Trustlinks free webinar: Turning regulation into resilience – Register now

Get useful tips, learn best practices and read the latest newsThe Trustlinks Blog

NIS2 – New obligations for management board members in 2026 

Guest post Gras i Wspolnicy. NIS2 - new obligations for board members.

This article was written by Mariusz Bonisławski, Solicitor, and Mateusz Grosicki, Advocate and Partner, at Kancelaria Graś i Wspólnicy – a leading Polish law firm specialising in cybersecurity law, compliance, and corporate liability. 

Introduction 

The NIS2 Directive introduces a fundamental shift in the approach to cybersecurity across the European Union. For the first time, it explicitly assigns personal responsibility for cybersecurity to members of governing bodies, including company board members. This means that cybersecurity is no longer exclusively the domain of IT or compliance departments – it becomes an area of direct oversight for senior management. 

In this article we explain: 

  • what the NIS2 Directive is, 
  • who is subject to the new regulations, 
  • what obligations and sanctions apply to members of governing bodies, 
  • how to prepare for the new requirements, based on the state of legislative work as of January 2026. 

What is the NIS2 Directive and why does it matter for boards? 

The NIS2 Directive (Directive of the European Parliament and of the Council (EU) 2022/2555 of 14 December 2022) concerns measures for a high common level of cybersecurity across the EU. It replaces the earlier NIS1 Directive and significantly expands both the scope of entities covered and the range of obligations imposed. 

The Directive does not apply directly, it requires transposition into national law. Member States had until 17 October 2024 to complete this process. 

In Poland, implementation is being carried out through amendments to: 

  • the Act on the National Cybersecurity System, 
  • and certain other acts (draft – Sejm document no. 1955, currently at the parliamentary stage). 

Who does NIS2 apply to? 

The NIS2 Directive covers essential entities and important entities, whose definitions are set out in Article 3 of the Directive. Final lists are to be determined by individual Member States. 

At this stage, businesses can conduct a preliminary self-assessment by analysing, among other things: 

  • whether they meet the criteria for at least a medium-sized enterprise, 
  • whether they operate in sectors covered by NIS2 (e.g. energy, transport, healthcare, digital services, critical infrastructure, trust services), 
  • whether they previously held the status of operator of essential services or a relevant entity. 

How does NIS2 change the liability of governing body members?

The most significant change introduced by NIS2 is the direct assignment of responsibility to governing bodies. Under Article 20(1) of the Directive, governing bodies are required to: 

  • approve cybersecurity risk management measures, 
  • oversee their implementation, 
  • and may be held liable for violations. 


These obligations are personal in nature and cannot be effectively delegated solely to IT departments, external providers, or appointed representatives. 

What cybersecurity measures must boards oversee? 

Entities covered by NIS2 must implement risk management measures, the minimum scope of which is defined in Article 21(2) of the Directive. These include: 

  • policies for risk analysis and information system security, 
  • incident handling procedures, 
  • business continuity mechanisms (backups, data recovery), 
  • crisis management, 
  • supply chain security. 


These measures must be appropriate, proportionate and continuously updated, with oversight resting with the governing bodies. 

Incident reporting obligations: The role of the board

The NIS2 Directive introduces detailed rules for reporting significant cybersecurity incidents (Article 23). While reports are formally submitted by the entity itself, board members are responsible for: 

  • establishing procedures for detecting and assessing incidents, 
  • correctly classifying events, 
  • ensuring that reports are submitted on time and in full. 


A failure to establish procedures or an incorrect assessment of an event may be considered a breach of supervisory duties. 

Must board members have cybersecurity knowledge?

NIS2 does not explicitly require certification or a specific educational background, but in practice it requires members of governing bodies to: 

  • understand cyber risks, 
  • be able to assess the consequences of incidents (legal, financial, operational), 
  • make informed supervisory decisions. 



In practice, this means there is a need for: 

  • management-level training, 
  • ongoing advisory support, 
  • regular cybersecurity reporting. 

Supply chain security as a board responsibility

The NIS2 Directive places particular emphasis on supply chain security. Governing bodies must oversee: 

  • assessment of vulnerabilities among key IT suppliers, 
  • risks arising from dependence on third parties, 
  • the adequacy of contractual provisions relating to cybersecurity. 



A cyberattack affecting a supplier may result in liability on the part of the entity covered by NIS2. 

What sanctions apply for breaching NIS2 obligations?

The NIS2 Directive provides for sanctions against both entities and personal sanctions against individuals performing management functions. Possible sanctions include: 

  • a temporary ban on holding management positions, 
  • administrative financial penalties:  
    – up to €10 million or 2% of global turnover — essential entities, 
    – up to €7 million or 1.4% of global turnover — important entities. 



The draft Polish legislation additionally provides for the possibility of financial penalties against managers within the meaning of the Accounting Act and the Public Finance Act. 

Summary 

The NIS2 Directive fundamentally changes the model of accountability for cybersecurity, shifting the burden of oversight directly onto governing bodies. Board members must be prepared for personal liability — including financial and organisational consequences. 

Even at this stage of the legislative process, it is advisable to: 

  • conduct a compliance audit, 
  • review decision-making structures, 
  • prepare boards for their new supervisory obligations. 

FAQ – NIS2 and Board Liability 

Q: Does NIS2 apply to all companies? 

A: No. The Directive covers essential and important entities operating in specific sectors. 

Q: Can liability be transferred to the IT department? 

A: No. Governing bodies bear personal supervisory responsibility. 

Q: Is a ban on holding board positions possible? 

A: Yes — in extreme cases the Directive provides for such sanctions. 

Q: Is it worth preparing before the legislation comes into force? 

A: Yes. Early action reduces the risk of sanctions and personal liability. 

About Kancelaria Graś i Wspólnicy 

Kancelaria Graś i Wspólnicy is a Polish law firm with extensive experience in cybersecurity law, corporate compliance, and regulatory matters. As a partner of Whistleblowing Solutions AB, provider of Whistlelink and Trustlinks, the firm works closely with organisations across Poland to help them understand and meet their obligations under the NIS2 Directive and other EU regulations as transposed into Polish law. 

For more information about their services, please visit kglegal.pl

Looking for a secure and user-friendly compliance solution?Share your details, and we’ll contact you to discuss how Trustlinks can help.

Talk with Territory Manager
Annelie Demred

WHISTLELINK BLOGWhat to read next...​

The rising compliance challenge for small and medium-sized organisations 
What is DORA? A simple guide to the EU’s new Digital Operational Resilience Law
Get compliant with NIS2 in 3 easy steps

Book a meeting

Send us a message and our team will get back to you shortly.
Trustlinks logo white.

Talk to Sales

Have questions about pricing, frameworks, or how Trustlinks fits your organisation? Our team is here to help you find the right approach.

→ Or explore our Frequently Asked Questions

Get Product Support

Need help using the platform or experiencing an issue? Our support team is ready to assist you.

Contact us