The European Union’s NIS2 Directive, which came into effect in 2025, has become one of the most comprehensive regulations redefining corporate responsibility in digital security. Covering more than 160,000 organisations and their digital supply chains, this regulation now requires active governance and accountability at the board level. Senior executives are directly responsible for defining, implementing and monitoring cybersecurity strategies. Legal obligations also affect organisations and managers individually. In case of non-compliance:
- CEOs and managers may be suspended from their duties,
- Customers must be notified of the nature of the risk,
- Penalties can be up to 2% of annual turnover.
These developments are shifting digital security from a purely technical issue to the core of areas such as corporate strategy, business continuity, supplier security, and investor relations.
New Responsibilities for the Board of Directors in NIS2
NIS2 assigns an active role to boards of directors. Cybersecurity is no longer the responsibility of IT teams but a strategic responsibility of the organisation’s top decision-makers. Management is not only responsible for approving risk management policies but also for overseeing their implementation. This responsibility requires ownership of decisions that directly impact the organisation’s digital resilience.
Who is affected by NIS2?
NIS2 covers highly critical sectors such as energy, transportation, finance, healthcare, public services, digital infrastructure, manufacturing, and research. It also includes digital service providers such as cloud service providers, online marketplaces, search engines, and social media platforms. All companies with over 50 employees or an annual turnover exceeding €10 million are subject to this regulation.
With the new regulation, issues such as supply chain security, third-party risks, data privacy, industrial espionage and cyber threat intelligence have also become the responsibility of organisations.
Compliance with NIS2 requires the establishment of a continuous cybersecurity management system. As of 2025, audit mechanisms will be active, and official registration will be mandatory in many countries. Key steps that organisations should take:
- Certified risk management strategy,
- Incident response plans (preliminary notification within 24 hours, detailed report within 72 hours),
- Business continuity and disaster recovery procedures,
- Supplier and third-party security assessments,
- Periodic security audits and vulnerability scans,
- Awareness training for management and employees,
- Artificial intelligence-powered attack detection systems and zero-trust policies.
The regulation necessitates technical, cultural, and managerial transformation. This process can be integrated with international standards and regulations such as ISO 27001, GDPR, and DORA.
Who should attend our training programmes:
- Managers of critical infrastructure and service provider organisations,
- Information Technology (IT) managers and specialists,
- Cybersecurity, data protection and network security specialists,
- Business continuity, compliance, crisis management and risk management consultants,
- Supply chain and third-party risk management specialists,
- Anyone who wants to improve their skills against cyber threats.
Training programmes offered under the NIS2 Directive:
- NIS2 Awareness Training, 1 day
- NIS2 Lead Implementer, 4 days
The scope of our 1-day NIS2 Awareness Training:
- Introduction to NIS2,
- Scope of NIS2 and Organisations within its scope,
- Core objectives of NIS2,
- Cybersecurity Risk Management Obligations (Article 21),
- Incident Management and Reporting Requirements (early warning, 24-hour response, follow-up reports),
- Business Continuity, Crisis Management, and Resilience Testing,
- Supply Chain and Third-Party Security (contractual terms, monitoring),
- Key Challenges and Solution Recommendations in the Harmonisation Process,
- Comparison of NIS2 with Other International Standards,
- Practical Steps for NIS2 Compliance (GAP analysis, roadmap, governance).
The content of our 4-day Lead Implementer training is as follows:
- Overview of the purpose, scope, and fundamental principles of the NIS2 Directive,
- The cybersecurity risk management approach that organisations must implement,
- Incident detection, response, notification timelines, and reporting to CSIRTs,
- Supply chain security,
- Third-party risk assessment and contractual security requirements,
- Audit tools such as monitoring, security scans, information requests, and evidence provision, along with enforcement measures,
- Compliance roadmap and gap analysis,
- Risk and process improvement steps and requirements for continuous development,
- Best practice examples, common mistakes, and effective NIS2 compliance strategies,
- Final exam.
As CFECERT, we offer comprehensive training and assessment services to organisations through customised, internationally standardised awareness, lead responder training and other critical programmes in line with the European Union’s updated NIS2 Directive and other management systems.
Our training content focuses on high-priority areas such as cyber security risk management, incident response processes, supply chain security, restructuring governance structures and regulatory compliance, with the aim of helping organisations become more compliant, resilient and proactive.
Trust CFECERT’s expertise to prepare for the new responsibilities introduced by NIS2, including management-level accountability, time-sensitive notification obligations, and third-party security. To make your organisation NIS2-compliant and become a leader in digital security, contact us at info@cfecert.co.uk.