Am I personally liable as a director under NIS2?
Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
Try this first
- 1Assign cybersecurity to a named board member, not to an external IT vendor (even if they do the execution).
- 2Take the required training. NIS2 obliges board members to demonstrate risk-management knowledge. NCSC and trade associations offer short courses.
- 3Minute the decisions: risk overview, chosen measures, budget, and who owns execution.
- 4Take out D&O insurance or check that your current policy covers cyber negligence. Not all do.
- 5Have an external party assess the measures at least once a year. That evidence supports a "reasonable conduct" defence.
When to bring us in
In an active incident where you realise you cannot document due diligence, get legal counsel involved immediately.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- What is a processing register and how do I build one?A list per processing activity: what data, what purpose, how long, who shares it. Mandatory under GDPR Art. 30; the under-250-staff exemption falls away as soon as processing is structural or high-risk, which is essentially always the case for SMBs handling customer data.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.