Slide 1 of 10

Executive Summary: What NIS2 Is and Why It Matters Now

  • NIS2 is the EU's new cybersecurity baseline. Directive (EU) 2022/2555, which each Member State must transpose into its own national law; the transposition deadline was 17 October 2024.
  • Scope expanded sharply. From about 350 operators under NIS1 to more than 100,000 entities across 18 sectors.
  • It is active, not aspirational. The transposition deadline has passed, but Member States are moving at different speeds: some already have national laws, open registration windows and supervisory inspections, others are still legislating. Our obligations in each country follow that country's law, so status must be tracked per jurisdiction.
  • It changes board duties, not just IT duties. Article 20 makes the management body responsible for approving and overseeing cybersecurity risk management measures, and allows it to be held liable for infringements.
What this means for our board

This is a governance matter, not an IT matter. Accountability sits here, around this table.

Slide 2 of 10

Scope and Applicability: Are We In?

  • Sector test. Energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, space (Annex I) plus postal, waste, manufacturing, chemicals, food, digital providers, research (Annex II).
  • Size test. Thresholds follow the EU SME definition (Recommendation 2003/361/EC): medium is 50+ staff or more than EUR 10m in both turnover and balance sheet; large is 250+ staff or more than EUR 50m turnover and EUR 43m balance sheet. Some entity types are in scope regardless of size (for example DNS service providers, TLD name registries and qualified trust service providers).
  • Essential vs Important. Large entities in Annex I sectors are Essential, as are certain entity types regardless of size; most other in-scope entities are Important. Classification drives the supervisory regime (proactive supervision for Essential, after-the-fact for Important) and the fine ceiling.
  • Group reality. Scope applies per legal entity, so multiple entities in the group may each be in scope, potentially in multiple Member States.
What this means for our board

We need a written scope assessment for each legal entity. Unclear scope is a board-level risk.

Slide 3 of 10

Article 21: The Ten Security Measures We Must Have

  • 1 to 3. Risk management policies, incident handling, business continuity and crisis management.
  • 4 to 6. Supply chain security, secure acquisition and development, effectiveness assessment of controls.
  • 7 to 8. Cyber hygiene and training, cryptography and encryption.
  • 9 to 10. HR security, asset management and access control, multi-factor authentication with secured communications.
  • Proportionality applies. Measures must be appropriate to our size, risk, and exposure, but none can be ignored.
What this means for our board

Each of the ten must be documented, implemented, and testable. "We don't do that" is not a defensible answer.

Slide 4 of 10

Personal Liability for Directors (Article 20)

  • Approve. The management body must formally approve the cybersecurity risk management measures.
  • Oversee. The management body must supervise their implementation.
  • Train. Directors must complete cybersecurity training and enable similar training for employees.
  • Be liable. Article 20(1) lets Member States hold the management body liable for the entity's infringements, and Article 32(5) lets supervisors seek a temporary ban on persons at CEO or legal-representative level of an Essential entity from exercising managerial functions until the infringement is remedied.
What this means for our board

Our D&O exposure is now a direct function of how we govern cyber. Minutes matter.

Slide 5 of 10

Fines and Enforcement: Maximum Exposure

  • Essential entities. Administrative fines up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.
  • Important entities. Administrative fines up to EUR 7 million or 1.4% of worldwide annual turnover, whichever is higher.
  • Non-monetary powers. Binding instructions, audits and security scans, orders to make infringements public, and, for Essential entities, temporary suspension of certifications or authorisations and temporary bans on persons at CEO or legal-representative level (Article 32(5)).
  • Litigation exposure. Post-incident civil claims from customers, partners, and shareholders layered on top of regulatory fines.
What this means for our board

Worst-case exposure is measured as a share of group turnover. This belongs on the risk register at the highest tier.

Slide 6 of 10

Incident Reporting: 24 Hour, 72 Hour, One Month

  • 24 hours. Early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, stating whether it is suspected to be malicious and whether it could have cross-border impact.
  • 72 hours. Incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and any indicators of compromise available.
  • One month. Final report no later than one month after the incident notification, covering a detailed description, the likely root cause, mitigation applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is due instead and the final report one month after the incident is handled; authorities may also request intermediate status updates in between.
  • Customer duty. Significant incidents affecting service may require customer notification in parallel.
  • Evidence. Regulators will inspect how the first call, the first email, and the first log were actually handled.
What this means for our board

We need a rehearsed incident machine, not a plan on a shelf. Tabletop exercises at least once a year.

Slide 7 of 10

Supply Chain Risk Management (Article 21(2)(d))

  • Know your suppliers. Complete inventory with criticality tiering, especially ICT, cloud, MSPs, and any party with privileged access.
  • Assess their security. Independent evidence such as ISO 27001 or SOC 2, plus bespoke controls where needed.
  • Contract for it. Security clauses, incident reporting obligations, audit rights, flow-down to sub-processors.
  • Monitor continuously. Do not treat supplier due diligence as a one-time procurement event.
  • Plan for exit. Concentration risk and data repatriation must be board-level concerns.
What this means for our board

Our biggest NIS2 exposure is often someone else's network. Supplier due diligence is a governance control.

Slide 8 of 10

Implementation Timeline: 30, 90, 180, 365 Days

  • First 30 days. Scope confirmation, appoint accountable executive, commission formal gap analysis against Article 21.
  • First 90 days. Remediation roadmap approved by board, registration with competent authority, incident-reporting playbook drafted.
  • First 180 days. Article 21 controls implemented or compensating controls in place, supplier programme rolled out, training delivered.
  • First 365 days. Internal audit, tabletop exercise, management-body training refreshed, maturity roadmap beyond minimum compliance.
What this means for our board

There is a realistic 12-month path to compliant and defensible, provided we commit budget and executive attention now.

Slide 9 of 10

Decision Required From This Board

  • Accountable executive. Formally appoint the management-body owner for NIS2 compliance, named in the minutes.
  • Budget envelope. Approve multi-year investment for Article 21 implementation, supplier programme, and training.
  • Risk appetite. Approve cyber risk appetite and tolerance thresholds, linked to business impact.
  • Reporting cadence. Approve quarterly NIS2 posture reporting to this board with defined KRIs.
  • Training commitment. Agree the board's own cybersecurity training schedule for the coming year.
What this means for our board

These are the sign-offs that turn NIS2 from a legal risk into a governed programme. They must come from us.

Slide 10 of 10

Next Steps This Quarter

  • Commission a gap analysis. Formal, documented, against Article 21 and Article 23.
  • Appoint and empower the programme owner. Mandate, budget, and direct line to the board.
  • Run a tabletop exercise. Test the 24 hour, 72 hour, one month reporting chain end to end.
  • Review top 10 critical suppliers. Ask for evidence, not attestations.
  • Schedule board cyber training. Block the dates in every director's calendar for the next 12 months.
What this means for our board

Five concrete actions this quarter. Each one is testable. Each one is the kind of thing a regulator will ask about.