Is your leadership team prepared?
One of the more significant changes NIS2 introduced was the extension of personal liability to the management bodies of in-scope organisations.
This is not a procedural footnote.
Under the directive, senior leaders can be held individually accountable for cybersecurity failures: not just the organisation as a whole, but the individuals responsible for governance decisions.
Personal liability: not just the organisation
The practical implication is that approving a budget cut to IT security, or signing off on a cybersecurity programme without adequate oversight, carries personal risk for the people involved. Regulators can require management to complete cybersecurity training. Following a serious breach, they can impose temporary bans on individuals from performing senior management functions. The organisation faces financial penalties; the people running it face professional and reputational consequences.
€10M: maximum penalty for essential entities, or 2% of global turnover
€7M: maximum penalty for important entities, or 1.4% of global turnover
The shift at board level
This shift changes the conversation at board level. Cybersecurity has historically been positioned as a cost centre, delegated to the IT team, and reviewed occasionally in an audit committee report. NIS2 makes that approach untenable for any organisation in scope.
What management must do
The obligations on management under NIS2 include approving cybersecurity risk management measures, overseeing their implementation, and ensuring staff receive adequate security awareness training. These cannot be delegated entirely to an IT function and treated as resolved. Management must be able to demonstrate active, documented involvement.
Incident reporting timelines
Incident reporting timelines add another layer of urgency. In-scope organisations are required to submit an early warning to the relevant competent authority within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours. Meeting those deadlines requires processes that are planned, documented, and tested in advance. Senior leaders who have not ensured those processes exist are exposed when something goes wrong.
“It’s not the business that could get fined with NIS2. It’s the director’s responsibility to ensure they’re doing the right things to protect that data and the organisation. That’s the jaw-dropper moment in most conversations.”
Sean Lucas, Chief Technical Engineer, DNA IT Solutions
The point for directors
The financial penalties for non-compliance are set out in the directive itself: up to €10 million or 2% of global annual turnover for essential entities, whichever is higher; €7 million or 1.4% of global turnover for important entities. Actual penalties will depend on the circumstances, but the figures indicate the level of seriousness regulators are expected to bring to enforcement.
NIS2 compliance is a governance matter, not a technical matter. Boards and senior leadership teams that treat it otherwise are misreading their obligations under the directive.
