Leadership at Risk: Why Boards Can No Longer Ignore Cybersecurity
Cybersecurity Moves to the Boardroom: Preparing for Europe's New Digital Mandates
As the EU prepares to roll out its next phase of cybersecurity legislation, business leaders across Europe should brace for more than just compliance checklists. This is not merely about tighter rules or higher penalties. It’s about a profound shift in how cybersecurity is viewed: no longer a technical function relegated to IT departments, but a strategic, company-wide responsibility tied directly to competitiveness, trust, and long-term survival. For many boards and executive teams, this marks the beginning of a new era: cybersecurity as a boardroom issue.
From Optional to Operational
Under previous frameworks, many businesses, especially SMEs in non-technological domains, could treat cybersecurity as a secondary concern. The new legislation changes that. The NIS2 Directive, for instance, drastically expands the list of essential and important entities that must meet stringent risk management and reporting requirements. This means more companies in sectors like manufacturing, food, waste management, and digital infrastructure are now in scope. Furthermore, failure to comply doesn’t just risk reputational damage; it comes with fines of up to €10 million or 2% of global turnover. (1)
Elevating Accountability
One of the most significant changes is the increased personal accountability for top management. Boards and executives can no longer delegate responsibility to their IT teams. Instead, they are expected to take an active role in understanding and governing cybersecurity risk. Under NIS2, executives, including CEOs and boards, can be held personally liable for cybersecurity failures.
Regulators now expect leaders to:
• Understand cyber risk in the context of overall business strategy
• Personally oversee incident response preparedness
• Approve and fund adequate cybersecurity programs
• Ensure continuous risk management across the value chain
As a result, we’ll see rising demand for executives with strong digital and cyber acumen, even outside the CISO role.
Costs Today, Value Tomorrow
Responding to the legislation will require investment. Companies will need to invest in new technologies, workforce training, third-party audits, and incident response capabilities. Boards will be expected to have cyber-literate members who understand digital risk at a strategic level. But these investments should be seen not just as costs, but as necessary infrastructure, no different from ensuring workplace safety or financial solvency. In an increasingly digital economy, your ability to secure data and systems is your license to operate.
What's Next?
The winners will be companies that embed cybersecurity into their core strategy, equip their leadership with the right capability, and view these directives not as a box-ticking exercise, but as a springboard for innovation and long-term resilience. Cybersecurity is no longer something you hire for. It’s something you hire around.
Whether supporting established industry leaders or emerging innovators, we provide tailored leadership solutions that empower organizations to stay ahead of the curve, foster innovation, and seize new opportunities in an increasingly complex global landscape.
Connect with our Cyber Security and Digital Risk Practice to explore how our leadership expertise can help you navigate the shifting cybersecurity landscape—and turn risk into strategic advantage.