
Cybersecurity Used to Be IT's Problem. NIS2 Just Made It Yours.

What every business leader needs to know before June 30, 2026
29 March 2026
Louis Collard

NIS2 and Director Liability: What the Law Actually Says

Since October 2024, a European directive has applied to tens of thousands of companies across Europe. 

Its name: NIS2

Its most significant change isn't technical but personal. 
For the first time, you (the business leader) are personally responsible for your company's digital security.

The scenario no one wants to live through

Picture this: Monday morning, your systems are locked. A cyberattack has brought operations to a standstill. Customer data is exposed. Within 24 hours, you have a legal obligation to notify the authorities.

Weeks later, the investigation reveals that your company had no formally approved risk management plan. That incidents weren't being tracked. That there was no paper trail.

The problem isn't your IT team but you. Because NIS2 says so, in black and white.

What the law actually says

Article 20 of the NIS2 Directive is unambiguous: management bodies of essential and important entities must approve cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements [1]. Operational implementation may be delegated, but approval and oversight cannot.

Check now whether your company is in scope of NIS2.

And the penalties are serious [1]. Essential entities face fines of up to €10 million or 2 % of global annual turnover. Important entities can be fined up to €7 million or 1.4 % of turnover.

These fines hit the company, but your personal liability as a director can be engaged directly. In some EU Member States, a temporary suspension from management functions is also on the table [2].

Why it happens: the blind spots in your organisation

In most SMEs, digital security lives in a corner. One document here, a spreadsheet there, reports nobody really reads. Each team handles their slice, but no one has the full picture.

When an authority asks to see evidence of your decisions, your risk history, your incident log... you have nothing to show. Not because nothing happened, but because it’s scattered across a dozen places.

Cybersecurity is no longer treated as a purely technical compliance exercise. It has increasingly become a matter of enterprise risk management and corporate governance [3]. NIS2 translates that shift into concrete legal obligations.

What it actually requires: approve, monitor, decide

Being responsible doesn’t mean becoming a cybersecurity expert. No one expects you to configure a firewall. What’s expected is that you can answer three straightforward questions:

  1. What risks has my company identified?
  2. What are we doing to reduce them?
  3. If something goes wrong, do we know about it and do we respond?

These are leadership questions, not technical ones. And to answer them, you need a consolidated view, not ten different tools.

The good news: it's not as big as it looks

In January 2026, the European Commission proposed targeted amendments to NIS2 aimed at simplifying compliance and reducing the burden on companies, particularly small and medium-sized businesses [4]. The direction is clear: make compliance more accessible, not more painful.

What you need isn’t a new tool to learn, a dedicated team to hire, or an open-ended consulting budget. You need everything in one place: inside the tools your teams already use.

A system your teams already know

That's exactly what Prismtech's GRC module for Odoo delivers. Risk tracking, incident management, decision traceability, audit readiness: everything happens inside the Odoo environment your teams work in every day. No double entry, no new platform to deploy, no resistance to change.

You stay in control. Your teams keep working as usual. And if an auditor comes knocking, you have something to show them.

NIS2 has made cybersecurity a leadership issue. You might as well have the right tools to handle it.

Discover the Prismtech GRC module.


References
[1]  European Union, Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive), art. 20 and 34, EUR-Lex, accessed March 29, 2026. https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng
[2]  DLA Piper, “NIS2 Directive Explained: Management Bodies Rules,” November 2025. https://www.dlapiper.com/en/insights/publications/2025/11/nis2-directive-explained-part-2-management-bodies-rules
[3]  IAPP, “EU Cybersecurity Reboot: Practical Impacts of the Proposed NIS2 and CSA2 Reforms,” January 2026. https://iapp.org/news/a/eu-cybersecurity-reboot-practical-impacts-of-the-proposed-nis2-and-csa2-reforms
[4]  European Commission, Proposal for a Directive COM(2026) 13 — Simplification Measures and Alignment with the Cybersecurity Act, January 20, 2026. https://digital-strategy.ec.europa.eu/en/library/proposal-directive-regards-simplification-measures-and-alignment-cybersecurity-act