🚨  NIS2 is now in effect. Security awareness is now legally required in the EU.

Check compliance
Start your free trial
Back to Resource Center

NIS2 and board liability: What every director needs to know

With NIS2, cybersecurity is no longer something a board can delegate and forget about. The directive places responsibility squarely at the management level and, in specific circumstances, holds individual directors personally liable. Underestimating that is not just an organisational risk; it is a personal legal one.

What NIS2 says about the role of directors

Article 20 of the NIS2 directive is explicit: the governing bodies of organisations that fall under the directive must approve cybersecurity measures and actively oversee their implementation. That is a fundamental shift compared to the original NIS1 directive, under which cybersecurity in practice largely rested with the IT department.

NIS2 requires board members to have sufficient knowledge of cybersecurity risks to fulfil their supervisory role meaningfully. The directive even explicitly mandates that management undergo training in this area. Pointing to a CISO or an external security firm is not enough; final accountability rests with the board.

Personal liability: what it means in practice

In the Netherlands, NIS2 has been transposed into the Cybersecurity Act (Cyberbeveiligingswet, Cbw). That act establishes a liability regime that goes beyond organisational fines. Where demonstrable negligence on the part of a director can be established, the supervisory authority may temporarily prohibit that person from exercising management functions. The measure targets the individual, not the organisation.

In concrete terms, a director who has persistently failed to ensure adequate cybersecurity measures, or who has ignored or concealed a serious incident, can be temporarily removed from office. This power is expressly designed as a lever to compel directors to take their responsibilities seriously.

The personal liability provision in the Cybersecurity Act applies only where demonstrable negligence by an individual director can be established. It is not an automatic consequence of every incident, but reserved for situations in which a board has structurally failed in its supervisory role.

Which organisations fall under these rules

NIS2 distinguishes between essential and important entities. Essential entities are large organisations in critical sectors such as energy, transport, healthcare, drinking water and digital infrastructure. Important entities are medium-sized organisations in those same sectors, supplemented by industries including chemicals, food production and digital service providers.

The board-level obligations from Article 20 apply to both categories. The difference lies in the intensity of supervision: essential entities may be subject to proactive audits by the competent authority, while supervision of important entities is in principle reactive, triggered by reports or incidents.

Category Size Supervision Max. fine
Essential entity Large (250+ employees or 50M+ turnover) Proactive 10 million euros or 2% of global turnover
Important entity Medium (50 to 250 employees) Reactive 7 million euros or 1.4% of global turnover

What is actually expected of directors

The law sets no specific technical requirements for board members, but it does set organisational and process requirements. In practice, those come down to four responsibilities:

  • Approving policy: the board must formally adopt and periodically review the cybersecurity policy, not merely receive it for information.
  • Allocating budget: adequate security measures require resources. The board is responsible for making those resources available.
  • Exercising oversight: reporting lines must exist that allow the board to assess the organisation’s security posture, even without technical expertise.
  • Following up on incidents: when a serious incident occurs, the board must be actively involved in the response and must meet the notification obligations towards supervisory authorities.

The notification obligation and the board’s role in it

NIS2 imposes strict notification requirements for significant incidents. An early warning must reach the competent authority within 24 hours of discovery. A detailed report follows within 72 hours, and a final report within one month. That timeline assumes the board is informed immediately and can act quickly.

A director who does not know what the internal escalation procedures look like, or who only hears about a serious incident days later, is creating unnecessary difficulties. Both substantively and legally. Compliance with the notification obligation is, after all, one of the areas that supervisory authorities can verify with relative ease.

How to prepare as a director

Preparation starts with insight. A director does not need to be a security expert, but must understand what risks the organisation faces, what measures are in place and how the organisation responds when something goes wrong. That calls for periodic security reporting at board level, clear escalation lines and an incident response plan the board is familiar with.

NIS2 also explicitly requires directors to undergo cybersecurity training. Not to make them technically proficient, but to enable them to weigh risks and evaluate policy. Organisations that take this seriously also document that training, so that they can demonstrate during an audit that the board has fulfilled its obligations.

Security awareness is an underestimated link in that chain, and not only for employees. A director who recognises a phishing attempt understands what is at stake when a member of staff does not. Guardey helps organisations embed that awareness at every level, from the shop floor to the boardroom.

NIS2 compliance starts here

Build a security culture before the regulator comes knocking.

Request a demo
Dinela Lokvancic
Dinela Lokvancic Marketing Specialist Dinela keeps Guardey's online presence up to date. She creates content that makes complex cyber security topics accessible, and helps organizations understand why security awareness training matters for their teams.
READY TO GET STARTED?

Join 500+ businesses already protecting their teams with Guardey

Start your free 14-day trial
14 days free · No credit card · Full access · Setup in 5 minutes
Or schedule a personalised demo