January 28, 2024
5 min. read

NIS 2 Checklist: Compliance Basics for the CxO and Board of Directors

There’s a bit of confusion around the coming NIS 2 legislation. Petri Kuivala, CISO, keeps this breakdown short and sweet to help you understand your main accountabilities as a corporate leader. Make sure you have a word with your CIO and CISO to apply this guidance to your company’s specific context.


NIS 2 liability: Who, What and When

What: The revised Network and Information Systems Directive (NIS 2) is European legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU.

When: The deadline for the EU member states to transpose NIS 2 into national law is October 17, 2024.

Who: Am I liable as a CxO and what penalties are involved?

  • Yes, you are liable. The C-level cannot transfer NIS 2 liability to the CISO or anyone else. The C-level is, however, expected to drive the necessary cybersecurity improvements through the CISO and other relevant teams.  
  • The maximum fine is at least 10M€ or 2% of the company's total worldwide annual turnover, whichever is higher.

Image derived from NCSC NIS 2 Quick Reference Guide

Is our company within the scope of the regulation?

  • NIS 2 applies to a broader scope of sectors and entities than those covered by the current NIS Directive.  
  • Critical infrastructure industries in the EU are regulated. See  
  • These players are divided into Essential entities, whose governance is more rigorous, and Important entities, which are also in scope of the regulation.
  • NIS 2 applies also to certain Small & Micro entities that are specified in the directive.

Image derived from NCSC's NIS 2 Quick Reference Guide

Is the NIS 2 regulation valid only for companies operating in the EU?

  • On this question, I would redirect you to your legal team, as the answer is “it depends…”.

Why is the NIS 2 regulation coming?

  • The more we digitalize our lives, the more important it is that our systems operate reliably and free of disruption from cyber-attacks.
  • NIS 2, like the recent SEC regulations, expects companies to have proper cybersecurity governance, processes, and reporting in place.

Author: Petri Kuivala has served as Chairman of the Board of Directors of a publicly listed company. He has worked at Nokia, Microsoft and NXP Semiconductors and overseen the M&A activities of leading companies like Qualcomm and Siemens. He is a long-time Chief Information Security Officer and a lawyer by training.
