HEDYLIUM

NIS2: the responsibility of the management body


One of the notable changes brought by NIS2 is to place direct responsibility on management bodies. Cybersecurity is no longer a purely technical matter; it becomes a governance topic, owned at the highest level of the organisation.

Approve and oversee

Management bodies must approve the cybersecurity risk-management measures and oversee their implementation. Responsibility cannot be fully delegated to a technical department: it remains that of the leadership.

Get trained

Members of the management body are required to follow training so that they gain sufficient knowledge to identify risks and to assess the management practices in place. The CCB (Centre for Cybersecurity Belgium) recommended planning this training for executives before April 2025. Entities are also encouraged to offer comparable training to their staff.

A responsibility that can be invoked

The law provides that leaders can be held liable in the event of a failure. The authorities have administrative measures and sanctions at their disposal, calibrated according to the entity’s category, the severity, the duration, any repeat breaches and the negligence found.

In practice, the leadership must be able to demonstrate that it has understood the risks, approved the measures and followed their application — a requirement of governance as much as of cybersecurity.
