
The NIS2 Directive: Another regulatory and technological challenge for senior management
March 14, 2025
The NIS2 Directive introduces direct liability for CEOs and senior management of affected companies, increasing their legal, financial, and reputational risks. Here are the main risks they face:
- Personal Responsibility of Directors: NIS2 establishes that senior management (including CEOs) is responsible for overseeing and approving cybersecurity measures. Failure to comply may result in personal sanctions, including bans from holding management positions.
- Heavy Fines and Penalties: Companies that fail to comply with NIS2 can receive financial penalties similar to those imposed under the GDPR: up to 2% of global annual turnover or €10 million (whichever is greater) for essential entities, and up to 1.4% or €7 million for significant entities. Significant financial losses can impact the company's stability.
- Criminal and Civil Liability: Directors can be held personally liable if negligence in implementing cybersecurity measures is proven. Lawsuits for damages are possible if a cybersecurity incident affects customers or partners.
- Impact on Reputation and Trust: A breach or cyberattack can damage a company's public image and affect its relationships with customers and investors. The loss of credibility can affect the company's valuation and make it difficult to close deals.
- Training and Oversight Obligation: NIS2 requires CEOs and senior managers to receive cybersecurity training and be involved in strategic security decision-making. Failure to properly delegate responsibilities to experts can exacerbate the situation in the event of an incident.
- Incident Management Liability: The Directive establishes strict deadlines for incident reporting: 24 hours for an initial alert, 72 hours for a detailed report, and 1 month for a final assessment. If the company fails to report a cyberattack in a timely manner or does so inadequately, the CEO may be held liable.
Conclusion: How to Mitigate These Risks? To avoid problems, CEOs must actively engage in cybersecurity strategy, ensure cybersecurity training and awareness for senior management, guarantee adequate investments in protection and response measures, oversee regular audits and assessments, and have incident response and notification plans in place.
We'll be discussing this topic with experts at the hybrid event "NIS2 Revolution: Strategies and Solutions with Nanfor and ADOK for a Secure Future." This event, organized by Nanfor and ADOK, will take place on March 20th from 9:30 to 11:30 AM (UTC+1 Madrid).