience Group issued AI baseline guidance in 2025 covering governance, risk management, testing, third-party risk, human oversight, and culture. While not legally binding, it offers a credible benchmark for good practice.
For boards, this means accountability cannot be parked with the technology function. But I want to be clear: boards do not need to be cyber experts or data scientists. They do need to be properly informed and curious.
Good oversight starts with regular, digestible dashboards that show leading indicators: what is changing, what is emerging, what the organisation needs to prepare for. Boards should define clearly which technology, AI, and cyber risk matters sit at full-board level, which at committee level, and which are operational, so there is a clear accountability framework throughout the business.
The quality of the relationship between the board and the Chief Information Security Officer or Chief Technology Officer matters enormously. Directors need regular, direct access, not just filtered management summaries. It is also essential that boards hear from independent voices: external advisers, third-party assurance, external benchmark data. This prevents over-reliance on internal teams and helps boards challenge assumptions more effectively.
Some of the most valuable questions boards can ask in these conversations are forward-looking ones:
- How quickly could we detect and contain an incident?
- What assumptions are built into our AI tools and how are they validated?
- Where does accountability sit for each element of technology risk?
- Do we understand how AI is used by our key service providers, and what safeguards do they have in place?
Scenario planning and tabletop exercises are also critical — they give organisations the chance to test crisis response, communication approaches, and risk appetite in a controlled environment, without waiting for a real incident to occur.
Finally, oversight needs to balance innovation with responsibility. Boards should not stifle technological advancement. They should encourage responsible experimentation, supported by clear principles, strong controls, and a considered risk appetite.
The company secretary's role in fast-moving risk scenarios
This is a governance challenge that rarely gets sufficient attention outside of a crisis, and by then, it is often too late to address it well.
Boards typically operate at a measured cadence: scheduled meetings, prepared papers, considered decisions. When a fast-moving risk event strikes (a cyber incident, a regulatory investigation, a whistleblower disclosure, a major operational failure), governance can struggle to keep pace. The company secretary's role in those moments is not to manage the crisis, but to ensure that the board's governance remains sound under pressure.
The best preparation is not reactive. It is the work done beforehand: contingency plans, pre-agreed crisis frameworks, and regular testing of those plans in a controlled exercise. If those are in place, the board can spend its time exercising judgement rather than designing a process on the fly. That is what enables long-term stewardship, even when immediate pressure is intense.
In a fast-moving scenario, the temptation is to bypass normal information flows and convene ad-hoc calls for quick decisions. The company secretary should ensure meetings are quorate and should work with the business and external advisers to ensure board papers clearly set out the risks, interdependencies, and strategic implications. A well-structured paper, even a short one, can prevent rushed or narrow thinking.
One of the most common governance failures in these situations is the pull towards immediate fixes at the expense of longer-term thinking. Under pressure, boards can converge too quickly on a consensus. A well-constructed agenda or meeting paper can help the board pause and ask the right questions: Have we heard the dissenting view? Have we considered all options? What assumptions are we making because of time pressure? What are the long-term consequences of the short-term solution being proposed? What precedent does this set? What will shareholders, regulators, and other stakeholders think of this decision in six months?
And critically: all decisions must be properly minuted, both for legal protection and for subsequent review. Boards are often scrutinised in hindsight on the quality of their reasoning, not the quality of their information. Capturing the rationale, the balancing of risks and the options considered, is a critical part of good governance.
A final word for new directors
We had a question during the session that we didn’t have time to cover and I thought it was worth including here: what is the most important thing for a new director to keep in mind?
My honest answer is: keep asking questions, and do not assume something is already being done.
If you have not already had training on Directors' Duties, arrange it. If you are joining a listed company, make sure you understand your listing and disclosure obligations, as well as Market Abuse regulations. Read through the Matters Reserved for the Board and the terms of reference of any Committees you are joining. And on a very practical note: check that you are insured.
There is a lot happening in the governance landscape at the moment, but none of it is unmanageable with the right preparation, the right questions, and a board that is genuinely engaged. I hope some of the above is useful, and if any of it raises questions for your organisation, please do get in touch.
Georgina Gearing Bell is a Senior Manager in the Company Secretarial team at Law Debenture, specialising in listed investment trusts and financial services clients.