by Bryan Lee

Cybersecurity Goes to the Boardroom: Why NIS2 Changes Executive Liability and Why U.S. Companies Should Care
Executives used to be able to ignore cybersecurity. That era is over.
Europe’s Network and Information Security Directive II (NIS2) substantially expands cybersecurity obligations across all 27 EU member states. It entered into force in January 2023, with member states required to transpose it into national law by October 2024. Many missed that deadline—Germany’s implementation act didn’t take effect until December 2025—and compliance complexity varies across the Union as a result. But the directive itself is binding, and organizations shouldn’t mistake a slow national rollout for a grace period.
The big change? NIS2 puts executives on the hook, personally. Leadership is no longer insulated from operational cybersecurity failures.
From IT Incidents to Systemic Threats
Three forces pushed cybersecurity into the boardroom:
The damage got too big to ignore. The scale of cybercrime across the EU is staggering, with Germany alone estimating annual losses exceeding €200 billion, and that pattern repeats across major economies throughout the Union. Attacks increasingly target supply chains, industrial operators, and public infrastructure, not just data-rich tech companies.
The threat actors got scarier. European officials now openly describe the landscape as “hybrid warfare.” Critical infrastructure, including energy, water, and health systems, has become a geopolitical target across the continent. A cybersecurity failure today can carry national security implications.
Companies kept making the same mistakes. Many major breaches followed familiar, preventable patterns: phishing, credential theft, insufficient segmentation, untested backups. Regulators concluded that technical controls weren’t enough if leadership didn’t actually prioritize cyber resilience. So, regulators moved the responsibility upward.
What NIS2 Actually Requires
NIS2 covers tens of thousands of organizations across 18 sectors throughout the EU. The governance requirements are direct: management bodies are personally responsible for compliance, executives must approve cybersecurity risk management measures, and cybersecurity training is mandatory for leadership. Serious failures can result in personal liability, and fines can reach €10 million or 2% of global annual turnover.
This isn’t symbolic. Regulators expect documented engagement and evidence that cyber risk is treated like financial or operational risk, not as a departmental afterthought. Board-level reporting becomes mandatory, and budget decisions are now liability decisions.
Why U.S. Businesses Should Pay Attention
NIS2 is an EU directive, but its effects don’t stop at the Atlantic.
The extraterritorial reach is real. U.S. companies operating anywhere in the EU, or providing services into regulated sectors, may fall within scope. If a U.S. parent owns a covered EU subsidiary, governance expectations will flow upstream. Board oversight doesn’t stop at jurisdictional lines.
U.S. regulators are heading in the same direction. The SEC’s 2023 cybersecurity disclosure rules already require public companies to describe board oversight of cyber risk. California’s CCPA cybersecurity audit regulations, which took effect in January 2026, say covered businesses must submit annual compliance certifications signed by a board member or senior executive. NIS2 is more explicit about personal consequences, but the trajectory in the U.S. is pointing in the same direction.
The litigation risk is real too. U.S. corporate law already recognizes board oversight duties through Caremark claims in Delaware, and a global standard for cyber governance makes it easier for plaintiffs to argue a board fell short. D&O insurers are watching as well, and explicit management liability under NIS2 may affect underwriting standards and pricing for multinationals.
What Boards Should Do Now
The path forward isn’t complicated, but it requires intentionality. Conduct a governance gap assessment across your jurisdictions and formalize cyber oversight at the board committee level. Ensure the CISO and CPO report to the board directly, not filtered through IT leadership. Run tabletop exercises that include board participation and document decision-making around cybersecurity investments. Regulators need to see that leadership was engaged before a breach occurred, not just reactive after one.
The Bottom Line
NIS2 reflects something bigger than one directive. Cybersecurity has been reframed by regulators, insurers and, increasingly, courts as a systemic economic threat. It carries national security implications and is now a core governance obligation.
For executives in Europe or elsewhere, the message is the same: cybersecurity competence is now part of the job description. Failing to engage is no longer just a company risk. NIS2 says this time, it’s personal.