NIS2 | When the Board Becomes the Weakest Link

NIS2 delivers a clear message: cybersecurity is no longer just an operational concern, it is a board-level responsibility. Under the directive, the “management body” of essential and important entities must approve, oversee, and understand cybersecurity risks.

This marks a major shift. Cyber can no longer be delegated to IT. It must be treated as a core governance issue with real consequences, including personal liability.

Read on to explore what this means for your organisation and how to prepare effectively.

Cybersecurity in the Boardroom

NIS2, the EU’s new Network and Information Security Directive, is unambiguous: ultimate accountability rests with “the management body” of every essential and important entity within the Union. Boards must approve cybersecurity risk‑management measures, oversee their implementation and ensure that every director has sufficient knowledge to assess cyber risk. Failure to do so carries the widely noted sanctions and, notably, personal liability as well.

For many boards, this is a cultural shock. Cybersecurity can no longer be delegated to IT; it must be governed like any other strategic, enterprise‑wide risk.

The Mistake: Disconnected Leadership in Cybersecurity Strategy

When advising organisational leadership, we frequently see the same patterns. Cybersecurity is viewed as a technical issue rather than a strategic priority, and leadership is not genuinely involved in the actual risk-based cybersecurity effort. This disconnect results in unclear governance, delayed decision-making, and an underestimation of regulatory responsibilities such as those under NIS2.

These are the most common pitfalls:

Disconnected leadership
The board receives sporadic, jargon‑laden updates and has no clear view of exposure while NIS2 expects demonstrable oversight and informed decision making based on documented, systematically managed risks.

Overly technical reporting
Directors must be able to assess risk in business terms to make defensible decisions.

Disinterested leadership
A negative spiral develops in which leadership disconnects ever further from strategic cybersecurity efforts.

Lack of focused governance
The operational part of the organisation is overworked and unable to align cybersecurity efforts with the overarching strategic goals.

Fragmented or overly complicated incident plans
Given the increasingly intricate reporting requirements of EU legislation and the frequency of high-profile cyber-attacks, an organisation under the stress of an incident or disruption must report to authorities concisely, clearly and quickly.

Decision paralysis
As always, any delay in mitigating cyber threats increases harm and may breach statutory timelines.

Boards that fall into these traps become the weakest link – even when the technical security controls are strong.

Why It Happens: Complexity Clouds Accountability

So why do these mistakes occur so commonly when the stakes are so high? The reasons are often simple and straightforward but can be challenging to counter.

Disconnected leadership – The board receives sporadic, jargon‑laden updates and has no clear view of the actual exposure; the reporting is neither referenced to nor integrated with actual business risk.

Overly technical reporting – Metrics from cybersecurity professionals often focus on patch counts or firewall logs, while strategic risk and business impact factors are often overlooked.

Disinterested leadership – Due to the complexity of cybersecurity and the lack of clear reporting, leadership’s interest and involvement in the overarching cybersecurity effort often fades.

Lack of focused governance – Due to the points above and the lack of focused engagement, there is no clear visibility of the need for integrated cybersecurity in the operational business. Hence, the operational business lacks adequate resources for its cybersecurity efforts.

Fragmented or overly complicated incident plans – Plans dive into playbook detail but omit high‑level triggers, roles and escalation paths.

Decision paralysis – Without a pre‑agreed risk appetite, decisions on downtime, ransom payments or disclosure stall.

How to Get It Right: Close the Gap

As cybersecurity specialists often repeat, and as is always worth mentioning, cybersecurity is a matter for top management. Without the support of key decision makers within the organisation, any cybersecurity risk management effort risks never being mandated or systematically implemented.

Start by:

Integrating cybersecurity risks in the overarching enterprise risk management

  • Cybersecurity risks should be treated like any other business risk. Align consequence categories with those of the enterprise risk framework to prioritise risk management efforts more effectively.
  • Work with risks systematically: risk management is not a one-time task but a living, breathing process within the organisation, fostered by a risk-based approach.
  • Involve key leadership in cybersecurity risk discussions. Clearly define their roles and responsibilities in managing and accepting cyber risks.

Building an executive‑friendly reporting chain

  • Map critical processes and assets in business language, not technical inventory codes. There is a reason why ISO 27001 translates information security into people, processes and technology (with the added dimension of physical security, of course).
  • Visualise the cybersecurity status and cyber risks through understandable means, for example a dashboard with red‑amber‑green thresholds aligned to risk appetite.
  • Require quarterly board review and minute the discussion to prove oversight.

Building board competence – fast

  • Provide focused training on NIS2 obligations, the threat landscape and decision-making under pressure.
  • Run scenario-based tabletop exercises that force trade-offs between speed, cost and resilience. Keep the exercises varied: cybersecurity incidents, business continuity exercises and crisis exercises, to name a few.
  • Make training recurring, not one-off: Article 20 of NIS2 requires continuous competence.

Embedding security into corporate culture

  • Incentivise secure behaviour in KPIs and performance reviews – from the CEO down. According to ISO 27001, cybersecurity roles must be clearly documented and regularly assessed for training and experience needs.
  • Celebrate “near‑miss” reporting to encourage transparency. A real-life example of this from our own experience is at an organisation where the CISO offered a small piece of candy to any employee who reported an envisioned vulnerability or risk.

Stress‑test and iterate

  • Simulate a 24‑hour early‑warning drill: can you identify, classify and escalate within the deadline?
  • After every drill or real incident, hold a blameless post‑incident review and update the governance documents.

Next Step

NIS2 further establishes cybersecurity as a leadership discipline. Management and boards that step up will make faster, better‑informed decisions, strengthen resilience and win stakeholder trust – and, of course, avoid fines and personal liability. Boards that hesitate risk becoming the organisation’s single point of failure.

Schedule your session today and take a proactive step toward NIS2 compliance.

Gustav Jansäter

Manager, Cyber & Digital Risk

Ludwig Modin

Associate, Risk

Resilience by Design: Leading NIS2 from the Top

We help organisations meet the requirements of the NIS2 Directive – from gap analyses and risk assessments to incident response management and executive advisory. With deep expertise in cybersecurity and regulatory compliance, we deliver tailored solutions aligned with the EU-wide NIS2 Directive and its national implementations across Member States.

Learn more through our dedicated NIS2 resource hub, or dive into the article: NIS2 | Why Many Get It Wrong.
