Question 1

Does NIS2 apply to our organisation if we are not formally classified as an essential entity?

Accepted Answer

The scope of NIS2 is broader than many companies assume. Even if your organisation is not directly classified as essential or important, it may be covered indirectly — through supply chain requirements, client obligations, banks, insurers or international partners.

Question 2

Is ISO 27001 certification mandatory under NIS2?

Accepted Answer

NIS2 does not mandate ISO 27001 certification, but in practice this standard is one of the most recognised frameworks for demonstrating the maturity of an information security management system. In many industries it is becoming a market standard.

Question 3

Does board-level liability really apply?

Accepted Answer

Yes. NIS2 explicitly assigns liability to management bodies for overseeing the cybersecurity system. This includes approving security measures, monitoring their effectiveness and ensuring adequate resources.

Question 4

How long does it realistically take to prepare an organisation?

Accepted Answer

It depends on the level of maturity. Organisations with an established risk management framework can implement the requirements within a few months. Without governance structures, the process may be more complex and require a phased approach.

Question 5

Which departments should be involved?

Accepted Answer

Cybersecurity under NIS2 is not an IT project. The process should involve the board, IT, compliance, risk management, HR (training & awareness), legal and operations. In many cases procurement and supplier management are also essential.

Question 6

What are the consequences of not being prepared?

Accepted Answer

Consequences include the risk of administrative sanctions, personal liability for board members, loss of contracts, increased cyber insurance costs and reputational damage.

Question 7

What is the difference between an 'implementation project' and a systemic approach?

Accepted Answer

An implementation project ends once the documents are prepared. A systemic approach means continuous risk monitoring, updating evidence of compliance, managing incidents and operational reporting in a continuous compliance model.

Question 8

What does the incident reporting obligation look like?

Accepted Answer

NIS2 introduces specific reporting deadlines and requires rapid submission of initial incident notifications. An organisation must have procedures for detecting, classifying, escalating and formally reporting events to the competent authority.

Question 9

Are additional technology investments required?

Accepted Answer

In many cases, the key factor is not new tools but the integration of existing systems, organising assets, risk registers and evidence of compliance. Technology supports the process, but governance is the foundation.

Question 10

Is this series suitable for organisations just starting their preparations?

Accepted Answer

Yes. The sessions are designed to provide boards with a clear action roadmap regardless of their current level of readiness. Participants receive a decision-making framework that helps determine the next step.

Cybersecurity, NIS2 and ISO 27001 are changing the rules of the game.

The new reality: geopolitics, the market and regulatory consequences

Implementation that works: continuous compliance

Documents, evidence and market requirements

Audit, reporting and verification

FAQ — Questions from Boards & Managers