Information security policy

Dec 03, 2025 | Cyber Security / Management & Organization

The role of directors under NIS2

The NIS2 directive imposes new obligations on organizations to demonstrably improve their cybersecurity. An important difference from its predecessor (NIS1) is that directors, including management bodies and legal representatives, are now explicitly held ultimately responsible. This means they must actively engage with their organization's information security policy rather than delegate it entirely.

Why directors are central under NIS2

Under NIS2, information security is no longer treated as a purely operational matter. The management body bears ultimate responsibility and can be held liable for shortcomings. Member States must give their competent authorities the power to impose sanctions, including administrative fines on the organization and, for essential entities, a temporary ban on individuals at CEO or legal-representative level exercising managerial functions.
This requires active involvement in the strategy, decision-making, and implementation of the information security policy. Directors must not only supervise, but also be able to demonstrate that they have control over cyber risks.

Mandatory involvement in information security policy

NIS2 requires that the directors of an organization:
  • approve the cybersecurity risk-management measures and evaluate the policy regularly,
  • oversee implementation and monitor compliance with the information security policy,
  • and receive regular updates about risks and incidents.
In addition, directors are ultimately responsible for ensuring that procedures are in place for the timely reporting of incidents. For significant incidents the directive sets a staged timeline: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. The board must ensure that this reporting chain is properly set up and functions efficiently.

Training and awareness for directors

An important requirement of the directive is that directors, including management bodies and legal representatives, must follow cybersecurity training so that they have sufficient knowledge and skills to identify risks and assess the organization's risk-management practices. This serves two objectives:
  • Understanding risks: directors gain a better understanding of the cyber risks the organization faces and how the information security policy manages them.
  • Effective supervision: they can monitor more closely and make informed decisions about security measures.
NIS2 does not view training as a one-off activity, but as a structural investment in knowledge development and awareness.

Information security policy at the management level

NIS2 explicitly places responsibility for information security with management. Directors now bear ultimate responsibility and must actively steer information security policy.
Would you like to know which management systems can help your organization meet these obligations? Read more about ISO 27001 and the NIS2 directive in the articles at the bottom of the page.
Blogs about Information security policy
Mar 08, 2023 | Audit / Information security management system

Difference between ISO 27001 and NEN 7510

What are ISO 27001 and NEN 7510, and what's the difference between them? Learn more here.
Dec 29, 2023 | Audit / Information security management system

Everything about information security

What is information security and why is it important for your organization? Find out more in this blog.
Jan 04, 2023 | Audit / Information security management system

Risk analysis in information security

How does risk analysis work in information security, and which certifications are relevant for your organization? Find out more here at DEKRA.
Dec 01, 2022 | Audit / Information security management system

ISO 27001 information security policy

Want to demonstrate that your organization handles information securely? Then obtain an ISO 27001 certificate.
Dec 21, 2023 | Audit / Information security management system

Why ISO 27001?

Why ISO 27001 for information security? And what are the benefits? Find out more in this blog.
Oct 28, 2024 | Digital & Product Solutions / Cyber Security

NIS2 requirements

What is NIS2? And what are the NIS2 requirements for cybersecurity? Read all about the directive here.
Oct 01, 2024 | Digital & Product Solutions / Cyber Security

NIS2 and IEC 62443

NIS2 and IEC 62443: two critical pillars for cybersecurity and cyber resilience. Find out more here.
Dec 02, 2025 | Cyber Security / Information security management system

Cyber-secure working with ISO 27001 certification for NIS2 compliance

Working cyber-securely with ISO 27001 certification: discover the 5 benefits for NIS2 compliance in this blog.
Oct 14, 2024 | Digital & Product Solutions / Cyber Security

ISO 27001 and NIS2

Why are ISO 27001 and NIS2 critical to your organization's cybersecurity? Find out in this blog.