Information security policy

Dec 03, 2025Cyber Security / Management & Organization

The role of directors under NIS2

The NIS2 directive imposes new responsibilities on organizations to demonstrably improve their cybersecurity. An important difference with previous legislation (NIS1) is that directors, including management boards and legal representatives, are now explicitly held ultimately responsible. This means that they must actively engage with their organization's information security policy.

Why directors are central under NIS2

Under NIS2, information security is no longer seen as a purely operational issue. The board bears ultimate responsibility and can even be held personally liable in the event of shortcomings. Member States are obliged to be able to impose sanctions, including administrative fines or even disqualification orders for individual directors.
This requires active involvement in the strategy, decision-making, and implementation of the information security policy. Directors must not only supervise, but also demonstrate that they have control over cyber risks.

Mandatory involvement in information security policy

NIS2 requires that the directors of an organization:
  • monitor compliance with the information security policy,
  • actively approve and evaluate policy,
  • and receive regular updates about risks and incidents.
In addition, directors are ultimately responsible for ensuring that procedures are in place for the timely reporting of incidents. The directive requires that significant incidents be reported within 24 hours and followed up within 72 hours. The board must ensure that this reporting chain is properly set up and functions effciently.

Training and awareness for directors

An important requirement of the directive is that directors, including management boards and legal representatives, must have knowledge in the field of cybersecurity. This has two objectives:
  • Understanding risks: Directors have a better understanding of the cyber risks involved and how the information security policy manages these risks.
  • Effective supervision: They can monitor better and make informed decisions about security measures.
NIS2 does not view training as a one-off activity, but as a structural investment in knowledge development and awareness.

Information security policy at the management level

NIS2 explicitly places responsibility for information security with management. Directors now bear ultimate responsibility and must actively steer information security policy.
Would you like to know which management systems can help your organization meet these obligations? Read more about ISO 27001 and the NIS2 directive on the articles at the bottom of the page.
Blogs about Information security policy