News
NIS2: What Every Board Needs to Know Before October
March 30, 2026
NIS2 moves cybersecurity from the server room to the boardroom — with personal liability for directors, a tight notification clock, and obligations that reach deep into your supply chain. Here is the briefing your board actually needs.
The EU's NIS2 Directive has redrawn the line of accountability for cybersecurity. The headline for directors is blunt: management bodies must approve the organisation's cybersecurity risk-management measures and oversee their implementation, and the directive requires member states to ensure those bodies can be held liable for infringements. Several national transpositions make that liability personal to individual directors. This is no longer a topic to delegate wholesale to IT.
If your organisation falls within scope, you are classified as either an essential or an important entity. Both carry obligations; the difference lies mainly in supervisory intensity and the size of potential penalties. The sector list is broad — energy, transport, banking, health, digital infrastructure, public administration, and more — and the size thresholds catch many mid-market firms that previously assumed they were out of frame.
Three things the board must internalise
- The notification clock is fast. A significant incident triggers an early warning to the competent authority or CSIRT within 24 hours of becoming aware of it, a fuller incident notification (including an initial assessment of severity and impact) within 72 hours, and a final report within one month of that notification. The authority may also request intermediate status updates in between. You cannot improvise this under pressure: the reporting path, the criteria for "significant", and the decision-makers must be defined in advance.
- Liability is personal, and oversight must be evidenced. Members of management bodies are required to follow cybersecurity training and to be able to show active oversight (approved measures, minuted reviews, tracked remediation). "We trusted the vendor" is not a defence.
- Supply chain is in scope. You must assess and manage the security risks arising from your direct suppliers and service providers, taking account of their own security practices and known vulnerabilities, not just your own perimeter.
Practical board actions before October
- Confirm whether you are in scope, and as which class — get this in writing.
- Assign a named executive owner for NIS2 and require a standing agenda item.
- Commission a gap assessment against the directive's risk-management obligations (incident handling, business continuity, supply-chain security, access control, encryption, vulnerability disclosure).
- Stand up, and rehearse, an incident-notification process that can meet the 24-hour early-warning window, including who decides that an incident is "significant" and who is authorised to notify the authority.
- Review supplier contracts for security clauses and breach-notification duties.
The organisations that struggle with NIS2 are not the ones with weak technology. They are the ones where nobody at board level can answer "are we in scope, and who owns this?"
The deadline pressure is real, but the directive rewards substance over paperwork. A board that can demonstrate genuine oversight, a tested response capability, and a credible handle on supplier risk is in a strong position — regardless of how the final national transposition reads. Start with scope and ownership; the rest follows.