The NIS2 directive went into effect on October 17, 2024. That means you are, hopefully, already NIS2-compliant. If not, read on: these new regulatory requirements include significant personal liability for the management body, forcing the C-suite to take an active role in cyber risk management.
The new personal liability clause creates significant risks for senior management and executives. Failure to comply with NIS2 can quickly turn personal nightmares into reality: major financial penalties for the firm, reputational damage and business disruption, and, in the most egregious cases of continuing non-compliance, authorities have the power to temporarily prohibit responsible individuals from exercising managerial functions.
In this blog post, I'll walk you through the key elements of NIS2 and its expanded scope, highlighting what they mean for cybersecurity risk management practices. We'll then look at the implications of the directive for the management body and senior executives. Finally, I'll show how different actionable strategies can support the risk management process and help ensure that your organization remains NIS2-compliant and resilient to cyber risk.
Key Takeaways
- Executive Accountability: NIS2 holds the management body liable for failing to provide adequate cyber risk management.
- Financial Penalties: Failure to comply with NIS2 could result in fines of up to €10 million or 2% of global annual turnover, whichever is greater. These penalties are comparable to those under the GDPR, underscoring the serious consequences of failing to comply with the directive's requirements.
- Cyber Risk Quantification can help prepare for NIS2: Using a scenario-based quantification approach can strengthen cyber risk management, make cyber risks more understandable to the management body and enable them to make, with confidence, the risk and oversight decisions they are now liable for.
Understanding the Expanded Scope of NIS2: Is Your Leadership Ready?
The scope of NIS2 is broader than that of the initial Network and Information Security directive (NIS1), both in terms of the size of companies and the industries to which it applies. It is important to check whether your firm is in scope.
NIS2 was introduced to counter the escalating sophistication of cyber threats that threaten not just operations but also public safety. By expanding its reach, the directive aims to strengthen the cybersecurity posture of the European Union, ensuring that a wider array of organizations start implementing stronger security measures.
The original NIS Directive primarily targeted critical infrastructure like energy, transport and healthcare. However, as technology has permeated every industry, cyber threats have become a universal challenge. NIS2 reflects this change by expanding its scope to sectors like manufacturing, pharmaceuticals, and digital services (see the infographic for the full scope).
The updated regulation also extends its scope beyond European large enterprises to include mid-sized organizations that meet certain thresholds, such as those with more than 50 employees or more than €10 million in revenue or assets.
Importantly, size isn't the only criterion; businesses operating in sectors critical to the economy, including those involved in cross-border or monopoly operations, must also adhere to NIS2 regulations.

Key Risk Management Aspects for NIS2
NIS2 requires that essential and important entities adopt appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of their network and information systems. These measures are vital for maintaining business continuity and for managing the impact of incidents on information services and their consumers.
A key aspect of compliance is ensuring that cybersecurity measures are appropriate to the risks posed. These measures must take into account the state-of-the-art, relevant European and international standards, and also the cost of implementation.
The directive further mandates that organizations implement comprehensive measures, including at least the following:
- Policies on risk analysis and information system security;
- Incident handling;
- Business continuity, such as backup management and disaster recovery, and crisis management;
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
- Basic cyber hygiene practices and cybersecurity training;
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- Human resources security, access control policies and asset management;
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
The risk-management measures taken must be approved by the management body, which must also oversee their implementation. As such, the directive raises a critical question: Does the management body truly understand the cyber risks its organization faces and the implementation plan for achieving compliance?
For organizations that are still working on compliance, understanding which measures to prioritize and the overall potential risks can be a challenging task. Tools like Cyber Risk Quantification (CRQ) are invaluable in assessing and managing these risks, offering a state-of-the-art approach to cybersecurity planning, and presenting technical risk information in business language that executives can confidently comprehend.
Effective Strategies to Better Navigate NIS2 Compliance Challenges
Plain Language Cyber Risk Assessments for the Management Body
The NIS2 directive emphasizes the need for state-of-the-art technology, and Cyber Risk Quantification (CRQ) serves as a cutting-edge tool for organizations to manage cyber risk.
By taking into account factors such as exposure to risks, entity size, and incident likelihood, CRQ enables organizations to quantify their potential financial losses from cyber incidents and plan the cybersecurity measures needed to protect against such threats effectively. By discussing losses in financial terms, the management body can easily evaluate and compare cyber risks against other enterprise risks and prioritize across the whole business.
One effective way to address the risk management aspects of the NIS2 directive is by emphasizing a scenario-based approach to cybersecurity risk assessment. By describing risks in terms of their consequences to the business, the potential losses can be more readily identified, quantified, and communicated to senior management and the board.
This approach not only enhances risk management but can also support the development of business continuity, disaster recovery, and crisis plans.
Returning to the topic of personal liability, given that NIS2 holds executives personally accountable for compliance, organizations must ensure their leadership is well-informed and equipped to make strategic cybersecurity governance decisions.
This means they must not only approve and oversee risk assessments and management strategies but also ensure their organizations are prepared to mitigate potential cyber threats. Modelling cyber risks as plain-language scenarios and quantifying the potential losses in financial terms enables the management body to perform these risk oversight duties with confidence.
Developing a Credible Cybersecurity Strategy
Squalify takes this proactive, scenario-based risk assessment approach to the next level by providing advanced simulations that enable organizations to develop or fine-tune their cybersecurity strategies. Simulations allow you to quickly see how the calculated potential financial losses are reduced by improving the maturity of security measures.
By simulating changes to your security measures, you can strategically prioritize cybersecurity investments to achieve the greatest reduction in financial risk, while balancing this with the cost of implementation. For example, you could model small, medium, and large sized change initiatives in simulations and observe the resulting reductions in potential financial losses. Executives can make informed decisions based on how much risk reduction they are willing to pay for.
Using cyber risk quantification enables the management body to see their organization's cyber risk landscape in business terms. Combining risk quantification with simulations gives a defensible basis for risk-based security investment decision making.
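As an added illustration of the scenario-based comparison described above (example code written for this post, not Squalify's product or method), the following toy model expresses two plain-language scenarios as an annual likelihood times a lognormal loss range, simulates the portfolio to get an expected and a 95th-percentile yearly loss, and compares three constructed small/medium/large initiatives by the expected loss they remove against their annualized cost. Every scenario, probability, loss range, control factor and cost below is a made-up assumption.

```python
import math
import random
from dataclasses import dataclass, replace

Z90 = 1.2816  # standard normal 90th percentile, used to fit loss ranges

@dataclass
class Scenario:  # a plain-language loss scenario: yearly likelihood plus a loss range
    name: str
    annual_probability: float  # chance the event happens in a given year
    loss_low: float            # 10th-percentile loss in EUR if it happens
    loss_high: float           # 90th-percentile loss in EUR if it happens

@dataclass
class Initiative:  # a change initiative; factors below 1 reduce risk
    name: str
    annual_cost: float         # annualized cost of implementation in EUR
    likelihood_factor: float   # multiplies annual_probability
    impact_factor: float       # multiplies the loss range

def lognormal_params(low, high):  # fit a lognormal loss curve to its 10th/90th percentiles
    mu = (math.log(low) + math.log(high)) / 2
    return mu, (math.log(high) - math.log(low)) / (2 * Z90)
def expected_annual_loss(s):  # closed-form annualized loss expectancy: P(event) x mean loss
    mu, sigma = lognormal_params(s.loss_low, s.loss_high)
    return s.annual_probability * math.exp(mu + sigma ** 2 / 2)
def apply_initiative(s, i):  # the same scenario once the initiative has matured the controls
    return replace(s, annual_probability=s.annual_probability * i.likelihood_factor,
                   loss_low=s.loss_low * i.impact_factor, loss_high=s.loss_high * i.impact_factor)
def risk_reduction(scenarios, i):  # (expected loss after i, reduction, reduction minus cost)
    before = sum(expected_annual_loss(s) for s in scenarios)
    after = sum(expected_annual_loss(apply_initiative(s, i)) for s in scenarios)
    return after, before - after, before - after - i.annual_cost

def simulate_annual_loss(scenarios, years=20000, seed=1):  # Monte Carlo over the portfolio
    rng, totals = random.Random(seed), []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            if rng.random() < s.annual_probability:
                total += rng.lognormvariate(*lognormal_params(s.loss_low, s.loss_high))
        totals.append(total)
    totals.sort()
    return sum(totals) / years, totals[int(0.95 * years)]  # (mean, 95th percentile)

# Constructed sample portfolio and initiatives: illustrative numbers, not real data.
SCENARIOS = [Scenario("Ransomware halts production", 0.15, 500_000, 8_000_000),
             Scenario("Supplier breach leaks customer data", 0.25, 100_000, 2_000_000)]
INITIATIVES = [Initiative("small", 150_000, 0.8, 0.7), Initiative("medium", 400_000, 0.6, 0.5),
               Initiative("large", 900_000, 0.4, 0.3)]
```

With these constructed numbers the small and medium initiatives both remove more expected loss per year than they cost, while the large one costs more than the expected loss it removes, which is exactly the trade-off the management body is asked to decide on.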
Final Thoughts
Under the NIS2 Directive, personal liability for non-compliance is a reality for business leaders. The directive places a new burden on senior management, making them personally responsible for their organization's cyber risk posture. Failure to comply may lead to substantial penalties, including hefty fines, operational setbacks, and potentially personal suspension in the worst cases.
Beyond the financial implications, the personal accountability introduced by NIS2 requires the management body to take an active role in shaping and overseeing cybersecurity strategies. Simply approving security budgets is no longer enough - boards need to understand the full scope of cyber risks and the effectiveness of their organization's defenses.
A scenario-based approach, such as the one offered by Squalify, is useful for navigating this complex landscape. With tailored information security simulations, Squalify helps organizations assess the risk reduction impact of their cybersecurity strategies before implementing them, providing valuable support for NIS2 compliance, cybersecurity resilience and strategic cyber decision making overall.
Frequently Asked Questions on the NIS2 Directive
1. What is the NIS2 Directive and when did it take effect?
The NIS2 Directive, which strengthens cybersecurity regulations across the EU, took effect on October 17, 2024. It expands the scope of compliance and introduces personal liability for senior leadership. Notably, the directive now includes additional sectors such as food manufacturing, processing & distribution, waste management, chemical manufacturing & distribution, industrial manufacturing, public administration, and space, broadening its impact on essential and important services throughout the EU.
2. Who is affected by the NIS2 Directive?
NIS2 affects both large enterprises and mid-sized organizations with over 50 employees or more than €10 million in revenue. It also includes businesses in critical sectors such as food production, healthcare, digital services, and public administration. For affected organizations, compliance with NIS2 means adopting proactive cybersecurity measures to mitigate cyber threats, protect sensitive data, and contribute to a more resilient EU-wide digital ecosystem.
3. What are the consequences of non-compliance with NIS2?
Failure to comply with NIS2 can result in severe penalties, including fines of up to €10 million or 2% of global turnover, business disruption, reputational damage, and personal liability for executives.
4. How does NIS2 impact the management body and senior executives?
Under NIS2, the management body and senior executives are held personally liable for ensuring adequate cybersecurity oversight and risk management. This makes them accountable for compliance failures.
5. How can a scenario-based approach help with NIS2 compliance?
A scenario-based approach helps organizations simulate potential cyber threats and assess the effectiveness of their cybersecurity strategies, ensuring they meet NIS2 compliance and mitigate risks effectively.