NIS2 Directive Anchors Cybersecurity as Board Responsibility

In brief: NIS2 makes board members personally liable for cybersecurity and requires annual management documentation; CISOs must establish formal compliance evidence.

The EU’s NIS2 Directive explicitly assigns cybersecurity to senior management, creating direct personal liability for board members regarding data protection measures. CISOs must now document and enforce this responsibility.

The revised Network and Information Security Directive (NIS2) of the European Union shifts cybersecurity responsibility to the top management level. Board members and executives become personally liable for compliance with cybersecurity standards and can no longer invoke “lack of expertise” as a defence.

The regulation primarily affects organisations classified as critical infrastructure (energy, water, transport, health, financial sector and digital services). However, the scope is expanded to connected companies and suppliers. Organisations must demonstrate that senior management has engaged with cybersecurity at least once annually and actively monitors measures.

For CISOs, this means they need formal mandates and written compliance documentation. Board presentations must transparently present risks, measures and resource requirements. The burden of proof lies with the organisation: absence of evidence of management oversight constitutes a breach of NIS2, regardless of the actual security status.

Fines can be up to €10 million or, for larger organisations, up to 2 percent of global annual revenue. National implementation deadlines run until October 2024; first audits are expected in 2025.


Source: news.google.com · Published 5 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.4.