Values, ideas. EFit-partners, the reference in administration, management, installation
and maintenance of computer networks

Cybersecurity at the heart of governance

Compliance with the NIS 2 directive requires a board-led risk management approach, including the appointment of a designated officer, the assessment of critical assets, staff training, and the preparation of business continuity and incident response plans.

  • Decision: Management must formally appoint a Chief Information Security Officer (CISO), who may be an internal resource, an external one, or a board member trained for this purpose.
  • Key Point: The personal liability of executives is engaged in the event of serious failure to meet cybersecurity obligations, transforming compliance into a strategic issue rather than a simple IT cost.
  • Action: Conduct a risk assessment by identifying the company’s critical assets (the ‘crown jewels’) and prioritizing the most likely threats such as phishing and ransomware.
  • Action: Develop a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP), ensuring that backups follow the ‘3-2-1-0’ rule (3 copies, 2 media types, 1 offline copy, 0 errors when restores are tested).
  • Identified Risk: Non-compliance with the directive exposes the company to fines of up to €10 million or 2% of turnover, as well as commercial sanctions and a loss of customer trust.
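As an added illustration of the ‘3-2-1-0’ backup rule from the action item above (example code written for this page, not EFit-partners’ own tooling), the check below evaluates a constructed backup inventory against each of the four criteria; the copy locations, media names and the `restore_errors` field are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    location: str                  # constructed label for where the copy lives
    medium: str                    # media type, e.g. "disk", "tape", "object-storage"
    offline: bool                  # True if air-gapped / unreachable from the production network
    restore_errors: Optional[int]  # errors in the last restore test; None = never tested


def check_3_2_1_0(copies):
    """Evaluate a backup inventory against the 3-2-1-0 rule.

    Returns one boolean per criterion plus an overall verdict. A copy that has
    never been restore-tested (restore_errors is None) fails the '0 errors'
    criterion, because an unverified backup cannot be relied on in a DRP.
    """
    media = {c.medium for c in copies}
    result = {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offline": any(c.offline for c in copies),
        "zero_errors": all(c.restore_errors == 0 for c in copies),
    }
    result["compliant"] = all(result.values())
    return result


def failures(copies):
    """List the criteria that are not met, in rule order."""
    labels = {
        "three_copies": "fewer than 3 copies",
        "two_media": "fewer than 2 media types",
        "one_offline": "no offline copy",
        "zero_errors": "untested copy or restore-test errors",
    }
    verdict = check_3_2_1_0(copies)
    return [msg for key, msg in labels.items() if not verdict[key]]


# Constructed inventory: on-site disk, offline tape vault, and a cloud copy.
GOOD = [
    BackupCopy("hq-nas", "disk", False, 0),
    BackupCopy("tape-vault", "tape", True, 0),
    BackupCopy("cloud-bucket", "object-storage", False, 0),
]
# Constructed inventory with three copies that still fails: nothing is offline
# and the branch copy has never been restore-tested.
BAD = [
    BackupCopy("hq-nas", "disk", False, 0),
    BackupCopy("branch-nas", "disk", False, None),
    BackupCopy("cloud-bucket", "object-storage", False, 0),
]

if __name__ == "__main__":
    for name, inventory in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_3_2_1_0(inventory)["compliant"], failures(inventory))
```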
