The role of directors under NIS2: responsibility for information security policy
The NIS2 directive imposes new responsibilities on organizations to demonstrably improve their cybersecurity. An important difference from the previous legislation (NIS1) is that directors, including management boards and legal representatives, are now explicitly held ultimately responsible. This means that they must actively engage with their organization's information security policy.
Why directors are central under NIS2
Under NIS2, information security is no longer seen as a purely operational issue. The board bears ultimate responsibility and can even be held personally liable in the event of shortcomings. Member States are obliged to be able to impose sanctions, including administrative fines or even disqualification orders for individual directors.
This requires active involvement in the strategy, decision-making, and implementation of the information security policy. Directors must not only supervise, but also demonstrate that they have control over cyber risks.
Mandatory involvement in information security policy
NIS2 requires that the directors of an organization:
- monitor compliance with the information security policy,
- actively approve and evaluate policy,
- and receive regular updates about risks and incidents.
In addition, directors are ultimately responsible for ensuring that procedures are in place for the timely reporting of incidents. The directive requires that significant incidents be reported within 24 hours and followed up within 72 hours. The board must ensure that this reporting chain is properly set up and functions efficiently.
Training and awareness for directors
An important requirement of the directive is that directors, including management boards and legal representatives, must have knowledge in the field of cybersecurity. This has two objectives:
- Understanding risks: Directors have a better understanding of the cyber risks involved and how the information security policy manages these risks.
- Effective supervision: They can monitor better and make informed decisions about security measures.
NIS2 does not view training as a one-off activity, but as a structural investment in knowledge development and awareness.
Information security policy at the management level
NIS2 explicitly places responsibility for information security with management. Directors now bear ultimate responsibility and must actively steer information security policy.
Would you like to know which management systems can help your organization meet these obligations? Read more about ISO 27001 and the NIS2 directive in the articles at the bottom of the page.