NIS2 liability for board members
In this article we inform you about the NIS2 liability for board members. The Network and Information Security (NIS2) directive represents a shift in the approach to cybersecurity within the European Union. The NIS2 Directive expands the responsibilities of organizations. In doing so, it imposes requirements on the boards of both essential and important entities.
The NIS2 regulations have come into effect from the end of 2024. This makes it necessary for many companies to take measures and implement cybersecurity. Would you like to know whether your organization is subject to NIS2 liability? Via this link you will find extensive information and you can check whether NIS2 applies to your organization.
NIS2 obligations
One of the most striking changes is the explicit NIS2 liability imposed on management. Boards of essential and important entities are directly liable for compliance.
To meet its responsibilities, management must:
- adopt cybersecurity risk management measures, as required by Article 18;
- monitor the implementation of the directive;
- take responsibility for compliance with the directive.
It is therefore important for directors to be proactive in managing cybersecurity and remain alert to potential threats.
Cybersecurity training
Board members and management should be trained in cybersecurity so that they can effectively fulfill their responsibilities and liabilities. After all, members of management teams should be well equipped to evaluate cybersecurity risks and understand the impact on business operations. This is achieved by attending cybersecurity training courses. Directors should have demonstrably participated in such training.
Who will be the supervisor of NIS2?
The enforcement of NIS2 lies with national authorities, whose aim is to achieve a high level of cybersecurity in their country.
There are, however, situations where sanctions may be necessary. For this purpose, the national authorities have the following powers:
- carrying out inspections to verify compliance with cybersecurity risk management measures and incident reporting rules;
- conducting regular conformity assessments of essential entities;
- issuing information requests to assess an entity's controls.
Phased approach
Cyber risks have a rapidly escalating nature. They can have a significant impact. That is why national authorities have the power to intervene immediately, with a range of controls. The NIS2 directive takes a phased approach to compliance and sanctions. This starts with warnings. In case of continued non-compliance, binding instructions and fines follow.
NIS2 fines
Non-compliance can result in the following sanctions, among others:
- warnings and binding instructions to correct deficiencies;
- requirements to stop certain activities;
- obligations to adjust risk management measures;
- disclosure of non-compliance and publication of the responsible individuals or organizations;
- imposing fines ranging from a minimum of €500 to a maximum of €10,000,000.
Essential entities may additionally face specific controls such as appointing a supervisory officer and, if necessary, temporarily preventing individuals in management positions from carrying out their responsibilities.
NIS2 liability
The introduction of NIS2 liability for the management emphasizes the importance of directors playing an active and informed role in cybersecurity. Due to the potential legal and financial consequences of non-compliance, they must take these responsibilities seriously. It is important that directors take the necessary steps to adequately protect their organizations against cyber threats.
Prepare your organization!
Want to learn more about NIS2 and what we can do for you? Our experts are happy to discuss this topic with you.
📞 Contact us today for a free consultation or request more information about a training, certification, or verification.