NIS2 is not just an IT issue. It is a management responsibility.
For the first time, the EU is making it absolutely clear that cybersecurity is something that senior management and boards of directors must personally address.
This article explains what NIS2 means in practice for management—and how to handle responsibility without making cybersecurity unnecessarily complex.
NIS2 shifts responsibility up to management
NIS2 is an EU directive, and one of the biggest changes from the first NIS directive is where responsibility sits.
It is no longer sufficient that:
- IT “has it under control”
- You have an external supplier
- Policies are available in a folder
Management must be able to demonstrate that cybersecurity is prioritized, managed, and followed up on.
Overview of NIS2:
https://securefirst.dk/nis2-compliance/
What does “management responsibility” mean in concrete terms?
In practice, NIS2 means that management must be able to document:
- That cyber security is addressed in a structured manner
- That risks are identified and managed
- That employees are trained
- That there are clear procedures in place for incidents
- That there is ongoing follow-up
It's not about technical knowledge – it's about management, prioritization, and overview.
What are the risks for management if NIS2 is ignored?
The consequences can be serious:
- Fines imposed on the company (NIS2 sets the ceiling at EUR 10 million or 2% of global annual turnover for essential entities, and EUR 7 million or 1.4% for important entities, whichever is higher)
- Binding instructions from the supervisory authority and, for essential entities where other measures have not worked, temporary suspension of certifications or authorisations
- Enhanced supervision, including audits and security scans ordered by the authority
- Personal liability of members of the management body, and for essential entities a temporary ban on individuals at CEO or legal-representative level exercising managerial functions
- Damage to reputation among customers and partners
NIS2 makes it clear:
Inadequate cybersecurity is no longer an excusable mistake; it is a management failure.
Why CIS 18 is key to lifting management responsibility
Many management teams are stuck with the same problem:
“We know we have a responsibility – but how do we work with that in concrete terms?”
This is where CIS 18 (the 18 CIS Critical Security Controls) comes in as the operational foundation.
CIS 18 provides:
- A common structure
- Specific controls
- A language that management and IT can understand together
CIS 18 compliance:
https://securefirst.dk/cis18-compliance/
Awareness and phishing – management's hidden risk area
Most security breaches do not start with technology; they start with people, typically through phishing or stolen credentials.
That is why awareness training and phishing tests are directly relevant to management.
NIS2 requires that members of the management body undergo cybersecurity training and that employees receive basic cyber hygiene and security training. In practice, that means:
- Employees receive ongoing training, not a one-off session
- Behavior is measured, for example through phishing simulations
- Results are followed up and the training is adjusted accordingly
Awareness training:
https://securefirst.dk/awareness-traening/
Phishing simulation:
https://securefirst.dk/phishing-simulation/
Incident response – when something goes wrong
A key element of NIS2 is preparedness.
Management must be able to answer one simple question:
“What do we do if we get hit tomorrow?”
This requires:
- Clear procedures for detecting, containing, and recovering from an incident
- Distribution of roles, so everyone knows who decides, who executes, and who communicates
- Documentation of what happened and what was done
- A reporting process that meets the NIS2 deadlines: an early warning to the authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month
- Overview of the systems and suppliers the business depends on
Failure to respond, or responding too late, can be as serious as the attack itself.
How SecureFirst helps management in practice
SecureFirst is built to make management responsibilities manageable—not technical.
The platform provides:
- A comprehensive overview
- Clear reporting
- Documentation for authorities and insurance companies
- Visible progress over time
See the solution:
https://securefirst.dk/
Calculate level and price:
https://securefirst.dk/prisberegner/
FAQ – Management and NIS2
Should the board of directors be involved in NIS2?
Yes. NIS2 expects cybersecurity to be addressed at management level.
Can management be held personally liable?
Yes. Article 20 of NIS2 requires the management body to approve the cybersecurity risk-management measures and oversee their implementation, and states that its members can be held liable for infringements. The precise liability regime follows from each member state's national transposition, so check the national law that applies to your company.
Should management understand technology?
No. Management must ensure control, prioritization, and documentation, not technical implementation.
How do you get started?
Start with an overview, awareness, and clear processes.