As a board member of a NIS2-affected organization, you are personally liable and can be held responsible for damages if you act negligently or otherwise in violation of the NIS2 requirements.
So, with the rest of the board of directors, you’re not ‘only’ responsible for understanding cybersecurity on a strategic level – where you can assess your organization’s risks – but also on a practical level so you can decide how to protect your organization against cyber threats and crime.
We help you every step of the way by giving you the answers to:
We see that both big and small organizations get hit by cyber-attacks. For that reason, cybersecurity should be in everybody’s interest. Yet not all organizations are affected by the requirements in NIS2.
To be affected – no matter the size of your organization – you must first and foremost be within one of these 10 categories:
If your organization doesn’t fall into the 10 categories above, it’s affected if it meets all three of the following criteria:
There can be legal nuances that decide when an entity is either essential or important in NIS2. If you need help delving into those nuances, feel free to reach out to us.
As NIS2 is a directive that EU countries must implement by national law, each law may look different from others.
However, NIS2 has defined some minimum requirements that all EU member states must implement. These requirements include:
If you want to dive into the details of the general minimum requirements of NIS2, you can do so here.
In general, the board of directors is often responsible for ensuring that the necessary procedures for risk management and internal controls are in place. Further, the executive management is responsible for day-to-day management and for following the guidelines and instructions issued by the board.
Thus, there are several minimum requirements that you, together with the rest of the board and management, are responsible for. You must make sure:
The Danish Board Association’s Center for Cyber Competence and the Danish Center for Cyber Security have published a guide on cybersecurity for board members – and it is useful even if you don’t sit on the board of a Danish organization.
In the guide, there are 6 recommendations to help you meet your obligations on a daily basis – we have listed the recommendations here:
You and the rest of the board should receive and assess an updated cybersecurity risk assessment at least once a year – and as often as necessary.
You should base the risk assessment on the organization’s:
The board should set the company’s cybersecurity strategy, including risk appetite, at least once a year and as often as necessary.
The strategy should take into account your:
As the board of directors, you should ensure and continuously check that the cybersecurity strategy is ‘translated’ into policies, processes, and procedures so that the employees can comply with the strategy daily.
You and the rest of the board should also ensure and continuously check that the organization has implemented adequate cyber hygiene, including a relevant backup that is continually tested.
Last, but not least, you should make sure your organization has an emergency and communication plan in place to be prepared and resilient in the event of a hacker attack or power outage.
The board should have cybersecurity as a regular task on the annual calendar alongside other key risks.
You should also prioritize discussing cybersecurity every time you meet and ensure you get reporting before the meeting on:
Both the board of directors and executive management should keep their cybersecurity knowledge and know-how up to date.
You can ensure this by taking courses that teach you how to understand and assess cybersecurity risks and delve into practices to manage and protect your information systems and data from cyber threats in day-to-day operations.
To meet the minimum requirements of NIS2, you should also ensure cybersecurity awareness and training for other relevant employees in the organization.
Finally, it’s important that the board and executive management ‘practice what they preach’ by supporting a strong cybersecurity culture.
It’s your and the rest of the board’s responsibility to ensure that you have the necessary knowledge and experience in risk management of IT and cyber risks.
The board should also make sure that the security team in your organization is close to management and reports directly to you.
In addition, the board should ensure that your organization has separate units (such as departments or individual employees) that perform risk management controls independently of one another, to strengthen cybersecurity.
For example, you can have three lines of defense, where the first line of defense can be an outsourcing manager or an employee or department responsible for legal/contracts. The second line of defense could be a department or employee responsible for compliance (e.g. a DPO), and the third line of defense could be an internal audit.
Need more expert help understanding the NIS2 rules and obligations for board members? Feel free to reach out to us.