NIS2 is live: what boardroom liability means for your business in Belgium

NIS2 is live in Belgium. CEOs and board members face personal liability. Learn how to secure your organisation and supply chain with a unified SASE platform.

Belgium transposed NIS2 into national law in April 2024, months ahead of most EU member states. If your organisation falls under the directive’s expanded scope, enforcement is already happening. Board members can now be held personally liable for inadequate cybersecurity measures, with fines reaching €10 million or 2% of global turnover.

This is not an IT problem. It is a boardroom problem.

Quick overview: NIS2 liability in six points

  • NIS2 extends beyond critical infrastructure to “important” entities including manufacturing, food production, waste management and postal services

  • Belgium leads enforcement in Europe, with national law active since April 2024

  • CEOs and board members face personal liability for failing to approve and oversee security measures

  • Maximum fines reach €10 million or 2% of worldwide annual turnover

  • Article 21 requires organisations to manage supply chain security risks from direct suppliers

  • Large enterprises now demand security evidence from their SME partners, creating compliance pressure throughout the value chain

Why NIS2 changes the conversation

Previous EU cybersecurity regulation focused narrowly on operators of essential services: energy companies, banks, healthcare providers. NIS2 expands the definition dramatically. A mid-sized manufacturer supplying automotive parts now falls under the same regulatory framework as a power grid operator.

The shift from “critical” to “important” entities catches many organisations off guard. Food producers, waste management companies, postal services and broad manufacturing sectors are now subject to mandatory security requirements and incident reporting obligations.

Belgium’s early transposition means local companies cannot wait for other member states to clarify implementation details. The rules apply now. Regulators have authority to audit, investigate and sanction.

Personal liability for board members

NIS2 introduces something new to European cybersecurity regulation: direct accountability at the executive level. Board members who fail to approve appropriate security measures, or who neglect oversight responsibilities, can be held personally liable.

This goes beyond corporate fines. Individual directors face professional consequences and potential personal financial exposure. The regulation requires that management bodies receive training to understand cybersecurity risks. Claiming ignorance is no longer a valid defence.

The intent is clear. Cybersecurity decisions belong in the boardroom, not buried in IT budgets. When a breach occurs, regulators will ask what the board knew, what they approved and how they monitored implementation.

Category           | Sector examples                               | Maximum fine         | Liability model
Essential Entities | Energy, transport, banking, healthcare, water | €10M or 2% turnover  | Personal liability for board members
Important Entities | Food, waste, manufacturing, postal            | €7M or 1.4% turnover | Ex-post supervision

Supply chain security under Article 21

Article 21 creates obligations that extend beyond your own organisation. You are responsible not only for your internal security posture but also for risks introduced by your direct suppliers. This “duty of care” principle forces organisations to evaluate, monitor and document the security practices of their partners.

For large enterprises classified as Essential Entities, this means demanding rigorous security evidence from every supplier in the chain. The effect trickles down to SMEs who may have previously operated without formal security frameworks. A manufacturing company with 150 employees suddenly needs to demonstrate compliance because their largest customer requires it for their own NIS2 obligations.

This creates both pressure and opportunity. SMEs that can demonstrate clear, auditable security controls gain competitive advantage. Those that cannot risk losing contracts with larger partners who face their own regulatory obligations.

Common compliance mistakes

  • Treating NIS2 as an IT project. The regulation explicitly requires board-level involvement. Delegating everything to the IT department and signing off once a year will not satisfy auditors. Board members must understand the measures, approve the budget and maintain ongoing oversight.

  • Ignoring supply chain requirements. Many organisations focus entirely on internal controls while neglecting Article 21 obligations. When regulators investigate an incident, they will examine how you assessed and managed supplier risks.

  • Assuming compliance transfers from other frameworks. Having ISO 27001 certification helps but does not automatically satisfy NIS2 requirements. The regulation demands specific incident reporting timelines, supply chain risk management and demonstrated board accountability that existing certifications may not fully address.

  • Waiting for enforcement actions elsewhere. Some organisations adopt a “wait and see” approach, hoping to learn from others’ mistakes. With Belgium already in enforcement mode, this strategy carries significant risk. Early compliance also provides commercial advantage when larger partners evaluate their supply chains.

  • Relying on point solutions without central visibility. NIS2 requires organisations to demonstrate appropriate “technical and organisational measures.” A patchwork of disconnected security tools makes it difficult to provide the unified logging, access control documentation and policy enforcement evidence that auditors expect.

How European vendors address data sovereignty concerns

American security vendors face structural challenges with NIS2 compliance. The US Cloud Act grants American authorities broad access to data held by US companies, regardless of where that data is physically stored. This creates tension with European data protection requirements and the Schrems II ruling that invalidated Privacy Shield.

For organisations evaluating their security stack, data sovereignty matters. Regulators expect clear answers about where data resides, who can access it and under what legal frameworks. European-headquartered vendors, like Jimber, avoid these jurisdictional complications entirely.

Transparent architecture also simplifies the compliance evidence process. When auditors ask how you control access to sensitive systems, a single management console with unified logging provides clearer answers than a collection of tools from different vendors with separate policy engines and log formats.

Practical scenario: a Belgian manufacturer

Consider a manufacturing company with 200 employees, three production sites and a network of industrial controllers managing production lines. They supply components to automotive OEMs who are themselves classified as Essential Entities under NIS2.

Their largest customer now requires annual security assessments and evidence of access controls. The IT team of four people manages everything from email to the HMI systems on the factory floor.

The traditional approach would involve separate solutions for remote access, web security, site connectivity and production network isolation. Multiple consoles, multiple policy languages, multiple log formats. When the customer’s auditor asks for evidence of least-privilege access controls, the IT team spends days compiling information from different systems.

A Unified SASE platform changes this equation. Zero Trust Network Access (ZTNA) replaces broad VPN connections with application-specific access tied to user identity. A Secure Web Gateway with Browser Isolation enforces consistent policies across all sites, ensuring ransomware cannot reach the endpoint. Network controllers connect production facilities with encrypted site-to-site links. Agentless devices like PLCs and HMIs sit behind inline network isolation (NIAC) that controls exactly what traffic they can send and receive.

All of this is visible in one console. When the auditor asks questions, the answers come from one place. Policy changes have clear audit trails. Access decisions are logged with user identity, device posture and timestamp.

The IT team of four can actually manage this. They are not spending their time correlating logs from five different systems or maintaining complex firewall rule sets that nobody fully understands anymore.

Building your NIS2 evidence package

  • Start with what auditors will ask for. Document your security measures, who approved them and when. Maintain clear records of board involvement in cybersecurity decisions. This includes meeting minutes, budget approvals and training records.

  • Map your supply chain and document how you assess supplier security. This does not require perfect information about every vendor, but it does require a process. Which suppliers have access to your systems or data? How do you evaluate their security posture? What contractual requirements do you impose?

  • Implement technical controls that generate the evidence you need. Centralised logging captures access decisions and policy changes. Identity-based access control demonstrates least-privilege principles. Device posture checks show that you verify endpoint security before granting access.

  • Test your incident response process. NIS2 imposes strict reporting timelines. You need to detect incidents quickly, assess their impact and report to authorities within 24 hours for significant events. Quarterly tabletop exercises help identify gaps before a real incident exposes them.
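The scenario above describes access decisions logged with user identity, device posture and timestamp, and the evidence package calls for controls that generate such records. The script below is an added illustration, not Jimber's code or any product's API: it evaluates identity- and posture-based access requests against a constructed least-privilege policy, writes one JSON audit line per decision, and rolls the decisions up into the per-application counts an auditor would ask for. The policy, posture requirements, user names and device identifiers are all constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed policy: each application lists the roles allowed to reach it.
# Least privilege means anything not listed is denied by default.
POLICY = {
    "erp-finance": {"finance"},
    "hmi-line-1": {"ot-engineer"},
    "mail": {"finance", "ot-engineer", "it"},
}

# Constructed posture requirements a device must satisfy before any access.
REQUIRED_POSTURE = {"disk_encrypted": True, "edr_running": True}


def evaluate(user, app, posture, now=None):
    """Decide one access request and return an audit record.

    Access is allowed only when the user's role is on the application's allow
    list and the device meets every posture requirement. Each failed check is
    recorded as a reason, so a denial is explainable to an auditor later.
    """
    now = now or datetime.now(timezone.utc)
    reasons = []
    allowed_roles = POLICY.get(app)
    if allowed_roles is None:
        reasons.append("unknown application")
    elif user["role"] not in allowed_roles:
        reasons.append(f"role '{user['role']}' not permitted for '{app}'")
    for check, expected in REQUIRED_POSTURE.items():
        if posture.get(check) != expected:
            reasons.append(f"posture check failed: {check}")
    return {
        "timestamp": now.isoformat(),
        "user": user["id"],
        "role": user["role"],
        "device": posture.get("device_id", "unknown"),
        "application": app,
        "decision": "deny" if reasons else "allow",
        "reasons": reasons,
    }


def audit_line(record):
    """Serialise one decision as a single JSON line for central log collection."""
    return json.dumps(record, sort_keys=True)


def evidence_summary(records):
    """Aggregate decisions per application: allow/deny counts plus how many
    denials were caused by a failed posture check."""
    summary = {}
    for r in records:
        entry = summary.setdefault(
            r["application"], {"allow": 0, "deny": 0, "posture_denies": 0}
        )
        entry[r["decision"]] += 1
        if any(reason.startswith("posture check failed") for reason in r["reasons"]):
            entry["posture_denies"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample requests: a compliant finance user, an OT engineer
    # trying the finance ERP, a finance user on an unencrypted laptop, and
    # the OT engineer reaching the HMI he is entitled to.
    fixed_time = datetime(2025, 1, 15, 9, 30, tzinfo=timezone.utc)
    healthy = {"device_id": "LAP-0042", "disk_encrypted": True, "edr_running": True}
    unencrypted = {"device_id": "LAP-0099", "disk_encrypted": False, "edr_running": True}
    requests = [
        ({"id": "alice", "role": "finance"}, "erp-finance", healthy),
        ({"id": "bob", "role": "ot-engineer"}, "erp-finance", healthy),
        ({"id": "alice", "role": "finance"}, "erp-finance", unencrypted),
        ({"id": "bob", "role": "ot-engineer"}, "hmi-line-1", healthy),
    ]
    records = [evaluate(u, a, p, fixed_time) for u, a, p in requests]
    for r in records:
        print(audit_line(r))
    print(json.dumps(evidence_summary(records), indent=2))
```

The point for the evidence package is in the record shape: every decision carries who, from which device, to which application, when, and why it was denied. Fed into one central log store, these lines answer the auditor's least-privilege question directly instead of being reconstructed from several consoles after the fact.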

FAQ

Does NIS2 apply to my organisation?

If you operate in the EU with more than 50 employees or €10 million turnover, and your sector falls under the expanded scope (energy, transport, banking, healthcare, digital infrastructure, manufacturing, food, waste, postal, chemicals, research), you likely qualify as an Essential or Important Entity.

What happens if we are not compliant?

Essential Entities face fines up to €10 million or 2% of global turnover, plus potential personal liability for board members. Important Entities face €7 million or 1.4% of turnover with ex-post supervision rather than proactive audits.

How does NIS2 affect our relationships with larger customers?

Large enterprises classified as Essential Entities must manage supply chain security risks. They will increasingly require suppliers to demonstrate compliance through assessments, certifications or contractual commitments. Non-compliant suppliers risk losing contracts.

Can we satisfy NIS2 with our existing ISO 27001 certification?

ISO 27001 provides a strong foundation but does not automatically satisfy all NIS2 requirements. The regulation has specific demands around incident reporting timelines, board accountability and supply chain risk management that may require additional measures like Zero Trust implementation.

What technical controls does NIS2 require?

The regulation calls for appropriate technical and organisational measures without prescribing specific technologies. In practice, auditors expect to see access control (ZTNA), logging, incident detection, network security and supply chain risk management. The key is demonstrating these controls exist, work as intended and have board oversight.

How do we handle OT and industrial systems under NIS2?

Production equipment often cannot run security agents but still requires protection. Inline Network Isolation creates a secure bridge between IT and OT environments, controlling exactly what traffic flows to and from industrial controllers without disrupting production operations.

Take the compliance conversation to your board

NIS2 makes cybersecurity a governance issue. Board members need to understand their personal exposure and the measures that protect both the organisation and themselves. A Unified SASE platform simplifies both implementation and the evidence trail that auditors expect.

Book a consultation to discuss how your organisation can demonstrate NIS2 compliance without adding operational complexity.
