Where information security used to be seen too often as the responsibility of the CIO or IT manager, the NIS2 Directive makes it very clear that ultimate responsibility lies with the board. This does not mean that, as a director, you now need to take a course in cryptography or reverse engineering. However, executives are legally required to undergo information security training, and they must be able to demonstrate their knowledge with a certificate of participation.
Maturity of information security
The purpose of the NIS2 Directive is to strengthen the digital resilience and information security of organizations within the EU, so that disruptions and digital attacks are prevented and addressed more quickly. Organizations achieve this by aiming for and realising a higher maturity level in information security. The urgency is clear from the many recent news reports about data breaches at organizations. The consequences may include financial damage and reputational damage.
The Cybersecurity Act represents the Dutch implementation of NIS2 and translates the European directive into concrete national rules and supervision for organizations in the Netherlands.
NIS2 is expected to enter into force in the second quarter of 2026. And no, an ISO 27001 certification alone does not automatically mean that you comply with the NIS2 Directive. But it does give you a significant head start.
Key characteristics of the NIS2 Directive include:
• A broader group of organizations falling under supervision
• Stricter duty of care in the field of information security
• Mandatory reporting of serious incidents
• Directors being held responsible
• Higher fines for non-compliance
Is this a reason to panic? No. Is it a reason to take information security even more seriously and start working on it proactively? Yes, absolutely.
In summary: ISO 27001 maturity ensures that AI governance does not require a completely new system, but rather an extension of existing processes.
Want to know more? Schedule a no obligation introductory meeting and together we will explore how we can support you.
Enforcement of the NIS2 Directive
The NIS2 Directive has been in force since January 2023 and should have been transposed into national legislation by all Member States by October 2024 at the latest. In the Netherlands, the Cybersecurity Act is still in the legislative phase and has not yet entered into force.
Although there is no case law yet, the legal framework is already fairly clear. Directors must approve information security measures, promote them and actively supervise their implementation. They may be held personally liable in cases of serious negligence, for example when it can be demonstrated that insufficient measures were taken while risks were known and legal obligations were not complied with.
Hiring a CIO or CISO, for example, does not remove that responsibility. This is explicitly stated in the directive. Courts are expected to assess the following:
• Has the board demonstrably taken appropriate measures? Were measures deliberately not taken?
• Were risks known but ignored? In other words, were risk analyses carried out structurally and followed up?
• Were serious incidents reported on time and in full?
• Is there a log of decisions?
• Was active supervision carried out regarding compliance?
Conclusion
With the NIS2 Directive, information security becomes an explicit responsibility of senior management. Directors must actively steer, supervise and receive training.
Organizations must bring their governance, processes and security measures to the next level of maturity in order to meet stricter requirements and reporting obligations. Information security is no longer an IT topic, but a core element of good governance and risk management.
Would you like to know more about how to bring your ISO 27001 certification to the next maturity level and embed the NIS2 requirements within it? Contact us for a no obligation introductory meeting.
