Cybersecurity is Now a Board Matter
NIS2 marks a paradigm shift: cybersecurity is no longer an issue that can be left to the IT department. With the NIS2 Directive implementation deadline of 17 October 2024, boards and senior management have explicit, personal responsibility for organizational cybersecurity.
This isn’t just about avoiding fines. Management teams that take their responsibility seriously build organizations that are more resilient — and more credible to customers, partners, and investors.
Key Question: Can your board today describe the organization’s top three cyber risks and how they’re managed? If not, there’s work to be done.
What Does the Law Say?
NIS2 Article 20 — Management Body Responsibility:
- Management must approve the required cybersecurity measures
- Management must oversee the implementation of these measures
- Management can be held liable for breaches
- Management must undergo training to assess risks
- Training must be regularly offered to personnel
This responsibility cannot be delegated.
Five Key Board Responsibilities
- Approve the Cybersecurity Policy: The board must formally approve the organization's overarching cybersecurity policy. The policy should cover risk management, incident management, business continuity, and supplier security. Approval must be documented in board minutes.
- Ensure Risk Management: The board is responsible for establishing a systematic risk management process. This means risks are identified, analyzed, treated, and regularly monitored. Reports on top risks must reach the board level.
- Undergo Cybersecurity Training: Every board member and senior management personnel must undergo training. The purpose is to identify risks and assess whether security measures are adequate. Training must be relevant to the business operations.
- Monitor Implementation: Approval alone isn't enough — the board must also follow up that measures are actually implemented. This requires regular reporting and KPIs showing progress.
- Handle Incidents at Management Level: For significant incidents, management must be informed and make decisions. Incident reporting to authorities within 24 hours requires a functioning escalation chain.
What Happens with Non-Compliance?
Fines up to €10 million or 2% of global turnover for essential entities. For important entities, €7 million or 1.4% applies.
Supervisory authorities can require public disclosure of breaches and issue public statements identifying responsible persons.
Management personnel can be held personally liable. In serious cases, individuals can be prohibited from holding management roles in organizations covered by NIS2.
Organizations with poor compliance may be subject to intensified supervision, including regular audits and reporting requirements.
Practical Tips for Board Meetings
Structure Cybersecurity as a Standing Item
Cybersecurity shouldn’t only be discussed when something goes wrong. Make it a standing agenda item:
- Quarterly: Overall status report, top risks, ongoing initiatives
- Annually: Review of cybersecurity policy, approval of annual plan
- As needed: Incidents, major changes, new requirements
Report Structure
A good cybersecurity report to the board contains:
1. Current Status and Maturity
- Where do we stand against NIS2 requirements?
- How do we compare to industry peers?
2. Top Risks
- What are the three to five biggest risks?
- How likely are they? What are the consequences?
3. Actions Taken
- What have we done since last time?
- Have we had incidents? How were they handled?
4. Ongoing Initiatives
- What projects are underway?
- Are we on time and budget?
5. Resource Needs
- Do we need more resources?
- Are there competency gaps?
Questions the Board Should Ask
- What are our most critical systems and data?
- How quickly can we recover from a ransomware attack?
- How do we manage security with our suppliers?
- Have we tested our incident response in the past year?
- Do we meet all NIS2 requirements? If not, what’s missing?
Dashboard and KPIs for Management
An effective management dashboard provides oversight without drowning in details:
| KPI | Description | Target |
|---|---|---|
| Compliance Level | Percentage of NIS2 requirements met | 100% |
| Critical Risks | Number of open critical risks | 0 |
| Incidents | Number of significant incidents | Downward trend |
| Patch Level | Percentage of systems with current patches | >95% |
| Training | Percentage of staff completed training | 100% |
| Suppliers | Percentage of critical suppliers assessed | 100% |
Common Mistakes to Avoid
NIS2 makes it crystal clear: responsibility lies with management. Delegating operational work is fine, but accountability cannot be delegated away.
A one-hour generic presentation isn't enough. Training must be substantial enough for management to actually assess risks and measures.
Only acting when something goes wrong is too late. Proactive risk management and regular follow-up are key.
If it's not in the minutes, it didn't happen. Document board decisions, approvals, and information presented.
Next Steps: Check if your organization falls under NIS2 scope and read more about all NIS2 requirements in our framework overview.
How Securapilot Can Help
Securapilot provides management with the tools needed to meet NIS2 requirements:
- Management Dashboard — Overview of compliance status, risks, and incidents
- Automated Reports — Board reports with appropriate level of detail
- Risk Management — Traceability for all risks and decisions
- Documentation — Evidence of approvals and follow-up
- Incident Management — Escalation and reporting within required timeframes
Book a demo and see how we can help your board take control of cybersecurity.
Frequently asked questions
Can the board delegate cybersecurity responsibility?
No, under NIS2, management's responsibility for cybersecurity cannot be delegated. The board must actively approve measures and oversee implementation. While operational work can be delegated, the ultimate responsibility remains with management.
What training is required for the board?
NIS2 requires management to undergo regular cybersecurity training to identify risks and assess security measures. Training must be tailored to the organization's operations and risk profile.
Can board members be held personally liable?
Yes, NIS2 enables personal liability for management personnel in cases of serious breaches. In extreme cases, individuals can be prohibited from holding management roles. This represents a significant departure from previous practice.
How often should the board address cybersecurity?
While there's no specific requirement, best practice is quarterly reporting to the board plus extraordinary meetings during incidents. Cybersecurity should be a standing item on the board's agenda.