Until recently, cybersecurity was something organisations could largely leave to IT. For a while, that model worked. NIS2 changes that, and it does so fundamentally. It goes well beyond regulatory box-ticking or standard technology initiatives. At its core, it shifts responsibility. Cybersecurity is no longer the domain of technical teams alone; it becomes a direct responsibility of the board. And crucially, the responsibility can be personal as well.
What is the NIS2 Directive?
NIS2 is an EU cybersecurity directive that significantly expands the number of organisations in scope while raising the bar for risk management and incident response. In practice, this means that many entities previously unaffected by such requirements must now take a far more structured, systematic, and measurable approach.
From a board-level perspective, however, the key point is not the wording of the directive itself, but what it changes in how the business operates. NIS2 requires organisations to implement real, effective security measures. The focus shifts to actual capability: preventing incidents and responding to them when they occur.
There’s also a change in how risk is approached. Cybersecurity is no longer a series of one-off projects or isolated initiatives. It becomes an ongoing process. Organisations are expected to continuously identify threats, assess their impact on the business, and make informed decisions about how to mitigate them. In many ways, this mirrors financial or operational risk management. But there’s one difference: the pace of change in the digital landscape is significantly faster.
The NIS2 directive also introduces specific requirements around incident reporting. In practice, this means having clearly defined processes in place to detect incidents quickly, assess their severity, and report them within the required timeframes. This is now a regulatory obligation, subject to oversight.
Another critical aspect is the growing importance of the supply chain. NIS2 makes it clear that organisations are responsible not only for their own environments, but also for risks arising from their suppliers and partners. In practical terms, this requires a much better understanding of which relationships are critical to business operations and what risks they introduce.
This is why NIS2 is not a compliance checklist that can simply be ticked off and set aside. It embeds cybersecurity into ongoing, structured risk management.
What’s the Role of the Board in the Context of NIS2?
The NIS2 directive introduces an accountability shift. It clearly places responsibility for cybersecurity with the board: approving risk management measures, overseeing their implementation, and assessing their effectiveness. This is no longer something that can be treated purely as an IT or operational security matter.
In practice, this means the board needs to be actively involved in cybersecurity-related decisions. They require a clear understanding of the risks the organisation faces, their potential impact on the business, and what is being done to mitigate them.
Many organisations still operate under a model where cybersecurity is delegated to IT or an external provider. Under the NIS2 directive this is no longer sufficient. Execution (implementation, system maintenance, monitoring) can be delegated, but accountability for whether those measures are appropriate and effective remains with the board.
This fundamentally changes how cybersecurity should be viewed. It becomes a critical business issue. The board defines the level of acceptable risk, decides on investments in security, and determines how the organisation prepares for potential incidents. These decisions directly affect business continuity, financial performance, and the trust of customers and partners.
What NIS2 Directive Really Changes
Rather than quoting paragraphs from the directive, I’ll focus on actual implications for the business and how they’re managed. And this is where NIS2 introduces a shift that goes deeper than it might initially appear.
First, security can no longer be standardised. Implementing a default set of tools is no longer enough. NIS2 requires security measures to be proportionate to actual risk, tailored to the organisation’s specific context, processes, dependencies, and the potential impact of incidents. This calls for informed decision-making, not simply adopting best practices without context.
Second, cyber risk must be managed in a measurable and continuous way. Organisations need to understand which threats matter most, which ones could have the greatest business impact, and how that impact may evolve over time. Crucially, this risk cannot remain at the operational level. It needs to be reported in a way the board can understand and use in decision-making.
Another major change relates to incident handling. NIS2 introduces requirements for rapid and formal incident reporting, which in practice means having effective mechanisms in place to detect, classify, and escalate incidents. The organisation does not just have to respond; it needs to demonstrate that it responded appropriately and within the required timeframe.
Then there is the issue of the supply chain. Suppliers are no longer a separate concern; they become part of the organisation’s overall risk profile. If a critical supplier fails or is compromised, the impact on the business can be just as severe as an internal incident.
Taken together, these changes lead to a clear conclusion: cybersecurity is no longer merely an operational concern. It becomes a core part of strategic management.
What Can Go Wrong
Rather than talking about threats in abstract terms, it is more useful to look at scenarios that have already happened and are still happening.
The first is a ransomware attack that brings production or critical operations to a halt. Systems stop working, access to data is blocked, and almost overnight the organisation loses its ability to run core processes. It’s a financial problem with losses that can range from thousands to millions, depending on the scale of the business.
The second scenario involves a data breach affecting customers or partners. Information is exposed, and with it comes attention from regulators, clients, and the media. The organisation faces potential financial penalties, but also a loss of trust, which often affects business relationships and sales performance. Reputation takes years to build and can be damaged in an instant. Rebuilding that trust typically takes far longer than resolving the incident itself.
The third, often underestimated, scenario relates to supplier-side incidents. A third-party provider, whether of systems, services, or data, is compromised or becomes unavailable. As a result, your own operations are disrupted, even if everything internally is functioning as expected. This is particularly challenging because the organisation bears the consequences of an event it does not fully control. This is exactly why NIS2 places such strong emphasis on supply chain risk.
All of these scenarios share one thing: their impact is business-critical, whether as downtime, lost revenue, regulatory penalties, customer churn, or disruption to operations. The consequences reach far beyond the operational level.
The Board’s Responsibilities in Practice
One of the most common misconceptions is that having a capable IT team means cybersecurity is solved. In reality, this often results in limited board involvement, with cybersecurity reduced to occasional updates. NIS2 makes this approach instantly outdated.
The directive makes it clear that the board’s role is to provide informed oversight. In practice, this means approving the organisation’s approach to cyber risk management, including decisions on which risks are acceptable and which need to be mitigated. It also involves regularly reviewing the level of risk to ensure that existing measures remain appropriate as conditions change.
A critical part of this responsibility is ensuring the right resources are in place. Without adequate budget, skills, and tools, even the best-designed approach to cybersecurity remains theoretical. The board determines how much priority is given to security and how it is balanced against other business investments.
Oversight is equally important. It is not enough to know that security measures have been implemented; the board needs to understand whether they are actually effective. This requires access to clear, business-relevant information that links security performance to risk exposure.
In short, the board’s role is strategic governance. It sets direction, makes high-level decisions, and ensures they are carried through. Operational delivery remains with specialist teams, but NIS2 makes board-level oversight essential.
Oversight of Cybersecurity
What does effective oversight actually look like in practice? First and foremost, cybersecurity needs to become a standing item on the board agenda. Not occasionally, not only in response to an incident, but as a regular part of how the business is managed.
The key shift lies in how the topic is presented and discussed. Cybersecurity should not appear as a technical update or a list of implemented tools. What matters at board level are business questions: what risks matter most today, what impact they could have on operations and financial performance, and what is being done to mitigate them.
This reframes the conversation. Instead of focusing on systems and technologies, the discussion centres on operational continuity, revenue impact, and customer relationships. The result is better decision-making: both in terms of risk acceptance and investment in mitigation.
Regular oversight also requires the right information. The board should receive clear, concise reporting that shows not only the current state, but also how risk is evolving over time and what potential scenarios lie ahead. Without this, cybersecurity remains a black box. With it, it becomes something that can be actively managed.
Risk Management Under NIS2 Directive
For many organisations, NIS2 requires a fundamental shift in how risk is managed. It’s no longer about one-off assessments or isolated initiatives, but about establishing a continuous process that directly informs decision-making.
Organisations need to clearly identify their key cyber risks in relation to specific processes, systems, and dependencies that underpin the business. The next step is to determine which of these risks are truly critical: those that could disrupt operations, impact revenue, or expose the company to serious regulatory consequences.
Of course, describing risk is not enough; actions have to go with it. That means implementing controls, adjusting processes, and building the capability to respond effectively. At the same time, you need to know what happens if those measures fail. In other words, it’s not just about prevention, but also about preparedness.
This ability to identify, assess, and consciously manage risk, continuously and in a way that is tied to business impact, sits at the heart of NIS2 compliance.
Legal Responsibility and Sanctions Under NIS2
This part often gets the most attention, and for good reason. The NIS2 directive introduces clear consequences for non-compliance that go beyond the organisation itself and extend to people in leadership positions.
The directive introduces significant financial penalties. In addition, supervisory authorities are granted more power: from issuing recommendations and formal orders to taking more direct action that can impact how the organisation operates.
The most important shift, however, concerns the personal accountability of board members. NIS2 makes it explicit that they are responsible for overseeing cyber risk management and ensuring the effectiveness of implemented measures. Inaction, or merely superficial action, can lead to consequences that are not limited to the organisation.
The key takeaway is straightforward: a lack of proper engagement in cybersecurity is now both a business and a personal risk. This is one of the main reasons why board members are becoming increasingly interested in the topic.
Managing Suppliers and the Supply Chain
This is one of the most underestimated areas of cybersecurity, and at the same time one of the most significant sources of risk. Traditionally, organisations have focused on securing their own systems, assuming that would be enough. NIS2 makes it clear that accountability goes further.
From the directive’s perspective, suppliers and partners form an integral part of the organisation’s risk profile. As mentioned earlier, if a critical supplier fails, is compromised, or does not meet appropriate security standards, the impact is felt by your business, regardless of whether the issue originated internally or externally.
This requires a more structured approach to supplier management. The first step is identifying which suppliers are truly critical: those that could actually affect key business processes. This is followed by a more rigorous assessment of their security posture.
Ongoing monitoring is just as important. Supplier relationships are not static; technologies evolve, processes change, and new threats emerge. A one-off assessment is not enough. Organisations need mechanisms to continuously evaluate whether supplier-related risks remain within acceptable levels.
As a result, supply chain security is no longer just a procurement concern. It becomes part of the broader risk management framework that directly impacts business continuity and overall organisational resilience.
NIS2 – Incident Handling and Reporting
Under NIS2, simply handling an incident is not enough. The organisation needs to detect that something has happened in the first place, assess its impact accurately, and initiate the right actions within the required timeframe.
The starting point is visibility. Organisations need the capability to detect incidents, including the more subtle threats that can remain unnoticed for extended periods. This requires clearly defined responsibilities and processes, supported by fit-for-purpose technology.
The incident handling process should cover both technical actions and business decisions: when to escalate, how to communicate internally and externally, and how to manage the situation as it unfolds. In practice, this means preparing the organisation for a crisis before it occurs.
NIS2 also introduces formal requirements for reporting incidents within specific timeframes. This means organisations must be ready not only to respond, but also to report incidents in line with regulatory expectations. Timing is critical.
Building a Cybersecurity Culture
Another often underestimated and difficult area is the human factor. Even the most advanced technology and well-designed processes will not work if people do not follow them. In practice, many incidents still start with simple mistakes such as ignoring procedures, clicking on suspicious links or bypassing controls for convenience.
This is why cybersecurity culture is a key part of NIS2 compliance. One-off training sessions or awareness campaigns are not enough. Employees need to understand why certain rules exist, what risks they reduce and what the consequences of ignoring them can be, both for the organisation and for their own work.
Building this kind of culture requires consistency. There must be clear rules and processes, but also an environment that makes it easier to follow them than to bypass them. If security slows people down and workarounds are quietly accepted, even the best policies will fail in practice. Security should therefore be designed into processes from the start, not added later as an extra layer that adds friction.
The board plays a central role in this. It sets priorities and shapes behaviour through its decisions and communication. When cybersecurity is treated as part of how the business is run, it becomes part of everyday practice. When it is not, it remains a formality with limited impact.
Ultimately, cybersecurity culture is a leadership responsibility. IT and HR can support it, but it is the board that determines whether security becomes part of how the organisation actually operates or just another requirement on paper.
NIS2 – Audits and Compliance Monitoring
NIS2 compliance is not a one-off exercise that can be completed once a few measures are in place. It is an ongoing process of verification and adaptation to changing conditions, both internal and external.
In practice, this means regularly checking whether the implemented security measures are actually working and whether they still address current risks. These risks evolve quickly, so what was sufficient yesterday may no longer be adequate today.
For this reason, audits should not be treated as a formality. They are a management tool that helps answer simple but critical questions: are our measures effective, are we keeping up with change, and is our level of risk still under control?
Common Mistakes Organisations Make
Rather than theoretical risks, let’s focus on real-world patterns that continue to cause significant problems under the NIS2 directive.
- One of the most common misconceptions is the belief that deploying individual security tools, such as a firewall or antivirus software, is enough. In reality, cybersecurity does not rely on a single solution but on a coherent, organisation-wide approach to managing cyber risk.
- A similar misunderstanding applies to outsourcing. Handing over IT or security to an external provider does not transfer responsibility. The organisation remains accountable for whether security measures are appropriate and effective, regardless of who implements or operates them.
- Another frequent assumption is that smaller organisations are not attractive targets. In practice, many attacks are mass-scale or opportunistic. Threat actors do not select victims manually; they exploit vulnerabilities wherever they find them. As a result, organisational size often doesn’t matter.
Each of these assumptions leads to the same issue: a false sense of security.
What You Should Do in the Next 3–6 Months
At this stage, the most important actions are decisions and plans that set the direction for the entire organisation. These steps will determine whether cybersecurity becomes a real part of how the business is run or remains an operational side topic.
The key steps at this point are:
- approve a cyber risk assessment
- define the organisation’s risk appetite
- secure budget and resources
- assign clear accountability
- introduce regular reporting to the board
- review critical suppliers
These are starting points, not end goals. Their purpose is to build a foundation on which a more mature, NIS2-aligned approach to cybersecurity can be developed.
Conclusion: Cybersecurity as a Strategic Responsibility
The biggest change introduced by NIS2 is the shift in responsibility. The board has to set the direction and make the decisions, and board members will be held accountable when things go wrong.
Cybersecurity is no longer a project that can be delivered and closed. It is not a one-off implementation, an internal audit, or a checklist of tasks to complete. With NIS2, it becomes an ongoing discipline that requires continuous attention and informed governance.
It is also no longer optional. The level of risk, regulatory expectations, and the direct impact on business operations mean that cybersecurity becomes an integral part of how the organisation is managed. And it is at this strategic level that it needs to be treated.
This shift in perspective is crucial, because only then can organisations meet NIS2 requirements and genuinely strengthen their resilience and ability to operate in an increasingly unpredictable environment.
