
NIS2: Cyber governance as a boardroom matter

EU flag blowing in the wind.

Cybersecurity is no longer just an IT concern — it's a boardroom issue. The EU's NIS 2 Directive, now implemented in Italy through Legislative Decree No. 138/2024, makes company leaders directly responsible for managing cyber risks. Boards must oversee policies, training, and incident response, and be ready to show regulators how cyber resilience is built into their governance. With wide sector coverage and new supplier obligations, NIS 2 raises the bar for corporate accountability. For companies, it's not only about compliance — it's about protecting trust, reputation, and the business itself.

Directive (EU) 2022/2555 (the “NIS 2 Directive”) places cybersecurity within the remit of corporate governance, reaching far beyond the original NIS framework. Implemented in Italy through Legislative Decree No. 138/2024 (the “Italian NIS 2 Decree”; together with the NIS 2 Directive, “NIS 2”), NIS 2 elevates cyber resilience to a matter of corporate governance and personal accountability at board level.

From board training and governance arrangements to supplier management and cross-border compliance, NIS 2 requires proactive engagement from corporate leadership and makes oversight of cyber risk a statutory responsibility.

At Hogan Lovells, we are advising international and Italian clients on getting their NIS 2 obligations right — from entity classification and board governance to drafting policies, contract repapering, training, and multi-jurisdictional compliance strategies, helping them assess exposure and design a governance framework that can withstand scrutiny.

***

What is changing, and why does it matter for corporates and equity portfolio companies?

Where the first NIS Directive left wide discretion and led to uneven enforcement, NIS 2 closes the gap. Its reach extends far beyond traditional “critical infrastructure,” covering “essential” and “important” entities across sectors as diverse as providers of public electronic communications, digital services, energy, health, transport, manufacturing, water supply and many more.

Boards are directly accountable for approving and overseeing cybersecurity strategies, risk management policies, and incident response plans, as well as for undertaking training and offering similar training to employees. Delegation is possible, but ultimate liability remains with the board.

What’s new is not only the expansion of the regulatory perimeter, but also the shift in mindset: from formal compliance to substantive, documented risk governance. Boards must be able to demonstrate that cyber risk management is embedded in the company’s DNA — through dedicated training, documented minutes, periodic reports, and, for companies subject to the Italian NIS 2 Decree, regular reviews before the Italian Cybersecurity Agency (ACN).

Under the Italian NIS 2 Decree, failure to do so exposes the board of directors to administrative fines up to €10 million or 2% of global turnover, and in severe cases, temporary disqualification from executive roles.

What makes NIS 2 so demanding?

Given the cross-border and sectoral complexity that will shape NIS 2 implementation and enforcement, the following areas are likely to become focal points for boards and compliance officers:

  • Extraterritoriality: Non-EU companies subject to NIS 2 doing business within the EU must appoint an EU representative and align with local supervisory authorities — echoing the GDPR’s and AI Act’s models but with more operational complexity.
  • Fragmentation risk: Although NIS 2 seeks harmonisation, Member States will still exercise supervisory powers nationally. Save for some exceptions (for instance, digital service providers), clients operating across different Member States will in practice face multiple regulators, multiple audits, and potentially inconsistent interpretations.
  • Supply chain liability: NIS 2 requires scrutiny of supplier and third-party cybersecurity measures. For global groups with complex procurement chains, this can mean re-papering vendor contracts, re-mapping risk acceptance policies, and re-training procurement teams.
  • Multi-regime exposure: Financial entities are primarily under the Digital Operational Resilience Act (DORA), but NIS 2 continues to apply at the margins. Personal data incidents often straddle, among others, NIS 2 and GDPR reporting obligations, exposing firms to “double jeopardy” unless coordination is carefully managed.

What should boards do now? Turning NIS 2 into a governance agenda

For Boards and General Counsels, NIS 2 should be viewed not as a technical IT requirement, but as a core governance duty. Key priorities include:

  • Determine exposure. Conduct a classification analysis to assess whether the company qualifies as an essential or important entity.
  • Reinforce oversight. Review board procedures and D&O coverage in light of directors’ responsibilities.
  • Strengthen the supply chain. Update procurement frameworks and vendor templates to include cybersecurity certification, audit, and reporting clauses.
  • Integrate reporting regimes. Develop a unified notification playbook that aligns NIS 2, GDPR, DORA, and sector-specific frameworks.
  • Adopt required policies. Implement and maintain updated, comprehensive policies covering, among others, risk management, incident response, and business continuity, ensuring alignment with internal governance and regulatory obligations.

On timing, the Italian NIS 2 Decree sets an explicit timeline:

  • By 1 January 2026, entities in scope must be ready to meet incident-notification obligations.
  • By October 2026, they must comply with:
    • the governance and management duties under Article 23 of the Italian NIS 2 Decree,
    • the risk-management and security implementation requirements under Article 24 of the Italian NIS 2 Decree, and
    • the domain registration data retention obligations under Article 29 of the Italian NIS 2 Decree.


Authored by Alessandro Seganfreddo, Giulia Mariuz, Maria Lucia Passador, and Cecilia Canova.
