
NIS2 and joint and several liability: what public-sector directors should and should not fear

Published on June 5, 2026

Note: this article is general knowledge-base information and not legal advice.

Introduction

NIS2 raises the same question at many public organisations: will directors soon become personally or even jointly and severally liable when cybersecurity falls short? That question is understandable, but it mixes up two things you should keep sharply apart. The formal cybersecurity legislation (NIS2 and the Dutch Cybersecurity Act) imposes obligations on the organisation and its board: approving measures, overseeing implementation and having sufficient knowledge to assess cyber risks. The political and administrative accountability — answering to the council, provincial assembly or parliament when things go wrong — runs through the existing national frameworks and does not fundamentally change under NIS2. Whoever conflates these two tracks overestimates the legal risk and underestimates the governance risk.

Even so, the concept of joint and several liability deserves nuance, certainly for public-sector directors. NIS2 does not introduce a general, automatic joint and several liability for every mayor, alderman, provincial executive, water-authority chair, director or government official. For public-sector bodies, national law on the liability of public institutions, civil servants and elected or appointed officials remains decisive. Digitale Overheid (the Dutch digital government programme) states this explicitly: NIS2 brings no new liabilities for government directors beyond what already existed, although liability may already exist in cases such as gross negligence.

The core message is therefore not that every public-sector director becomes personally financially liable for every cyber incident. The core message is that board-level responsibility must be given demonstrable substance. A director who has no view of the risks, has taken no appropriate measures and holds no evidence of follow-up is in a weaker position from a governance and regulatory perspective.

Three actions you as a director must take in any case:

  1. Complete the mandatory cybersecurity training and keep your knowledge current — NIS2 requires directors to be able to assess cyber risks and control measures themselves.
  2. Explicitly approve the security measures and record that decision — approval is a statutory board task that you cannot leave to the CISO or IT.
  3. Organise demonstrable oversight of implementation — a fixed reporting rhythm on risks, remediation and outstanding items, with a traceable record of what was decided and verified.

What does NIS2 say about director liability?

Article 20 of the NIS2 directive forms the heart of the governance obligation. The management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for the entity's infringements of Article 21. Article 21 contains the duty of care: appropriate and proportionate technical, operational and organisational measures to manage risks to network and information systems and to prevent or limit the impact of incidents.

"Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article." — NIS2, Article 20.

For public-sector directors, the second sentence of Article 20(1) is especially important. The directive provides that this governance obligation is without prejudice to national law on the liability of public institutions, public officials and elected or appointed office-holders. This means that the Dutch implementation and existing administrative-law, civil-service-law, civil-law and political accountability mechanisms remain decisive for the concrete question of liability.

Topic | What NIS2 makes clear | What this means in practice
--- | --- | ---
Approval of measures | The board must approve cybersecurity measures. | Cybersecurity belongs at the board table, not only with IT.
Oversight of implementation | The board must oversee implementation. | There must be reporting, escalations and progress decisions.
Training obligation | Directors must build up knowledge and skills. | Cyber risks must be understood and assessed at board level.
Liability | Management bodies can be held liable for infringements. | For public-sector directors, the national liability context remains decisive.
Demonstrability | NIS2 effectively requires demonstrable risk management. | Organisations must be able to show records, decisions, measurements and follow-up.

Public sector: no panic, but responsibility

Digitale Overheid provides an important clarification for public-sector bodies. According to this guidance, the liability provision of the NIS2 directive does not apply directly to government bodies, because the directive states that national law on the liability of civil servants and elected or appointed government officials is not affected.

That does not mean public-sector directors have nothing to do. On the contrary. Municipalities, provinces, water authorities and central government are named in the Digitale Overheid guidance as entities designated under NIS2 as essential entities. The size criteria that apply to many private sectors do not apply to government bodies. For public organisations, existing accountability structures such as the BIO (Baseline Informatiebeveiliging Overheid, the government information-security baseline) and ENSIA (Eenduidige Normatiek Single Information Audit, the municipal single-audit framework) are moreover taken into account, with the aim of aligning oversight as much as possible with existing accountability information.

The message is therefore twofold. There is no reason for legal panic about automatic joint and several liability. There is every reason to organise board-level cyber care demonstrably. Directors cannot hide behind the CISO or IT department. The National Coordinator for Counterterrorism and Security (NCTV) states explicitly that the CISO supports the board, but cannot and may not take over the formal ultimate responsibility.

The Dutch Cybersecurity Act: directors must be able to participate

The NIS2 directive is being transposed in the Netherlands into the Dutch Cybersecurity Act (Cyberbeveiligingswet). The NCSC writes that the NIS2 directive was adopted at the end of 2022 and is aimed at strengthening the digital and economic resilience of European member states; the directive is being transposed into the Dutch Cybersecurity Act, which will replace the current Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni).

The NCTV makes clear what this means at board level. Under the Cybersecurity Act, cybersecurity is no longer seen as a technical matter, but as a topic for the entire organisation. The board is responsible for policy and compliance, must have demonstrable knowledge and skills regarding risks to network and information systems, must have insight into risks and take appropriate measures, and must speak regularly with the CISO.

Board-level obligation | Practical implementation | Evidence that must be available
--- | --- | ---
Build up knowledge | Board training, periodic updates and CISO conversations. | Certificates, agendas, minutes and decisions.
Understand risks | Insight into critical processes, assets, suppliers and threats. | Risk register, asset overview, supply-chain analysis and threat picture.
Approve measures | Decision-making on duty-of-care measures, budget and priorities. | Board decisions, justification, risk appetite and exceptions.
Oversee implementation | Periodic reporting on progress, vulnerabilities and incidents. | Dashboards, remediation SLAs, audit trail and escalations.
Continuously improve | Re-checking after incidents, audits and scans. | Improvement plans, re-scans, lessons learned and management reviews.

For directors, the word demonstrable is especially important. Not every organisation has to take the same measures, but every organisation must be able to explain why the chosen measures are appropriate and proportionate. Without up-to-date facts about the digital attack surface, vulnerabilities, supplier dependencies and remediation status, that explanation stands on weak ground.

The public-sector cybersecurity duty of care: from policy to measurable control

Article 21 of NIS2 obliges organisations to take appropriate and proportionate measures. The directive mentions, among other things, risk analysis, security policy, incident handling, business continuity, supply-chain security, security in acquisition, development and maintenance, policy for measuring effectiveness, cyber hygiene, training, cryptography, personnel security, access control, asset management, multi-factor authentication and secure communication.

The Rijksinspectie Digitale Infrastructuur (RDI, the Dutch Digital Infrastructure Inspectorate) emphasises that risk management under the Cybersecurity Act requires an integrated and continuous approach. Organisations must map risks, choose solutions, regularly check whether those solutions work and adjust where necessary. Supply-chain risks and supplier dependency must also be an explicit part of the risk analysis and the cybersecurity policy.

For public-sector directors, this is relevant because public service delivery is becoming increasingly dependent on digital supply chains. Municipalities, provinces and water authorities are not only responsible for internal office automation. They manage digital service desks, data flows, case- and document-management systems, connections to national facilities, supplier portals and sometimes operational technology. A vulnerability in an externally visible system can therefore have board-level consequences for continuity, privacy, trust and service delivery.

Why vulnerability evidence is relevant at board level

A board can only oversee cybersecurity when the information is reliable, up to date and understandable. A policy document or annual audit is insufficient for this. Cyber risk changes daily. New services come online, suppliers adjust configurations, vulnerabilities are published and threat actors automate their reconnaissance.

Evidence-first vulnerability monitoring helps public organisations make that dynamic governable. The essence is that every finding is not only registered technically, but also linked to context, owner, priority, decision and re-check. That makes the difference between "we scanned once" and "we can demonstrate what our current risk picture is and what we are doing about it".

Board-level risk | Without demonstrable monitoring | With evidence-first monitoring
--- | --- | ---
Unknown attack surface | Forgotten domains, test environments or open services remain out of view. | New or anomalous external assets become visible more quickly.
Insufficient prioritisation | Teams work on low risks while critical exposure persists. | Findings are prioritised by severity, exposure and context.
Weak accountability | The board cannot substantiate which choices were made. | Decisions, exceptions and remediation actions are traceable.
Supply-chain uncertainty | Supplier risks only become visible during incidents. | External dependencies can be structurally included in the risk picture.
Audit or regulatory pressure | Information must be reconstructed after the fact. | The burden of evidence is already built up during the process.

Exposentry aligns with this by approaching vulnerability monitoring as a forensically substantiated process. The goal is not to have directors manage technical details, but to give them reliable management information. The CISO or security lead remains the substantive advisor; the board receives the evidence it needs to make choices and exercise oversight.

What should be on the board table?

An effective board discussion about NIS2 is not about hundreds of individual vulnerabilities. It is about trend, priority, residual risk and decision-making. The NCSC advises directors to discuss with the CISO: security culture, knowledge, responsibility, board agenda, risk assessment, risk treatment, continuous in control, and laws and regulations.

For public organisations, a fixed quarterly report is often a useful rhythm. For major incidents, critical vulnerabilities or board-level risk acceptance, escalation must take place more quickly. The report does not have to be long, but it must be consistent.

Board-report component | Example question
--- | ---
Current attack surface | Which new or unknown external assets have been discovered?
Critical vulnerabilities | Which findings affect essential service delivery or sensitive data?
Remediation status | Which risks have been resolved within SLA and which have not?
Risk acceptance | Which risks are we accepting temporarily, why and until when?
Supply-chain risks | Which suppliers or connections require board-level attention?
Incident readiness | Have backup, incident response and continuity plans been tested?
Evidence position | Can we demonstrate what was found, decided, carried out and re-checked?
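To show what "evidence-first" looks like once it is more than a phrase, here is an added example of how a findings register in which every finding carries an owner, a decision, an acceptance end date and a re-check date can be turned directly into the remediation-status, risk-acceptance and evidence-position figures asked for above. It is illustration code written for this article, not Exposentry or OpenKAT code; the field names, the SLA days per severity, the report date and the five sample findings (with fictitious hostnames and team names) are constructed assumptions.

```python
"""Evidence-first findings register and the board summary derived from it.

Added example, not Exposentry or OpenKAT code. Field names, SLA days, the
report date and the sample findings below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed remediation SLA per severity: days allowed after the finding was opened.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed reporting date for the example report.
REPORT_DATE = date(2026, 6, 5)


@dataclass
class Finding:
    """One vulnerability finding with the context the board needs to see."""
    finding_id: str
    asset: str
    severity: str                          # key of SLA_DAYS
    opened: date
    owner: Optional[str] = None            # who is accountable for follow-up
    decision: Optional[str] = None         # "remediate", "accept" or None (not decided)
    accepted_until: Optional[date] = None  # end date of a temporary risk acceptance
    resolved: Optional[date] = None        # when the fix was reported done
    rechecked: Optional[date] = None       # when the fix was verified by a re-scan


def sla_deadline(f: Finding) -> date:
    """Date by which the finding should have been remediated."""
    return f.opened + timedelta(days=SLA_DAYS[f.severity])


def evidence_gaps(f: Finding) -> List[str]:
    """Return the parts of the evidence chain that are missing for this finding."""
    gaps = []
    if not f.owner:
        gaps.append("no owner")
    if f.decision is None:
        gaps.append("no recorded decision")
    if f.decision == "accept" and f.accepted_until is None:
        gaps.append("risk accepted without an end date")
    if f.resolved is not None and f.rechecked is None:
        gaps.append("resolved but not re-checked")
    return gaps


def board_summary(findings: List[Finding], today: date) -> Dict:
    """Aggregate a findings list into the figures a quarterly board report asks for."""
    summary = {
        "open": 0,
        "overdue": [],             # open findings past their SLA deadline
        "resolved_within_sla": 0,
        "resolved_late": 0,
        "accepted_expired": [],    # accepted risks whose end date has passed
        "evidence_gaps": {},       # finding_id -> list of missing evidence
    }
    for f in findings:
        gaps = evidence_gaps(f)
        if gaps:
            summary["evidence_gaps"][f.finding_id] = gaps
        if f.decision == "accept":
            # Accepted risks are not remediation work, but acceptance must be time-bound.
            if f.accepted_until is not None and f.accepted_until < today:
                summary["accepted_expired"].append(f.finding_id)
            continue
        if f.resolved is None:
            summary["open"] += 1
            if today > sla_deadline(f):
                summary["overdue"].append(f.finding_id)
        elif f.resolved <= sla_deadline(f):
            summary["resolved_within_sla"] += 1
        else:
            summary["resolved_late"] += 1
    return summary


def sample_findings() -> List[Finding]:
    """Constructed sample register; hostnames and team names are fictitious."""
    return [
        Finding("F-001", "portal.example.gemeente", "critical", date(2026, 5, 20),
                owner="web-team", decision="remediate",
                resolved=date(2026, 5, 25), rechecked=date(2026, 5, 26)),
        Finding("F-002", "vpn.example.gemeente", "high", date(2026, 4, 1),
                owner="infra-team", decision="remediate"),
        Finding("F-003", "test.example.gemeente", "medium", date(2026, 5, 1)),
        Finding("F-004", "legacy-api.example.gemeente", "low", date(2026, 1, 10),
                owner="app-team", decision="accept", accepted_until=date(2026, 5, 31)),
        Finding("F-005", "mail.example.gemeente", "high", date(2026, 3, 1),
                owner="infra-team", decision="remediate", resolved=date(2026, 4, 10)),
    ]


def example_report() -> Dict:
    """Board summary for the constructed sample register on the assumed report date."""
    return board_summary(sample_findings(), REPORT_DATE)


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

Run on the sample register, the report shows two open findings, one of them (F-002) past its SLA, one fix verified within SLA, one fix delivered late, an accepted risk (F-004) whose end date has passed, and two findings with broken evidence chains: F-003 has no owner and no recorded decision, and F-005 was marked resolved but never re-checked. Those last two rows are exactly what a regulator or auditor will ask about; a register that only records severity and status cannot surface them.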

The board does not have to become a technical panel in the process. It does need sufficient knowledge to ask the right questions, weigh priorities and make decisions about money, capacity and risk appetite.

Conclusion: preventing liability starts with demonstrability

For public-sector directors, NIS2 is no reason to panic about automatic joint and several liability. The directive leaves national rules on the liability of public institutions, civil servants and elected or appointed officials intact. Digitale Overheid moreover confirms that NIS2 introduces no new liabilities for government directors beyond what already existed.

But that nuance must not be read as a free pass. NIS2 and the Cybersecurity Act make cybersecurity emphatically a board-level matter. Directors must understand risks, approve measures, oversee implementation, follow training and stay demonstrably in dialogue with the CISO.

That is why the real question is not: "Will I soon be jointly and severally liable?" The better question is: "Can I demonstrate that we know our cyber risks, have chosen appropriate measures and check follow-up?" How to organise that demonstrability step by step is covered in the NIS2 roadmap for public-sector boards.

Exposentry helps public organisations with the latter. By monitoring the digital attack surface and vulnerabilities evidence-first, the factual basis for board-level cyber care is created: current, traceable and suitable for dialogue between board, CISO, auditor and regulator.

Sources

  1. EUR-Lex, Directive (EU) 2022/2555, Article 20 — eur-lex.europa.eu
  2. Digitale Overheid, "Veelgestelde vragen Cyberbeveiligingswet" — digitaleoverheid.nl
  3. EUR-Lex, Directive (EU) 2022/2555, Article 21 — eur-lex.europa.eu
  4. NCTV, "Bestuurlijke verantwoordelijkheid en trainingsplicht voor bestuurders" — nctv.nl
  5. NCSC, "Over de Cbw" — ncsc.nl
  6. Rijksinspectie Digitale Infrastructuur, "Risicomanagement en cyberbeveiliging" — rdi.nl
  7. NCSC, "Vragen die je als bestuurder kunt stellen aan de CISO" — ncsc.nl

Written by Edward Hasekamp, founder of Exposentry and core maintainer of the open-source OpenKAT project. See the project on GitHub and the profile at github.com/hasecon. Exposentry provides NL-sovereign, forensically substantiated vulnerability monitoring based on OpenKAT.