The European NIS2 Directive fundamentally changes how cybersecurity is approached, and this time it does not spare smaller organizations either. While the first NIS Directive applied mainly to operators of critical infrastructure, NIS2 widens the circle of obligated entities to a broad range of businesses and services that are important for society. In practice this means the new rules will also apply to, for example, IT service providers, manufacturers, healthcare facilities, and educational institutions. Because NIS2 is a directive rather than a regulation, the exact scope and obligations are set by each member state's transposing law, so organizations need to check the national implementation that applies to them, not only the text of the directive.
NIS2 also introduces a new level of accountability. Members of an organization's management body, whether a board of directors, executives, or managing directors, are personally accountable for approving and overseeing the implementation of cybersecurity risk management measures. It is no longer enough to delegate security to the IT department. Management must be able to show that it understands the risks the organization faces, has approved an adequate budget, has undergone the required training, and is overseeing the fulfillment of the obligations. Failure to comply can result in substantial financial penalties and reputational damage.
NIS2 therefore changes the way companies think about risk management and governance. Cybersecurity becomes part of strategic management rather than a technical detail. Organizations that start preparing early, by investing in processes, training, and clear accountability, will gain not only regulatory certainty but also the trust of their customers and partners. So it is worth asking: is your board prepared to bear this personal responsibility?