NIS 2 Checklist: Compliance Basics for the CxO and Board of Directors

There’s a bit of confusion around the coming NIS 2 legislation. Petri Kuivala, CISO, keeps this breakdown short and sweet to help you understand your main accountabilities as a corporate leader. Make sure you have a word with your CIO and CISO to apply this guidance to your company’s specific context.

Post hero image

Table of contents

Reduce your human cyber risk
Hoxhunt's adaptive security training dramatically increases engagement and security resilience.
Learn more

As a long-time Chief Information Security officer and lawyer by training, I'm here to break down the NIS 2 regulation to help other cybersecurity professionals understand the main accountabilities as a corporate leader.

I've served as the Chairman of the Board of Directors with a publicly listed company, plus worked at Nokia, Microsoft, NXP Semiconductors and overseen the M&A activities of leading companies like Qualcomm and Siemens. That being said, please make sure you consult your CIO and/or CISO before applying this guidance, to account for the specific context of your company.

NIS 2 liability: Who, What, Why, and When

What is the NIS 2 regulation?

The revised Network and Information Systems Directive (NIS 2) is European legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU.

Why is the NIS 2 regulation coming into effect?

  • The more we digitalize our lives the more important it is that we ensure our systems operate reliably, and free of disruption from cyber-attacks.  
  • The NIS2 and the recent SEC regulations that expects companies to have proper Cyber Security governance, processes, and reporting in place.

When is the NIS 2 coming into effect?

  • The deadline for the EU member states to transpose NIS 2 into national law is October 17, 2024.

Who is affected by the NIS 2 regulation?

Is our company within the scope of the regulation?

  • NIS 2 applies to a broader scope of sectors and entities than those covered by the current NIS Directive.  
  • Critical infrastructure industries in the EU are regulated. See the images below
  • These players are divided into Essential--those whose governance is more rigorous-- and into Important—those who are also in scope of the regulation.
  • NIS 2 applies also to certain Small & Micro entities that are specified in the directive.
Image derived from NCSC NIS 2 Quick Reference Guide
Image derived from NCSC's NIS 2 Quick Reference Guide

Is the NIS 2 regulation valid only for companies operating in the EU?

  • On this question, I would direct you to discuss with your legal team as the answer is “it depends….”  

Am I liable as a CxO and what penalties are involved?

  • Yes, you are liable. The C-level cannot transfer NIS 2 liability to the CISO or anyone else. The C-level is, however, expected to drive the necessary cybersecurity improvements through the CISO and other relevant teams.  
  • The maximum liability is at least 10M€ or up to 2% of the total world-wide annual turnover of the company.
Want to learn more?
Be sure to check out these articles recommended by the author:
Download the checklist
Get more cybersecurity insights like this