NIS2 · Article

Management liability: what boards must know

NIS2 moves cybersecurity from the IT department to the boardroom. Leadership must approve risk measures, oversee them, and can be held personally accountable. Here is what that...

NIS2 makes a deliberate change: cybersecurity is no longer something the board can delegate and forget. Management bodies must approve the risk-management measures, oversee their implementation, and can be held personally liable for failures. Security has become a governance obligation.

For many boards this is uncomfortable, because it requires understanding controls well enough to approve them. The directive does not expect directors to be engineers — but it does expect them to engage, decide and document.

A board-level duty

Under NIS2, the management body is explicitly responsible for the organisation’s cybersecurity posture. That responsibility cannot be fully outsourced to a CISO or a vendor. The board owns the decision; others execute it.

”NIS2 did not make boards responsible for writing controls. It made them responsible for knowing the controls exist and work.”

What boards must approve

At minimum, leadership should formally approve the risk-management measures and the overall security strategy. That means the board sees, understands and signs off on:

  • The organisation’s risk assessment and risk appetite.
  • The set of technical and organisational measures in place.
  • The incident-response and reporting process.
  • The supply-chain and third-party security approach.

Ongoing oversight, not a one-off

Approval is not a single meeting. Boards are expected to maintain oversight — regular updates on posture, open risks, incidents and remediation. Build a standing agenda item rather than an annual surprise.

Common pitfall

Treating board approval as a signature on a document nobody read. If a regulator asks, the board should be able to describe the key risks and the measures they approved — not just point to a PDF.

Personal liability

NIS2 allows member states to hold members of management bodies personally accountable for breaches of their cybersecurity duties. The exact mechanisms vary by national transposition, but the direction is clear: negligence at the top has consequences for the people at the top.

Evidencing the sign-off

Because liability attaches to the board’s decisions, those decisions need a clean record: what was presented, what was approved, when, and by whom. Keep this alongside your control evidence so the governance trail and the operational trail tell one consistent story.

Key takeaways

  • NIS2 makes the board responsible for cybersecurity — it cannot be fully delegated.
  • Leadership must approve risk measures and maintain ongoing oversight.
  • Directors can be held personally liable, per national transposition.
  • Keep a clean record of what the board was shown and approved.

Want board-ready reporting out of the box? Book a 30-minute demo and we will set up your governance view.

This article is general guidance, not legal advice. Verify obligations and deadlines for your organisation with qualified counsel.

NIS2GovernanceLiability
Put it into practice

Give your board
the oversight it needs

Book a 30-minute demo and we will set up the reporting that keeps leadership informed and accountable.