Another significant change resulting from NIS2 is the increased responsibilities imposed upon management bodies. NIS2 does not define who is considered a member of a "management body", but boards of directors and certain executives are likely to fall within its scope.
Management bodies of essential and important entities must approve the cybersecurity risk-management measures required under NIS2 and oversee their implementation. Moreover, they may even be held personally liable for the entity's failure to adopt and comply with such measures.
In relation to essential entities, NIS2 requires Member States to ensure that any natural person responsible for, or acting as a legal representative of, an essential entity, on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it, has the powers needed to ensure the entity's compliance with NIS2. Member States must also ensure that such natural persons can be held liable for breach of their duties to ensure that compliance. A corresponding rule applies to important entities under the supervisory and enforcement measures that may be imposed on them.
Consequently, members of management bodies, such as the chair of the board, may incur personal liability for breaches of the cybersecurity rules, exposing them to significant potential penalties. Although the precise penalties are left to the rules of the individual EU Member States, NIS2 requires that they be effective, proportionate and dissuasive. One possible penalty is a temporary prohibition on exercising managerial functions in the entity, for example suspension from the board.
In light of the increasing responsibilities, management bodies of both essential and important entities should consider adopting the following measures to ensure compliance with NIS2:
- Complete the cybersecurity training that NIS2 requires of management body members, and offer comparable training to employees on a regular basis;
- Conduct a thorough assessment of the risks posed to the security of the network and information systems which the entity uses for its operations or for the provision of its services;
- Evaluate what technical, operational and organisational measures are required based on the findings of the risk assessment;
- Complete annual cybersecurity audits;
- Adopt an operational procedure so employees can report on security incidents, and are aware of how to comply with reporting obligations;
- Complete vendor risk assessments before engaging new IT suppliers or service providers.