- By Jakob Krabbe Sørensen, attorney
NIS2 for Board of Directors: How to Meet Your Obligations
- August 28, 2024
As a board member of a NIS2-affected organization, you are personally liable and can be held liable for damages if you act negligently or otherwise in violation of the NIS2 requirements.
So, with the rest of the board of directors, you’re not ‘only’ responsible for understanding cybersecurity on a strategic level – where you can assess your organization’s risks – but also on a practical level so you can decide how to protect your organization against cyber threats and crime.
We help you every step of the way by giving you the answers to:
When is my organization affected by NIS2?
We see that both big and small get hit by cyber-attacks. For that reason, cybersecurity should be in everybody’s interest. Yet, it’s not all organizations that are affected by the requirements in NIS2.
To be affected – no matter the size of your organization – you must first and foremost be within one of these 10 categories:
If your organization doesn’t fall into the 10 categories above, it’s affected if it meets all three of the following criteria:
- Has 50 employees or more
- Has an annual turnover or balance sheet of €10 million
- Is an essential or important entity, meaning it’s in one of the 18 sectors we’ve made an overview of here:
There can be legal nuances that decide when an entity is either essential or important in NIS2. If you need help delving into those nuances, feel free to reach out to us.
What are the overall minimum requirements we need to comply with?
As NIS2 is a directive that EU countries must implement by national law, each law may look different from others.
However, NIS2 has defined some minimum requirements that all EU member states must implement. These requirements include:
- 10 minimum requirements to ensure adequate security
- Requirements for training (for management, key staff, and board)
- Requirements for incident reporting
If you want to dive into the details of the general minimum requirements of NIS2, you can do so here.
What are my obligations as a board member?
In general, the board of directors is often responsible for ensuring that the necessary procedures for risk management and internal controls are in place. Further, the executive management is responsible for day-to-day management and for following the guidelines and instructions issued by the board.
Thus, there are several minimum requirements that you, together with the rest of the board and management, are responsible for. You must make sure:
- To approve both a cybersecurity strategy and risk assessment prepared by the executive board
- To decide on your cybersecurity risk appetite based on the above cybersecurity strategy and risk assessment
- To approve security measures (i.e. organizational, technical, and operational measures) that match the risks you have analyzed in the risk assessment
- That the security measures meet the minimum requirements of NIS2
- That management and board of directors ensure adequate reporting and updates from the organization and executive management
- That the executive management and board of directors ongoing monitor that the strategy is being followed in practice.
6 recommendations to meet your obligations in practice
The Danish Board Association’s Center for Cyber Competence and Danish Center for Cyber Security have made a guide on cyber security for you as a board member – also, if you don’t sit on a board in a Danish organization.
In the guide, there are 6 recommendations to help you meet your obligations on a daily basis – we have listed the recommendations here:
#1: Ensure risk assessment
You and the rest of the board should receive and assess an updated cybersecurity risk assessment at least once a year— and as often as necessary.
You should base the risk assessment on the organization’s:
- Key assets
- IT systems
- Business model
- Key vulnerabilities
- Likely threats
- Potential losses from attacks
- Competitiveness and possible impacts on it
#2: Decide on risk appetite
The board should set the company’s cybersecurity strategy, including risk appetite, at least once a year and as often as necessary.
The strategy should take into account your:
- Overall business strategy
- Business objectives
- IT infrastructure
- Overall risk appetite
- Security budget
- Willingness to invest
#3: Ensure policies, processes, and readiness
As the board of directors, you should ensure and continuously check that the cybersecurity strategy is ‘translated’ into policies, processes, and procedures so that the employees can comply with the strategy daily.
You and the rest of the board should also ensure and continuously check that the organization has implemented adequate cyber hygiene, including a relevant backup that is continually tested.
Last, but not least, you should make sure your organization has an emergency and communication plan in place to be prepared and resilient in the event of a hacker attack or power outage.
#4: Ensure reporting
The board should have cybersecurity as a regular task on the annual calendar alongside other key risks.
You should also prioritize discussing cybersecurity every time you meet and ensure you get reporting before the meeting on:
- The current threat landscape
- Incidents
- Security test results
- Awareness and training activities
- Reviews of audits
#5: Set up processes for internal awareness and training
Both the board of directors and executive management should keep their cybersecurity knowledge and know-how up to date.
You can ensure this by taking courses that teach you how to understand and assess cybersecurity risks and delve into practices to manage and protect your information systems and data from cyber threats in day-to-day operations.
To meet the minimum requirement of NIS2, you should also ensure cybersecurity awareness and training to other relevant employees in the organization.
Finally, it’s important that the board and executive management ‘practice what you preach’ by supporting a strong cybersecurity culture.
#6: Ensure good governance
It’s your and the rest of the board’s responsibility to ensure that you have the necessary knowledge and experience in risk management of IT and cyber risks.
The board should also make sure that the security team in your organization is close to management and reports directly to you.
In addition, the board should ensure that your organization has different units (like departments or employees), doing controls of risk management independently from one another, to strengthen cybersecurity.
For example, you can have three lines of defense, where the first line of control can be an outsourcing manager or an employee or department responsible for legal/contracts. The second line of defense could be a department or employee responsible for compliance (e.g. a DPO), and the third line of defense could be an internal audit.
Need more expert help understanding the NIS2 rules and obligations for board members? Feel free to reach out to us.
