Knowledge base Updated: February 5, 2026

Personal board liability for cybersecurity under NIS2

Board members are personally liable for company cybersecurity. Financial penalties, suspension from duties, criminal liability - this is the new reality after NIS2 implementation.

Imagine a Monday morning. You arrive at the office to chaos - systems aren’t working, phones are ringing non-stop, employees stare helplessly at black screens. A ransomware attack has paralyzed the entire company. Over the next 31 days - the average recovery time after such an incident in many jurisdictions - you’ll fight for business survival. But that’s not the end of the bad news. In a few weeks, you’ll receive a summons from the regulator. And then it will become clear that responsibility for this incident rests directly on you - not on the IT department, not on the administrator, but on the board member.

NIS2 brought a fundamental change in the approach to cybersecurity. The directive, implemented through national cybersecurity legislation across the EU, shifted responsibility for security incidents from the operational level to the management level. Cybersecurity is no longer an “IT problem” - it has become the personal responsibility of those sitting on management bodies.

Why does NIS2 change the rules for boards?

The NIS2 directive is not just another regulation to “tick off.” It’s a fundamental change in the philosophy of cybersecurity responsibility in the European Union. The previous version of the directive (NIS1) focused mainly on technical and organizational requirements. NIS2 goes much further - it introduces the concept of personal liability for members of management bodies.

Article 20 of the NIS2 directive clearly states that management bodies of essential and important entities must approve cybersecurity risk management measures and supervise their implementation. They cannot delegate this responsibility to the IT department or an external provider. It is the board that is responsible for strategy, budget, and the effectiveness of protection.

National laws implementing NIS2 across EU member states provide for the possibility of temporarily suspending managers from their duties in case of serious violations. This is unprecedented - no previous cybersecurity regulation provided for such far-reaching personal consequences.

📚 Read the complete guide: Ransomware - what it is, how to protect yourself, what to do after an attack

What specific obligations does NIS2 impose on board members?

The directive precisely defines the scope of responsibility for managers. First, they must approve security policies and risk management procedures. It’s not enough to sign a document prepared by the IT department - the board must understand its content and consciously accept the level of residual risk.

Second, board members are required to undergo regular cybersecurity training. The law requires documented training that enables managers to understand threats, assess the effectiveness of safeguards, and make informed decisions. “I don’t know IT” is no longer an excuse - it becomes evidence of negligence.

Third, the board must ensure adequate financial resources for cybersecurity. A budget “for IT maintenance” is not enough. NIS2 requires dedicated resources proportional to the identified risk. Lack of such a budget can be treated as evidence of gross negligence.

What financial penalties apply for NIS2 violations?

The financial sanctions provided for in NIS2 are unprecedented. For essential entities, penalties can reach EUR 10 million or 2% of total annual worldwide turnover - whichever is higher. For important entities, the maximum penalty is EUR 7 million or 1.4% of turnover.

Importantly, these penalties apply not only to security incidents themselves but also to failure to meet formal obligations. Lack of appropriate documentation, late incident reporting, or failure to implement post-inspection recommendations - each of these violations can result in severe sanctions.

National authorities responsible for cybersecurity can conduct both planned and ad hoc inspections - particularly after a reported incident or based on information about potential violations.

What does personal liability for board members mean?

The most revolutionary element of NIS2 is the introduction of personal liability. This means that the consequences of violations can directly affect individuals sitting on management bodies - not just the company as a legal entity.

This liability can take various forms. First is administrative liability - the possibility of temporary suspension from management functions. Second is civil liability - compensation claims from the company, shareholders, or affected customers. Third is potential criminal liability - in cases where negligence leads to serious harm.

Particularly important is the issue of D&O (Directors and Officers) insurance. Many policies exclude liability for knowing violations of regulations. If a board member knew about cybersecurity deficiencies and did not take action, the insurer may refuse to pay compensation.

What documentation must the board have under NIS2?

Documentation is a key element in demonstrating due diligence. The basic document is an information security policy approved by the board, which defines the acceptable level of risk, roles and responsibilities, and incident management procedures.

The second essential document is a risk analysis. NIS2 requires a methodical approach to threat identification, vulnerability assessment, and determination of countermeasures. The analysis must be updated regularly and after any significant incident or infrastructure change.

The third element is business continuity and disaster recovery plans. These documents must describe specific procedures in case of an incident, indicate responsible persons, and define response times. Importantly, these plans must be regularly tested - a document without practical verification does not constitute evidence of readiness.

How should boards prepare for new obligations?

The first step is conducting training for all board members. This training should cover cybersecurity fundamentals, NIS2 requirements overview, legal liability discussion, and practical aspects of security oversight. Training must be documented - certificates and attendance lists serve as evidence of fulfilling the obligation.

The second step is reviewing and updating documentation. All security policies and procedures should be analyzed for NIS2 compliance, updated, and formally approved by the board. Special attention should be paid to incident reporting procedures - NIS2 requires initial notification within 24 hours.

The third step is verifying the cybersecurity budget. The board must assess whether allocated resources are adequate to identified risks. In many organizations, it will be necessary to create a separate budget line for cybersecurity, independent of the general IT budget.

Can responsibility be delegated to external providers?

This is one of the most common questions asked by board members. The answer is: partially yes, but with significant limitations. You can outsource operational task execution - monitoring, incident response, security system maintenance. However, you cannot delegate legal responsibility.

The Managed SOC (external Security Operations Center) model is accepted by regulators as an adequate means of meeting NIS2 requirements. For many organizations, this is the economically optimal solution - building your own SOC operating 24/7/365 is significantly more expensive than external services.

However, the contract with the provider must be appropriately formulated. The contract must precisely define the scope of responsibilities, SLA (Service Level Agreement), escalation and reporting procedures. The board remains responsible for selecting a reliable provider and supervising contract execution.

How do you demonstrate due diligence in case of an inspection?

In case of an inspection or incident, demonstrating that the board acted with due diligence is crucial. This means proving that all reasonable steps were taken to ensure security, even if a breach ultimately occurred.

Elements demonstrating due diligence include: documented board member training, regular security policy reviews, adequate cybersecurity budget, conducted risk analyses, business continuity plan tests, and regular security audits.

Documentation of the decision-making process is particularly important. Board meeting minutes should contain records of cybersecurity discussions, decisions made, and their justifications. In case of inspection, this documentation can serve as evidence of a conscious and responsible approach to risk management.

What are the most common mistakes made by boards?

The first and most serious mistake is treating cybersecurity as an “IT problem.” The board delegates all responsibility to the technical department without engaging in strategic matters. Under NIS2, this approach is not only ineffective but also unlawful.

The second mistake is “drawer documentation” - policies and procedures written several years ago that have never been updated or implemented in practice. These documents have no evidentiary value during inspections and may even serve as evidence against the organization.

The third mistake is lack of tests and exercises. Many companies have incident response plans but have never tested them. In a crisis situation, it turns out that procedures are outdated, contacts are invalid, and employees don’t know how to proceed.

Strategic NIS2 compliance map for boards

| Area | NIS2 requirement | Board action | Timeline |
|------|------------------|--------------|----------|
| Training | Art. 20 - training for management bodies | Organize documented training for all board members | 30 days |
| Policies | Art. 21 - approval of risk management measures | Review and formally approve security policy | 60 days |
| Budget | Art. 21 - adequacy of resources | Allocate cybersecurity budget proportional to risk | Next budget year |
| Risk analysis | Art. 21 - risk management | Commission formal cybersecurity risk analysis | 90 days |
| Monitoring | Art. 21 - incident detection | Implement 24/7 monitoring (own SOC or Managed SOC) | 120 days |
| Reporting procedures | Art. 23 - incident reporting | Develop 24h CSIRT reporting procedure | 60 days |
| Business continuity | Art. 21 - continuity management | Update and test DR/BC plans | 90 days |

Summary

The NIS2 directive fundamentally changes the position of board members in the cybersecurity area. Personal liability, high financial penalties, and the possibility of suspension from duties are the new reality that managers of European enterprises must face.

The key to security - both organizational and personal legal security of board members - is a proactive approach. Training, documentation, adequate budget, and regular oversight are not only regulatory requirements but above all elements building real resilience to cyber threats.

In the face of increasing attacks on enterprises and tightening regulations, cybersecurity has become one of the key areas of management responsibility. Those who understand this change and prepare appropriately will not only avoid sanctions but also build competitive advantage in an increasingly digital economy.

Need support preparing your organization for NIS2 requirements? nFlo experts will help conduct gap analysis, prepare documentation, and implement technical solutions ensuring regulatory compliance. Contact us to discuss your organization’s needs.
