It’s not just an IT problem: NIS2 and executive accountability | Softcat


NIS2: what you need to know and why it matters

Cyber threats are growing fast, and governments are stepping up their response. One of the biggest moves in recent years is the European Union’s NIS2 Directive, which came into effect in January 2023. Even though the UK is no longer part of the EU, NIS2 still matters for UK organisations, especially those with operations or suppliers in Europe.

Importantly, the Directive also signals a broader international shift towards regulated cyber resilience, reflected in the UK’s own proposed Cyber Security and Resilience Bill, which is expected to align in principle with many of NIS2’s core obligations. UK organisations that fail to prepare risk both regulatory exposure in the EU and falling behind emerging domestic expectations.

What Is NIS2 and why should organisations care?

NIS2 is the EU’s updated cyber security law. It’s designed to improve resilience across key sectors and applies to essential industries like healthcare, energy and transport, as well as important entities such as digital services, manufacturing and postal services. If your organisation is medium-sized or larger, or provides critical services, it’s likely you’re included.

What makes NIS2 different is its focus on executive accountability. Cyber security is no longer just an IT issue. Senior leaders are now legally responsible for making sure their organisation is secure. That means approving security plans, overseeing implementation and ensuring staff (including themselves) receive proper training.

How does this impact you?

NIS2 introduces several new requirements to be aware of:

  • Governance: Executives must take ownership of cyber security. They need to be trained, stay informed and be actively involved in decision-making

  • Security measures: Organisations must put in place key controls such as risk assessments, incident response plans, secure access (including multi-factor authentication), encryption and supply chain security

  • Incident reporting: If a serious cyber incident happens, organisations must report it quickly: an early warning within 24 hours, a full report within 72 hours and a final update within a month

The consequences for not complying are serious. Fines can reach up to €10 million or 2 percent of global turnover. Executives could face personal penalties, including disqualification or even prosecution, depending on national laws. Regulators can also publicly name and shame organisations that fall short, and that could be any organisation in scope.

What do organisations need to do to be compliant?

A few steps that could help with NIS2 compliance:

  • Appoint a NIS2 Lead: This could be your Chief Information Security Officer or Data Protection Officer, but they need direct access to the board
  • Review your cyber risk plan: Make sure it aligns with NIS2 requirements and is approved at the executive level
  • Update your incident playbooks: Include NIS2’s strict reporting timelines
  • Train your board: Annual training on cyber risk and governance is now essential
  • Monitor compliance: Regular updates on gaps, risks and progress should be part of your board agenda

For any assistance on NIS2 compliance, or if you'd like to speak to one of our compliance pros – please reach out via this contact form.