NIS2 liability
1 min. read time
In this article we inform you about the NIS2 liability for board members. The recently updated Network and Information Security (NIS2) directive represents a shift in the approach to cybersecurity within the European Union. The NIS2 Directive expands the responsibilities of organizations. In doing so, it imposes requirements on the boards of both essential and important entities.
The NIS2 regulations will come into effect from the end of 2024. Many companies will therefore need to take measures and put cybersecurity in place. Would you like to know whether your organization is subject to NIS2 liability? Via this link you will find extensive information and can check whether NIS2 applies to your organization.
NIS2 obligations
One of the most striking changes is the explicit NIS2 liability imposed on management. Boards of essential and important entities are directly liable for compliance.
To meet its responsibilities, management must:
- adopt cybersecurity risk management measures, as required by Article 18;
- monitor the implementation of the directive;
- take responsibility for compliance with the directive.
It is therefore important for directors to be proactive in managing cybersecurity and remain alert to potential threats.
Cybersecurity training
The NIS2 directive requires that members of management be trained in cybersecurity risk management. After all, members of management teams should be well equipped to evaluate cybersecurity risks and understand their impact on business operations. This is achieved by attending cybersecurity training courses, and directors should be able to demonstrate that they have participated in such training.
Who will be the supervisor of NIS2?
The enforcement of NIS2 lies with national authorities, who have the power to:
- conduct on-site and remote inspections, including taking samples;
- conduct regular audits and targeted security audits;
- initiate information requests to assess an entity’s controls.
Phased approach
Cyber risks can escalate rapidly and have a significant impact. That is why national authorities have the power to intervene immediately, with a range of controls. The NIS2 directive takes a phased approach to compliance and sanctions. This starts with warnings; in case of continued non-compliance, binding instructions and fines follow.
NIS2 fines
Non-compliance can result in the following sanctions, among others:
- warnings and binding instructions to correct deficiencies;
- requirements to stop certain activities;
- obligations to adjust risk management measures;
- disclosure of non-compliance and publication of the responsible individuals or organizations.
Essential entities may additionally face specific controls such as appointing a supervisory officer and, if necessary, temporarily preventing individuals in management positions from carrying out their responsibilities.
NIS2 liability
The introduction of NIS2 liability for the management emphasizes the importance of directors playing an active and informed role in cybersecurity. Due to the potential legal and financial consequences of non-compliance, they must take these responsibilities seriously. It is important that directors take the necessary steps to adequately protect their organizations against cyber threats.