Under the NIS2 Directive (Article 20), the management boards of essential and important entities are responsible for approving and overseeing the implementation of the entity's cybersecurity risk management measures. Failure to comply with the directive's requirements can have severe consequences for the individuals involved: personal liability, a temporary ban on exercising managerial functions (available against essential entities under Article 32), and administrative fines, as implemented in the applicable national laws.
Management boards of essential and important entities are specifically responsible for:
- Approving Adequacy of Cybersecurity Measures: Ensuring that the cybersecurity risk management measures adopted by the entity are appropriate and sufficient.
- Supervising Implementation: Overseeing the application and effectiveness of the risk management measures.
- Training and Skill Acquisition: Following training so that board members gain sufficient knowledge and skills to identify cybersecurity risks and to assess the entity's risk management practices and their impact on the services it provides.
- Regular Employee Training: Offering similar training to employees on a regular basis, which the directive asks member states to encourage rather than strictly mandate.
- Accountability for Non-Compliance: Being held personally liable for infringements of the directive's requirements by the entity.
At the governance level, member states must ensure that the management boards of essential and important entities not only approve and supervise the implementation of cybersecurity risk management measures but can also be held liable when their entities fail to comply. By placing this responsibility on named individuals rather than on the organisation alone, the directive aims to strengthen the overall cybersecurity posture and resilience of critical sectors across the European Union.