
October is European Cybersecurity Month (ECSM) - an annual initiative dedicated to raising awareness about online safety and empowering individuals and organizations to protect themselves from cybercrime. And it couldn’t come at a more critical time.
Did you know that cyber-attacks have cost Europe’s four largest economies an estimated €307 billion between 2020 and 2025? As digital transformation accelerates across every sector, the risks and responsibilities for business leaders have never been higher.
The second Network and Information Security Directive (NIS2, Directive (EU) 2022/2555) is the European Union's latest and most comprehensive framework to strengthen cybersecurity across Member States; Member States had to transpose it into national law by 17 October 2024. It builds on the original NIS Directive, introducing tougher requirements, a broader scope and, most notably, personal accountability for senior executives.
Under NIS2, the members of an entity's management body can be held personally liable for infringements of the cybersecurity risk-management obligations (Article 20). This marks a significant cultural shift: cybersecurity is no longer just for the server room - it belongs in the boardroom.
The Directive applies to organizations in critical sectors such as digital infrastructure, transport, finance, energy, healthcare, and manufacturing. However, its ripple effects will be felt across the wider business ecosystem, especially through supply chains and third-party vendors: covered entities must address the security of their suppliers and service providers as one of their required risk-management measures, so a company outside the Directive's scope can still inherit NIS2 expectations through its customers' contracts.
Organizations must establish robust cybersecurity risk management practices. This includes:
The goal? To proactively reduce exposure to cyber threats and limit potential damage. The measures must be proportionate to the entity's risk exposure, size and the likely impact of an incident, and must follow an all-hazards approach, covering physical and environmental threats to network and information systems as well as cyber ones.
Senior management must approve the cybersecurity risk-management measures, oversee their implementation, follow regular training themselves, and ensure that risks are reassessed continuously rather than once.
Failure to comply may result in administrative fines (for essential entities up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities up to €7 million or 1.4%), temporary bans on individuals exercising managerial functions in an essential entity, or personal liability for the management body.
Entities must have processes for prompt reporting of significant security incidents to their national CSIRT or competent authority.
NIS2 sets out strict, staged notification timelines: an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, intermediate updates on request, and a final report within one month. The early warning only needs to say whether the incident is suspected to be malicious or to have cross-border impact; the point of the short deadline is to let national authorities respond rapidly to cyber crises, not to demand a complete analysis.
Every organization in scope must plan for how to maintain operations during and after a cyber incident, including backup management, disaster recovery and crisis management.
That means:
In addition to these four pillars, NIS2 requires essential and important entities to implement 10 minimum cybersecurity measures (Article 21(2)), covering:
1. Policies on risk analysis and information system security.
2. Incident handling.
3. Business continuity, such as backup management and disaster recovery, and crisis management.
4. Supply chain security, including the security of relationships with direct suppliers and service providers.
5. Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.
6. Policies and procedures to assess the effectiveness of the cybersecurity risk-management measures.
7. Basic cyber hygiene practices and cybersecurity training.
8. Policies and procedures on the use of cryptography and, where appropriate, encryption.
9. Human resources security, access control policies and asset management.
10. The use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.
Each of these is designed to address specific, foreseeable cyber risks and enhance the overall resilience of Europe’s digital infrastructure.
To prepare your organization for NIS2 compliance and protect your reputation and continuity - Friisberg recommends that senior leadership teams take the following actions now:
As Europe marks Cybersecurity Month, the message from regulators is clear: safeguarding our digital future requires collective responsibility, from policymakers to boardrooms.
By embracing the principles of NIS2 and embedding cybersecurity into your governance and strategy, your organization not only achieves compliance but also earns the trust of clients, partners, and employees.
Because in today’s digital economy, cybersecurity is not just protection - it’s a competitive advantage.