The European Union’s NIS2 Directive, which came into effect in 2025, has become one of the most comprehensive regulations redefining corporate responsibility in digital security. Covering more than 160,000 organisations and their digital supply chains, this regulation now requires active governance and accountability at the board level. Senior executives are directly responsible for the development, implementation, and oversight of cybersecurity strategies. Legal obligations also affect organisations and executives on an individual basis. In case of non-compliance:
- CEOs and managers can be temporarily suspended from their duties,
- There is a requirement to notify customers about the nature of the risk,
- Penalties can be up to 2% of annual turnover.
These developments are shifting digital security from a technical issue to the core of areas such as corporate strategy, business continuity, supplier security and investor relations.
New Responsibilities for the Board of Directors in NIS2
NIS2 assigns an active role to management boards. Cyber security is no longer the responsibility of IT teams, but rather a strategic responsibility of the organisation’s top decision-makers. Management is not only responsible for approving risk management policies, but also for monitoring their implementation. This responsibility requires ownership of decisions that directly impact the organisation’s digital resilience.
Who is affected by NIS2?
NIS2 covers highly critical sectors such as energy, transport, finance, healthcare, public services, digital infrastructure, manufacturing and research. It also includes digital service providers such as cloud service providers, online marketplaces, search engines and social media platforms. All companies with more than 50 employees or an annual turnover of €10 million or more are subject to this regulation.
With the new regulations, issues such as supply chain security, third-party risks, data privacy, industrial espionage and cyber threat intelligence have also become the responsibility of organisations.
Compliance with NIS2 requires the establishment of a continuous cybersecurity management system. By 2025, control mechanisms will be active and official registration will be mandatory in many countries. Key steps that organisations should take into consideration:
- Documented risk management strategy,
- Incident response plans (24-hour notification, detailed report within 72 hours),
- Business continuity and disaster recovery procedures,
- Supplier and third-party security assessments,
- Periodic security audits and vulnerability scans,
- Awareness training for management and employees,
- Artificial intelligence-powered attack detection systems and zero-trust policies.
Regulation necessitates technical, cultural and managerial transformation. This process can be integrated with international standards such as ISO 27001, GDPR and DORA.
Who can participate in our training courses:
- Managers of critical infrastructure and service providers,
- Information Technology (IT) managers and specialists,
- Cyber security, data protection and network security specialists,
- Business continuity, compliance, crisis management and risk management consultants,
- Supply chain and third-party risk management specialists,
- Anyone who wants to improve their cyber threat response capabilities.
Training courses provided under the NIS2 Directive
- NIS2 Awareness, 1 day
- NIS2 Lead Practitioner, 4 days
The scope of our 1-day NIS2 Awareness Training:
- Introduction to NIS2,
- Scope and Organisations Covered by NIS2,
- NIS2’s Core Objectives,
- Cybersecurity Risk Management Obligations (Article 21),
- Incident Management and Reporting Requirements (early warning, 24-hour response, follow-up reports),
- Business Continuity, Crisis Management, and Resilience Testing,
- Supply Chain and Third-Party Security (contractual terms, monitoring),
- Key Challenges and Solution Recommendations in the Harmonisation Process,
- Comparison of NIS2 with Other International Standards,
- Practical Steps Towards NIS2 Compliance (gap analysis, roadmap, governance).
The content of our 4-day Lead Implementer training is as follows:
- Overview of the purpose, scope and basic principles of the NIS2 Directive,
- Cyber security risk management approach that organisations must implement,
- Incident detection, response, notification times and reporting to CSIRTs,
- Supply chain security,
- Third-party risk assessment and contractual security requirements,
- Audit tools such as monitoring, security scans, information requests, and evidence provision, along with enforcement measures,
- Compliance roadmap and gap analysis,
- Risk and process improvement steps and continuous development requirements,
- Best practice examples, common mistakes, and effective NIS2 compliance strategies,
- Final exam.
As CFECERT, we offer comprehensive training and certification services to organisations through customised awareness programmes, lead auditor training, and other critical initiatives aligned with international standards under the European Union’s updated NIS2 Directive. Our training content focuses on high-priority areas such as cybersecurity risk management, incident response processes, supply chain security, governance structure restructuring, and regulatory compliance, aiming to help organisations achieve a more compliant, resilient, and proactive structure.
Trust CFECERT’s expertise to prepare for the new responsibilities introduced by NIS2, such as accountability at the management level, time-sensitive notification obligations, and third-party security. To make your organisation NIS2-compliant and become a leader in digital security, contact us at info@cfecert.co.uk.