The European NIS2 Directive fundamentally changes the way we view cybersecurity — and this time, smaller organizations won’t be exempt. While the first version of NIS mainly applied to critical infrastructure, the new regulation expands the scope to a wide range of businesses and services considered essential to society. This means that the new rules will affect, for example, IT service providers, manufacturers, healthcare facilities, and educational institutions.

NIS2 also introduces a new level of accountability. Company leadership — board members, managing directors, and executives — will bear personal responsibility for implementing and managing security measures. It’s no longer enough to delegate security to the IT department. The board must demonstrate that it understands the risks, approves an adequate budget, and oversees compliance. Failure to do so can result in heavy financial penalties and reputational damage.

NIS2 thus transforms how companies think about risk management and governance. Cybersecurity becomes a part of strategic management, not a technical detail. Organizations that start preparing early — by investing in processes, training, and clear accountability — will gain not only regulatory peace of mind but also the trust of their customers and partners. So the question is: is your board ready to take personal responsibility?