NIS2 makes a deliberate change: cybersecurity is no longer something the board can delegate and forget. Management bodies must approve the risk-management measures, oversee their implementation, and can be held personally liable for failures. Security has become a governance obligation.
For many boards this is uncomfortable, because it requires understanding controls well enough to approve them. The directive does not expect directors to be engineers — but it does expect them to engage, decide and document.
A board-level duty
Under NIS2, the management body is explicitly responsible for the organisation’s cybersecurity posture. That responsibility cannot be fully outsourced to a CISO or a vendor. The board owns the decision; others execute it.
What boards must approve
At minimum, leadership should formally approve the risk-management measures and the overall security strategy. That means the board sees, understands and signs off on:
- The organisation’s risk assessment and risk appetite.
- The set of technical and organisational measures in place.
- The incident-response and reporting process.
- The supply-chain and third-party security approach.
Ongoing oversight, not a one-off
Approval is not a single meeting. Boards are expected to maintain oversight — regular updates on posture, open risks, incidents and remediation. Build a standing agenda item rather than an annual surprise.
Treating board approval as a signature on a document nobody read. If a regulator asks, the board should be able to describe the key risks and the measures they approved — not just point to a PDF.
Personal liability
NIS2 allows member states to hold members of management bodies personally accountable for breaches of their cybersecurity duties. The exact mechanisms vary by national transposition, but the direction is clear: negligence at the top has consequences for the people at the top.
Evidencing the sign-off
Because liability attaches to the board’s decisions, those decisions need a clean record: what was presented, what was approved, when, and by whom. Keep this alongside your control evidence so the governance trail and the operational trail tell one consistent story.
Key takeaways
- NIS2 makes the board responsible for cybersecurity — it cannot be fully delegated.
- Leadership must approve risk measures and maintain ongoing oversight.
- Directors can be held personally liable, per national transposition.
- Keep a clean record of what the board was shown and approved.
Want board-ready reporting out of the box? Book a 30-minute demo and we will set up your governance view.
This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.