The EU’s NIS 2 Directive and Board Duties: From Caremark to “Cybermark”?

By Maria Lucia Passador

I. Executive Overview and Legislative Purpose

In today’s economy, digital trust is capital. Yet it is eroded daily by ransomware and supply-chain breaches. Europe’s response is Directive (EU) 2022/2555—better known as NIS 2—the most ambitious cybersecurity framework ever enacted.

NIS 2 marks a turning point: it moves cybersecurity from the server room to the boardroom. Replacing and expanding the original NIS Directive, it widens the range of covered sectors, strengthens risk-management and reporting obligations, and arms regulators with sharper supervisory and enforcement tools. Its legislative purpose is unmistakable—to end the patchwork of national regimes that left Europe unevenly protected.

By replacing the narrower dichotomy of “operators of essential services” and “digital service providers” with a unified framework for “essential” and “important” entities, the Directive extends its reach across the connective tissue of the European economy.

This broadened scope is constitutional in effect. It signals the EU’s assertion that cybersecurity is no longer a sectoral or national concern but a precondition for the functioning of the internal market and for the legitimacy of its digital transformation. NIS 2 introduces a uniform size-cap rule, ensuring that all medium or larger entities in the listed sectors—and, where societal impact demands, even smaller ones—fall within its regulatory perimeter. This sharply reduces Member State discretion in identifying covered entities, curbing the fragmentation that had previously undermined the original NIS Directive.

Jurisdictionally, NIS 2 advances the EU’s strategy of regulatory consolidation and projection. Entities are governed by the law of their place of establishment, while non-EU providers must appoint an EU representative. The implication is twofold: first, it prevents regulatory arbitrage by ensuring that all providers offering services to the EU are subject to equivalent cybersecurity obligations; second, it extends the EU’s normative reach beyond its borders, reinforcing the EU’s ambition to act as a global rule-setter in digital governance.

II. Governance and Leadership Accountability

NIS 2 expressly elevates cybersecurity to the boardroom. Boards and equivalent management bodies must approve the entity’s cybersecurity risk-management measures and oversee their implementation. They can also be held liable under national law for infringements of the risk-management obligations. This moves cybersecurity from a purely operational risk to a governance-level fiduciary exposure, aligning with modern conceptions of risk oversight in enterprise law and finance. In doing so, NIS 2 links EU digital policy directly to the evolution of fiduciary accountability.

In corporate-law terms, NIS 2 resembles Europe’s attempt to codify Caremark. Under Delaware law, the duty of oversight obliges directors to ensure that information and reporting systems are “reasonably designed” to bring compliance red flags to the board’s attention. NIS 2 goes further. It removes discretion and replaces it with prescriptive obligations. Boards are required to oversee specific, technically detailed measures, from incident handling and supply-chain security to multi-factor authentication and encryption. The standard shifts from “reasonably designed” to mandated and reviewable compliance architecture.

That shift has two consequences. First, it raises the bar on the duty of care for European directors, in ways reminiscent of Marchand v. Barnhill (2019), where oversight of “mission-critical” risks was treated as non-delegable. Second, it creates a comparative benchmark likely to influence U.S. cyber-oversight litigation. As plaintiffs continue to test the limits of Caremark, NIS 2 offers a live regulatory experiment in what mandatory cyber-oversight looks like when written directly into law.

Entities must adopt proportionate, state-of-the-art security measures spanning technical, operational, and organizational domains, calibrated to their threat landscape and systemic relevance. Supply-chain due diligence becomes central, translating proportionality into concrete governance expectations. Cyber-resilience is no longer aspirational.

III. Supervision, Enforcement, and Penalties

NIS 2 differentiates supervision to balance burdens: essential entities are subject to both preventive and reactive oversight, while important entities face ex post measures, generally triggered by indications of non-compliance. Authorities may conduct inspections or audits and impose binding instructions or fines. NIS 2 translates risk-based, multi-level governance into concrete enforcement architecture.

To avoid double punishment, where GDPR sanctions have already been imposed for the same conduct, NIS enforcement is limited to non-monetary measures. The Directive also mandates cooperation among supervisory frameworks—most notably between NIS, DORA, and the Critical Entities Resilience regime—aligning oversight and preventing regulatory fragmentation.

Member States must designate competent authorities and a single point of contact, ensure adequate resources, and maintain crisis-management frameworks supported by Computer Security Incident Response Teams (CSIRTs). The result is a layered system of supervision.

IV. Corporate-Law Lens: Board Duties, Liability, and Enterprise Governance

NIS 2 transforms cybersecurity from a technical discipline into a test of corporate governance capacity. By requiring boards to approve and oversee cybersecurity programs—and by attaching personal and entity-level liability for lapses—the Directive embeds digital risk within the fiduciary architecture of the enterprise. Governance under NIS 2 thus becomes a matter of structure, culture, and traceability. Oversight must be institutionalized through dedicated committees, regular briefings, and documented training that sustain the tone from the top.

Sanctions amplify this shift. Because fines are calculated on the basis of group turnover, parent companies become directly exposed to the failures of their subsidiaries, a functional extension of the group liability principle into cybersecurity law. More strikingly, regulators may temporarily suspend individual directors or officers of essential entities from exercising managerial functions until deficiencies are remedied. In U.S. corporate law, such direct interventions into board composition are exceptional; accountability usually flows through derivative litigation or enforcement by the SEC or DOJ. By contrast, the European model empowers administrative regulators to act as quasi-corporate governors, able to reshape governance in real time. This reflects a broader divergence in regulatory philosophy. What is at stake, therefore, is not only compliance, but the emergence of a European fiduciary model in which public law instruments internalize private governance standards.

This hybridization blurs the traditional boundary between regulation and management. Under the Directive, fiduciary duty shifts from the reasonableness of decisions to the verifiability of compliance. Traceability, documentation, and escalation mechanisms become central to lawful management.

The same transformation extends to the supply chain. NIS 2 converts third-party vigilance from best practice into a legal obligation and, effectively, a corporate-law duty. Boards must ensure that due diligence, contractual covenants, and risk allocation mechanisms are embedded in supplier relationships. Incident-reporting timelines further illustrate the convergence of legal compliance and governance behavior. Directors must ensure that the enterprise can act within the law’s clocks, authorizing prompt notification to regulators and coordinated communication under stress. Yet hesitation persists, driven by reputational concerns, a pattern mirrored on both sides of the Atlantic, though the liability triggers differ: in the U.S., exposure arises from omissions in market disclosure; in Europe, from breaches of mandatory notification. Under NIS 2, transparency under pressure becomes a fiduciary act.

V. Conclusion

NIS 2 is not merely a cybersecurity directive. Its core innovation lies in fusing technical compliance with fiduciary accountability, transforming cybersecurity from a peripheral IT concern into a constitutive element of lawful management. By tying board-level liability to prescriptive controls, mandatory reporting timelines, and auditable oversight, the Directive requires companies to institutionalize cybersecurity as they once did with workplace safety.

For corporate lawyers, the task is architectural. This entails anticipating jurisdictional coordination, aligning registry obligations and supervisory interfaces, and harmonizing due diligence across supply chains, all under the shadow of administrative fines tied to group turnover. In essence, NIS 2 calls for a pan-European grammar of corporate accountability. Beyond Europe’s borders, NIS 2 acts as a global rule setter. Like the GDPR, it exports not just compliance obligations but a philosophy of governance—where cybersecurity becomes a precondition for market legitimacy.

Across the Atlantic, a Delaware judge would likely read NIS 2 as a mirror held up to American practice. Yet it is Europe that has positioned the mirror. Where U.S. cyber-oversight evolves through litigation, Europe legislates oversight directly. The two traditions now converge on the same insight: both recognize cybersecurity as a core fiduciary obligation and a measure of good governance.

By articulating cyber-governance through law rather than litigation, Europe has begun to export not merely rules, but a philosophy of accountability that others are learning to emulate. This, ultimately, is the essence of Europe’s project—to turn its internal regulatory grammar into the lingua franca of lawful governance in the digital age.