NIS2: Your Board Can't Hide Behind the CISO – ACN FAQ Drop the Mic
Table of Contents
Board, Meet Your New Full-Time Job: Cyber Security
If you thought hiring a CISO was your NIS2 ticket to ride, think again. The Italian Cybersecurity Agency (ACN) just dropped a fresh set of FAQs that make one thing crystal clear: the board's responsibility for cyber security is non-delegable. You can outsource the operational grind, but the ultimate accountability? That stays firmly in the boardroom.
Featured Snippet Bait: Under NIS2, the board of directors retains ultimate responsibility for cyber security, even if a CISO is appointed. Operational tasks can be delegated, but governance and oversight cannot.
What the ACN Actually Said
The FAQs, published on the ACN website, address a common misconception: that naming a Chief Information Security Officer (CISO) ticks the compliance box. Not so. The board must actively govern and supervise cyber security, ensuring policies, risk management, and incident response are in place. Think of it like a restaurant: the head chef runs the kitchen, but the owner is still liable if someone gets food poisoning.
It's a bit like delegating your taxes to an accountant – you still go to jail if they mess up. So, no pressure.
Why This Matters for Your Compliance
NIS2 applies to a broad range of sectors – energy, transport, banking, health, digital infrastructure, and more. The penalties for non-compliance are steep: up to €10 million or 2% of global annual turnover. The ACN's clarification means boards can no longer plead ignorance or claim they 'trusted the IT guy'.
Boards need to roll up their sleeves and ask tough questions: Do we have a cyber risk register? How often do we test our incident response? Are we training employees? If the answer is 'I'll get back to you', you're already behind.
Practical Steps for Boards
- Formalize governance: Assign cyber security as a standing board agenda item.
- Demand metrics: Require regular reports on threat landscape, vulnerabilities, and incident trends.
- Invest in training: Ensure directors understand basic cyber risks – no more 'I'm not technical' excuses.
- Review insurance: Check that your cyber insurance covers NIS2 penalties (spoiler: most don't).
For the full legal text, see the NIS2 Directive on EUR-Lex.
FAQ
Can the board delegate cyber security to a CISO?
No. Operational tasks can be delegated, but the board retains ultimate responsibility for governance and oversight. The ACN FAQs explicitly state that appointing a CISO does not discharge the board's obligations.
What are the penalties for non-compliance with NIS2?
Penalties can reach up to €10 million or 2% of the company's total annual worldwide turnover, whichever is higher. Individual liability for directors may also apply under national law.
Do all companies need to comply with NIS2?
NIS2 applies to medium and large companies in critical sectors (energy, transport, banking, health, digital infrastructure, etc.) and certain large companies in other sectors. Check the directive's scope for exact thresholds.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings

Mandatory Arbitration Clauses: The Hidden Trap in Software Contracts That Strips Your Right to Sue

New Jersey's Independence Day Surprise: A Costly New Data Broker Law That's No Firework

Do I Really Have to Pay the ICO Data Protection Fee? (And What Happens If I Don't)
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now