NIS2 Explained: Cybersecurity Moves from IT to the Boardroom
For many years, cybersecurity was treated as a technical issue. It belonged to the IT department, the CISO, or an external service provider. If systems were protected, backups were running, and security tools were in place, many management teams assumed the organization was reasonably prepared. The short version of NIS2 is that this assumption is no longer enough.
The updated EU cybersecurity directive makes it clear that cyber risk is no longer only an operational IT concern. It is a management responsibility. Leaders, boards, and executive teams must understand how their organization is exposed, how incidents would be handled, and whether suppliers and partners meet the necessary security expectations.
The question is no longer only: Is IT handling security? It is also: Can management prove that the business is prepared?
That shift matters. Cyberattacks are increasing, AI is creating new attack surfaces, suppliers are becoming common entry points, and sensitive data can quickly end up in the wrong hands. For organizations across the Nordics and Europe, NIS2 is not just another compliance requirement. It is a signal that cybersecurity has become a core part of business resilience.
A Broader Framework for a Changing Threat Landscape
NIS2 (Directive (EU) 2022/2555) replaces the original EU Network and Information Security Directive of 2016 (Directive (EU) 2016/1148). Its purpose is to strengthen cybersecurity and digital resilience across Europe, covering both public and private sector organizations. Member states were required to transpose it into national law by 17 October 2024, so the obligations now arrive through national legislation rather than directly from Brussels.
The directive names the sectors it covers explicitly: among them energy, transport, banking and financial market infrastructure, health, drinking and waste water, digital infrastructure and ICT service providers, public administration, and further sectors such as postal services, manufacturing and digital platforms. But one of the most important changes is that the scope reaches beyond the most obvious critical infrastructure providers. Supply chain security is itself one of the required risk-management measures, so suppliers are also part of the picture.
A company delivering essential services to a bank, transport provider, public-sector organization, or critical infrastructure operator may now be expected to meet higher cybersecurity standards. It may also need to support incident reporting if something goes wrong, and the deadlines are tight: a covered entity must send an early warning to its national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. A supplier that cannot give its customer the facts fast enough puts that customer's reporting obligation at risk. In practice, this means NIS2 can affect organizations that may not immediately see themselves as part of critical infrastructure, but that still support customers who are. This is why the directive is relevant far beyond IT departments. It affects contracts, supply chain security, reporting routines, data handling, access management, and daily ways of working.
Cybersecurity Can Be Delegated – Responsibility Cannot
The biggest change with NIS2 is not only what companies need to do. It is who must take responsibility. The directive is explicit about this: management bodies must approve the organization's cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements, and they are themselves required to follow training so that they can judge the risks. That does not mean leaders must become technical experts. But they do need to know whether the organization has the right processes, policies, routines, and internal resources in place.
They need to understand which systems are critical. They need to know where sensitive data is located. They need visibility into who has access to what. They need to know which suppliers are essential to operations, and whether those suppliers meet the organization’s security expectations.
This also applies when IT services are outsourced. A company may use a managed IT provider, a cloud partner, or a cybersecurity advisor, but it cannot outsource accountability. If a supplier has access to systems, infrastructure, or sensitive data, that supplier becomes part of the company’s risk picture. In other words: cybersecurity tasks can be delegated, but responsibility cannot.
The Supply Chain Is Now Part of the Attack Surface
One of the most important lessons from recent cyber incidents is that attackers do not only target the main organization. They also look for weaker links around it. “Suppliers and vendors often become the entry point – so you must control the entire chain, not just your own organization,” says Robin Frantzen, Cloud Business Development Manager at NetNordic.
A company may have strong internal security, but still be exposed through a vendor, a support process, a poorly governed cloud environment, or a supplier with insufficient controls. This is why NIS2 puts more pressure on organizations to understand and manage their supply chains.
For companies delivering into sectors such as finance, transport, public services, or digital infrastructure, cybersecurity maturity may become a commercial requirement. Customers may increasingly ask for documentation, processes, incident routines, and evidence that suppliers can meet their expectations. Organizations that cannot show this maturity may struggle to deliver into certain markets. That makes NIS2 not only a regulatory issue, but also a business issue.
AI and Shadow IT Make Visibility More Important
The timing of NIS2 is important. It arrives at a moment when the threat landscape is changing quickly. AI is making it cheaper and easier to scale certain types of cyber activity. Attackers can use automation to identify exposed systems, test credentials, create phishing material, and search for weaknesses. At the same time, employees are adopting AI tools and cloud services at high speed, often before organizations have created clear policies for their use. This creates a visibility problem.
“Shadow IT and uncontrolled use of AI tools are one of the biggest challenges – because you lose visibility of where your data actually goes,” Frantzen points out.
Many organizations already struggle with shadow IT: tools, applications, and services used by employees without formal approval. Sensitive information may be entered into unapproved tools. Data may be processed in environments outside the organization’s control. New systems may be introduced without clear ownership.
That is why management needs a stronger overview of technology use. Which tools are being used? Who approved them? Where does the data go? Who owns the risk? Who reports back to management?
For some organizations, this may require appointing clear ownership for AI and new technologies, for example through an AI officer, security owner, or governance role. The important point is that new tools cannot simply appear inside the organization without anyone being responsible for them. If no one owns the tools, no one owns the risk.
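The visibility questions above (which tools are in use, who uses them, where the data goes) can be answered in part from the logs an organization already has. The following is an added example, not code from NetNordic or from the article: it scans outbound proxy records for known generative-AI and file-sharing services that are not on the approved list and reports who is uploading how much to them. The log format, the sample lines, the approved-host list and the watchlist suffixes are all constructed assumptions for illustration.

```python
"""Spot unapproved AI and file-sharing tools from outbound proxy logs.

Added example. The record layout, sample log lines, approved-host set and
watchlist suffixes are constructed assumptions, not taken from any real
environment or product.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of outbound proxy records: "time user method host bytes_out"
SAMPLE_PROXY_LOG = """\
2025-03-03T09:12:01Z alice POST api.approved-crm.example 1200
2025-03-03T09:13:40Z bob POST chat.ai-tool.example 248000
2025-03-03T09:14:02Z bob POST chat.ai-tool.example 512000
2025-03-03T09:20:11Z carol GET news.example 0
2025-03-03T09:25:33Z dave POST files.sharing-service.example 8400000
2025-03-03T09:30:00Z alice POST chat.ai-tool.example 1024
malformed line that should be skipped
"""

# Tools the organization has formally approved (assumed list).
APPROVED_HOSTS = {"api.approved-crm.example"}

# Domain suffixes of generative-AI / file-sharing services to watch (assumed list).
WATCHLIST_SUFFIXES = (".ai-tool.example", ".sharing-service.example")


@dataclass
class ToolUsage:
    users: set = field(default_factory=set)
    uploads: int = 0      # number of POST/PUT requests
    bytes_out: int = 0    # bytes sent to the service in those requests


def parse_line(line):
    """Parse one whitespace-separated proxy record; return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    time, user, method, host, bytes_out = parts
    try:
        return time, user, method.upper(), host.lower(), int(bytes_out)
    except ValueError:
        return None


def is_watched(host):
    return any(host.endswith(suffix) for suffix in WATCHLIST_SUFFIXES)


def find_unapproved_usage(log_text, approved=APPROVED_HOSTS, min_upload_bytes=100_000):
    """Return {host: ToolUsage} for watched hosts that are not approved.

    Only POST/PUT requests are counted as uploads, since those carry data out
    of the organization. A host is reported once its uploads reach
    min_upload_bytes in total, which filters out a single accidental visit.
    """
    usage = defaultdict(ToolUsage)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _, user, method, host, bytes_out = rec
        if host in approved or not is_watched(host):
            continue
        entry = usage[host]
        entry.users.add(user)
        if method in ("POST", "PUT"):
            entry.uploads += 1
            entry.bytes_out += bytes_out
    return {h: u for h, u in usage.items() if u.bytes_out >= min_upload_bytes}


def report(findings):
    """Render findings as one line per service, largest data flow first."""
    ordered = sorted(findings.items(), key=lambda kv: -kv[1].bytes_out)
    return [
        f"{host}: {len(u.users)} user(s), {u.uploads} upload(s), "
        f"{u.bytes_out} bytes out; no approval or owner on record"
        for host, u in ordered
    ]


if __name__ == "__main__":
    for line in report(find_unapproved_usage(SAMPLE_PROXY_LOG)):
        print(line)
```

The output is a short list that management can act on: which unapproved service, how many people, and how much data has already left. In practice the same logic runs over DNS or secure web gateway logs, and the watchlist is maintained as the AI and SaaS landscape changes.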
Compliance Starts in Everyday Work
NIS2 will not only affect policies and board-level discussions. It will also influence everyday behavior. Employees will need to be more aware of which tools they use and which information they share. Document sharing is one example. Many organizations still send sensitive documents as email attachments, even when more secure methods are available. If those documents contain personal data, business-critical information, or customer details, poor sharing practices can become a security risk.
Access management is another key area. Organizations must understand who has access to which systems, why they have that access, and whether it is still needed. This includes employees, administrators, suppliers, managed service providers, and potentially AI agents or service accounts.
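An access review of the kind described above boils down to a handful of checks that can be run over an export of current grants. The following is an added example, not code from NetNordic or from the article: it takes a constructed list of access grants covering employees, a managed service provider and service accounts, and flags the cases a reviewer should look at first. The grant fields, the 90-day staleness window and the sample records are assumptions for illustration.

```python
"""Access recertification check: who has access, why, and is it still needed.

Added example. The grant record layout, the review rules and the sample data
are constructed assumptions, not taken from any real IAM system.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Fixed review date so the sample is reproducible (assumption).
TODAY = date(2025, 3, 3)
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    principal: str              # user, supplier or service-account name
    kind: str                   # "employee", "supplier" or "service"
    system: str
    role: str                   # "user" or "admin"
    owner: Optional[str]        # who is accountable for this access
    justification: Optional[str]
    last_used: Optional[date]
    expires: Optional[date]


# Constructed sample: employees, a managed service provider, a service account
# and a contractor whose access should already have ended.
SAMPLE_GRANTS = [
    Grant("alice", "employee", "erp", "user", "it-lead", "finance team",
          TODAY - timedelta(days=3), None),
    Grant("bob", "employee", "erp", "admin", "it-lead", None,
          TODAY - timedelta(days=5), None),
    Grant("msp-support", "supplier", "vmware-mgmt", "admin", "ops-lead",
          "support contract", TODAY - timedelta(days=120), None),
    Grant("svc-backup", "service", "backup-server", "admin", None,
          "nightly backups", TODAY - timedelta(days=1), None),
    Grant("contractor-x", "supplier", "crm", "user", "sales-lead", "pilot",
          TODAY - timedelta(days=10), TODAY - timedelta(days=30)),
]


def review_grants(grants, today=TODAY, stale_after=STALE_AFTER):
    """Return {principal: [reasons]} for every grant that needs attention.

    The rules mirror the questions in the text: is there an accountable owner,
    is privileged access justified, is the access still used, and is
    third-party access time-boxed.
    """
    findings = {}
    for g in grants:
        reasons = []
        if g.owner is None:
            reasons.append("no accountable owner")
        if g.role == "admin" and not g.justification:
            reasons.append("privileged role without justification")
        if g.last_used is None or today - g.last_used > stale_after:
            reasons.append(f"unused for >{stale_after.days} days")
        if g.kind == "supplier" and g.expires is None:
            reasons.append("supplier access without expiry")
        if g.expires is not None and g.expires < today:
            reasons.append("expired but still active")
        if reasons:
            findings[g.principal] = reasons
    return findings


def summarize(findings):
    """One line per flagged principal, for the review meeting."""
    return [f"{p}: " + "; ".join(r) for p, r in sorted(findings.items())]


if __name__ == "__main__":
    for line in summarize(review_grants(SAMPLE_GRANTS)):
        print(line)
```

Nothing here is sophisticated, and that is the point: the hard part of access management is usually not the check but having an export of all grants, including supplier and service accounts, with an owner and a reason attached to each one. Where a grant has no owner, the script has nobody to send the question to, which is exactly the gap management needs to close.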
Training also needs to become more practical. Generic awareness training is not enough. Employees and leaders need to understand realistic scenarios: suspicious emails, unusual access requests, data sharing mistakes, supplier incidents, unapproved AI tools, and potential breaches.
NIS2 pushes organizations toward a more proactive security culture. Not everyone needs to become a cybersecurity specialist, but security needs to become part of how people work.
The Biggest Mistake Is Waiting
A common mistake is to treat NIS2 as something to deal with later. Many organizations did the same with GDPR, acting only when enforcement and fines became visible. That is a risky approach.
Waiting can become expensive. Companies may face fines, customer demands, operational disruption, reputational damage, or loss of market access. More importantly, weak cybersecurity can expose sensitive data and affect real people. When personal information ends up on the dark web, the damage does not end when the technical incident is closed.
Another common mistake is treating NIS2 as an IT project. If management does not engage, the organization may end up with technical measures but no real governance. Policies may exist on paper, but not in daily practice. Suppliers may be used without proper assessment. Access rights may remain unclear. Shadow IT may continue unnoticed. The organizations that prepare early will be in a stronger position – not only with regulators, but also with customers, partners, and employees.
Start With a Maturity Assessment
For leaders, the best starting point is not to try to solve everything at once. It is to understand the current level of maturity. A maturity assessment or gap analysis can help answer the most important questions: What policies and processes do we already have? Which systems and data are most critical? Who has access to what? Which suppliers and vendors are essential? Do we have control over shadow IT and AI tools? Who owns cybersecurity, cloud services, and incident response? Are we prepared to report and respond if something happens? This gives management a clear view of where the organization stands today and which gaps should be closed first.
From there, companies can take practical steps: clarify ownership, map suppliers, review access rights, adopt Zero Trust principles, update document-sharing policies, control AI usage, train employees on realistic scenarios, and work with an experienced partner where internal expertise is limited.
Smaller organizations should not try to build everything at once. They should focus on the most critical systems, suppliers, data, and processes first. The goal is not complexity. The goal is control.
From Compliance to Cyber Resilience
NIS2 should not only be seen as a compliance burden. It is an opportunity to build stronger, more resilient organizations. The directive forces management teams to ask questions they should already be asking. Do we understand our risks? Do we know our suppliers? Do we control access? Do we know where our data is? Are we prepared for an incident? Can we prove that our routines work?
Cybersecurity has become a leadership issue because digital risk is now business risk. Leaders do not need to know every technical detail, but they do need to take ownership.
The organizations that start now – with visibility, governance, and a clear understanding of their current maturity – will be better prepared for NIS2, for customer expectations, and for the threat landscape that made the directive necessary in the first place.