Responsibility of board members in NIS2 – how to avoid personal risk?

The EU’s NIS2 Directive significantly changes the approach to cybersecurity responsibility in organisations. Ultimate responsibility for information security rests with the governing body (management board) of the entity, and failure to comply with the new obligations may result in severe sanctions, including personal liability for decision-makers. This is a cultural shift, where cybersecurity is no longer seen solely as an IT issue, but becomes part of corporate oversight, as important as finance or legal compliance. NIS2 introduces formal responsibility for senior management for non-compliance with cyber risk management requirements, forcing boards to permanently include cybersecurity on their agenda. In practice, this means that every member of the board of a medium or large company covered by the directive should ask themselves, ‘Do we have control over this?’


New responsibilities of the board of directors under Article 20 of the NIS2 Directive

The most important changes in NIS2 concern Article 20 of the Directive, which explicitly defines the tasks and responsibilities of the ‘management body’ in cybersecurity. In practice, the management body is the company’s board of directors or an equivalent decision-making body. The key responsibilities of management board members of ‘essential entities’ and ‘important entities’ (within the meaning of NIS2) now include, among others:

– Approving cyber risk management policies and measures

The management board must formally approve the implementation of technical and organisational measures to meet the security requirements of Article 21 of NIS2. It is no longer sufficient to simply approve the IT budget – a conscious decision is expected to approve, for example, cybersecurity strategies, information security policies, business continuity plans, etc.

– Supervision of implementation and compliance

The management board is responsible for overseeing the entire process of cyber risk management and NIS2 compliance. In other words, it should monitor progress, enforce the implementation of measures and ensure that the organisation fulfils its obligations (e.g. responds to incidents, removes vulnerabilities, maintains the required documentation). This requires the establishment of reporting and internal control mechanisms.

– Personal liability for breaches

The Directive indicates that members of the management board may be held liable for breaches of the provisions (e.g. failure to comply with the requirements of Article 21 of the Directive). This means that supervisory authorities will be able to impose sanctions not only on the company as a whole, but also directly on members of the management board if they find that they have been negligent.

– Mandatory cybersecurity training

The management board and senior management must regularly improve their cybersecurity skills through training. The aim is to ensure that every director has sufficient knowledge to identify threats and assess risk management practices within their own organisation. Furthermore, the directive also encourages similar regular training to be offered to employees at lower levels.


As a result of these changes, cybersecurity is becoming a matter of corporate oversight. For many boards, this will be a new development, as these matters have previously been delegated to the IT or security department. Now, the law requires the board to be personally involved in cyber issues and take responsibility for them, just as it does for the company’s finances or regulatory compliance. As the European Commission emphasises, this is to ‘bring cybersecurity into the boardroom’ and ensure that management treats it as a priority.


Severe financial and personal sanctions for NIS2 non-compliance

The new obligations introduced by NIS2 come with real consequences for both organisations and board members. The directive sets minimum thresholds for sanctions that Member States must implement and paves the way for personal penalties and, in extreme cases, criminal liability.


Financial penalties for organisations can be very high. For essential entities (critical sectors, e.g. energy, transport, banking, health, digital infrastructure), NIS2 requires a maximum penalty of at least €10 million or 2% of global annual turnover, whichever is higher. For important entities (significant but not critical sectors, e.g. digital services, food production, chemical industry), the penalty ceiling is at least €7 million or 1.4% of turnover. The final amounts of the penalties will depend on national law – the directive specifies the minimums, and countries may set higher ones. For example, the Polish draft law implementing NIS2 provides that a company (entity) may be subject to administrative penalties for breaching its cybersecurity obligations, even if the breach has already ceased, taking into account, among other things, the duration and effects of the incident.


Penalties for managers are a completely new element. The supervisory authority will be able to punish a member of the management board directly for negligence, regardless of the penalties imposed on the company itself. Possible personal sanctions include, among others:

– Fines for managers

New national regulations will allow financial penalties to be imposed directly on members of the management board, even if the company has already remedied the breaches. In Poland, the maximum fine is up to 600% of the person’s monthly salary. Such a high penalty is intended to act as a deterrent and remind people that personal negligence can be costly.

– Temporary suspension or prohibition from performing functions

In the event of serious or repeated breaches, regulators will be able to temporarily suspend a board member or prohibit them from performing managerial functions in entities covered by NIS2. This applies in particular to companies in critical sectors where the systemic risk is greatest.

– Public disclosure of information about the breach and the persons responsible

The regulatory authority may order the disclosure of information about the breach and the persons responsible for it. In other words, the name of a board member who has neglected their duties may be publicly disclosed along with a description of the breach.

– Criminal liability

Although NIS2 does not create a catalogue of offences, it requires countries to ensure effective enforcement of obligations. The Polish draft amendment to the Act on the National Cybersecurity System explicitly indicates the possibility of holding a member of the management board criminally liable for gross negligence, e.g. failure to supervise, falsification of information or failure to report an incident. In extreme cases, this may mean criminal proceedings against the manager.


All of the above measures have one goal: to encourage management boards to actively engage in cybersecurity issues and not leave them solely to technical experts. In practice, this means establishing appropriate oversight structures, compliance mechanisms and a culture of accountability. For board members, this sends a clear signal that ignorance or disregard of their new responsibilities could cost them dearly.


Good practices for cybersecurity oversight by the board of directors according to NIS2

The NIS2 Directive requires boards of directors not only to formally approve security measures, but also to exercise active and documented oversight. Below is a set of recommended practices that help fulfil this obligation and reduce the personal risk to decision-makers.

1. Integrate cybersecurity into corporate governance

Treat cyber threats like any other strategic risk, i.e. define the level of acceptable risk, include cyber in policies and Enterprise Risk Management. Risk and audit committees should also cover information security.

2. Establish a cybersecurity committee or appoint a ‘cyber officer’ on the board

Appoint a person responsible for overseeing cybersecurity or create a cyber committee at the board/council level. This strengthens oversight and avoids blurring of responsibilities, also in the context of Polish regulations.

3. Regular, periodic reports to the board of directors

Periodic (e.g. quarterly) CISO/CIO reports should include incidents, security indicators, NIS2 compliance levels and decision-making recommendations. The board of directors makes informed decisions based on an up-to-date picture of the situation.

4. Minutes and formal resolutions

Minutes and resolutions are proof that the management board exercises real oversight. Every decision concerning security, i.e. policy, budget, and action plan, should be documented and formally approved.

5. Clear structure of responsibility

Define who is responsible for what, from the management board to the technical team. The RACI matrix organises oversight, but does not relieve the management board of responsibility, so it is worth clearly signalling this in the internal structure.

6. Independent audits and compliance assessment

Conduct a comprehensive security audit at least every two years. Regular testing, benchmarking and compliance checks provide the management board with a sound basis for decision-making and proof of due diligence.

7. Efficient response plan and escalation procedures

The management board should be familiar with the general plan of action in the event of an incident and know when and how it will be informed. Simplified, realistic escalation procedures help to avoid chaos in critical situations.

8. Document everything and demonstrate due diligence

Training certificates, reports, decisions, approved budgets – everything should be documented. This is a protective shield for the board in the event of an audit or personal liability after an incident.


In summary, the management board must create a governance framework for cybersecurity and actively participate in it. NIS2 does not dictate exactly how to do this – it leaves organisations some flexibility. However, the practices described above meet the expectations of regulators and are a reasonable minimum to be able to say that ‘our board actually oversees cybersecurity’.


Mandatory NIS2 training for management – how to organise it?

The NIS2 Directive introduces one of the most measurable obligations for management boards, i.e. regular cybersecurity training. This is not about technical expertise, but about the ability to understand cyber threats, risks and their impact on the company’s operations. Informed supervision requires basic knowledge and an up-to-date perspective.

The draft amendment to the Act on the National Cybersecurity System provides for at least one training session per year for each member of the management board of an ‘essential entity’ or ‘important entity’. The training should be formally confirmed, e.g. by a certificate, attendance list or minutes. In practice, however, it is worth going further and implementing a model based on regular, shorter sessions supplemented once a year by strategic training.

Closed training courses, tailored to the organisation, with reference to its specific characteristics, industry and risks, work best. The content should be prepared by an expert (internal or external) who knows the realities of the company and/or the sector in which it operates. High effectiveness requires interactivity, including scenarios, Q&A sessions and joint case studies. The training should cover strategic aspects, i.e. management board responsibilities, response mechanisms, incident management and crisis decision-making.

Documentation is just as important as content. Failure to confirm participation in training may be considered a breach of a board member’s duties. Therefore, each session should be documented and stored as evidence of due diligence.

The management board is also responsible for the organisational culture, including the employee training system. Article 20 of NIS2 obliges countries to promote awareness-raising in companies. In practice, it is worth implementing regular training on cyber hygiene and phishing, social engineering tests and educational campaigns tailored to specific departments. The role of the management board is to provide the budget and support for such activities, including by setting a personal example.

In summary, training is no longer a good practice, but a legal requirement. A well-thought-out, documented and cyclical management training programme is now a key element in limiting personal liability and one of the best proofs of effective cybersecurity oversight.


How to limit personal risk arising from NIS2? – practical recommendations for managers

The prospect of personal liability may be a cause for concern for many board members. However, appropriate preventive measures can significantly reduce the risk of ever finding ourselves in the regulator’s crosshairs. Here is a summary of recommendations that every senior manager should consider to protect themselves and their company in the face of NIS2:

– Know your responsibilities and ensure compliance

Gain a basic understanding of NIS2 requirements and check whether your organisation has conducted a gap analysis and has an implementation plan. If not, initiate this, e.g. by commissioning a compliance audit. Monitor progress, ask for reports, and take an interest in statutory deadlines.

– Ensure adequate resources and budget

Security requires investment. If the CISO or IT department reports needs, treat them as a priority. The regulator will not consider a lack of funds an excuse, but rather evidence of negligence.

– Leverage expert knowledge

You don’t need to be technical, but you do need to be aware. Have an experienced CISO on hand, consult external advisors, and use independent assessments. Build a relationship with an incident response company ahead of time, since during an incident time will always be of the essence.

– Insure yourself (wisely)

Update your Directors & Officers policy for cyber risks and check that it covers legal support and consultancy costs. Consider an additional cyber policy that can cover the costs of an incident and shorten the time it takes to return to normal.

– Build a culture of security within your organisation

Create an environment where risks are discussed openly, and incident reporting is not subject to sanctions. Set security-related KPIs, reward vigilance, and demand commitment from all levels of the organisation.

– Be prepared for the worst (plan B)

Ensure that crisis procedures are in place and that everyone, including yourself, is familiar with them. Prepare a communication plan, contact lists and emergency access. Regularly review and update these procedures after incidents or simulations.

– Get personally involved regularly

Your interest in the subject is the best safeguard. Ask questions, participate in training, and read reports. An engaged management team makes better decisions and protects the company and itself more effectively.


Summary

The NIS2 Directive presents a challenge for management boards, but also an opportunity. It is a challenge because it forces them to enter an area that has often been unfamiliar to them, imposing new responsibilities and personal risks. It is an opportunity because it will better protect companies from cyberattacks, and incidents will no longer be the result of ignorance or lack of support from management. For board members, this means broadening their horizons, i.e. acquiring knowledge, establishing new supervisory rules, and taking joint responsibility for (seemingly) technical issues.

As we have shown, there are specific steps that can be taken now to avoid personal risk, i.e. from introducing regular reports and procedures, through self-training, to building a culture of security.

It is worth asking yourself the reflective question, ‘Does our board really have control over this?’ If the answer is ‘not entirely’ or ‘I’m not sure,’ then it is a clear signal that it is time to act. NIS2 may raise concerns among management, but with the right approach, it will become a driver of positive change that will ultimately protect both the organisation and its decision-makers.


Read more about NIS2: https://ttsw.com.pl/cyberbezpieczenstwo-ochrona-danych/audyty-cyberbezpieczenstwa-dla-firm/audyt-nis2/