
NIS2: what Balkan boards need to know.

April 2026 · 9-minute read · Virtual Era Cybersecurity Practice

The NIS2 directive is reshaping cybersecurity obligations for essential and important entities across the Western Balkans — with penalties large enough to concentrate board attention. This is a short, practical guide to what boards need to understand, separate from the implementation detail their CISOs will manage.

1. NIS2 is a governance obligation, not a technical one

The first thing to understand is that NIS2 is fundamentally a governance framework. The technical controls matter, but what the directive actually requires from the board is demonstrable oversight — documented decisions about cyber risk appetite, management accountability, and an ability to produce evidence that the organisation's cybersecurity posture is being actively managed.

In practice this means board-level cybersecurity risk reporting, quarterly at minimum, with a clear ownership chain. It means training for board members on cyber risk — not deep technical training, but enough to ask the right questions. And it means the board is accountable for the adequacy of the organisation's cyber governance, not just the IT function.

2. "Essential" and "important" entities — which are you?

NIS2 divides in-scope organisations into two categories. Essential entities (Annex I) include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Important entities (Annex II) include postal services, waste management, chemical manufacturing, food, manufacturing of certain products, digital providers, and research.

The distinction matters because the supervisory regime is different. Essential entities face proactive supervision — regulators may inspect on their own initiative. Important entities face reactive supervision — usually triggered by incidents. Both face the same control obligations; the difference is in enforcement intensity.

3. Supply chain is now in scope

One of the most operationally significant aspects of NIS2 is the supply-chain obligation. In-scope entities must assess the cybersecurity practices of their ICT suppliers, including at every level of the supply chain, and reflect those assessments in risk management. This is not a tick-box exercise — it requires genuine due diligence and documented decision-making about who to work with and on what terms.

For most boards, this is new territory. Expect questions from internal audit, expect regulators to ask for evidence, and expect the supplier conversation to change meaningfully. Supplier contracts now need cybersecurity clauses that stand up to supervisory scrutiny.

4. Incident reporting — the 24-hour, 72-hour, 1-month rhythm

NIS2 establishes a three-stage incident reporting obligation. Within 24 hours of becoming aware of a significant incident, the entity must issue an early warning. Within 72 hours, it must submit an incident notification with an initial assessment. Within one month, it must deliver a final report. Each stage has defined content requirements.

What this means operationally is that the incident-response process must be well rehearsed, legal and regulatory coordination must be pre-agreed, and the decision rights for "is this a significant incident?" must be clearly defined. Deciding that an incident is significant, and therefore triggers regulator notification, is not a technical decision; it is a legal and commercial one.

5. What should boards actually ask?

A practical list of questions boards should be able to get substantive answers to:

If the answers to these questions are not substantive, that is itself useful information for the board.

6. The cost of doing nothing

Penalties under NIS2 reach €10 million or 2% of global annual turnover — whichever is higher — for essential entities. For important entities, €7 million or 1.4%. These penalties are a material board-level risk even for mid-sized organisations.

But the operational exposure is larger. A significant incident without a credible response capability leads to extended disruption, reputational damage, customer and regulator loss of confidence, and — in worst-case scenarios — operational licence risk in regulated sectors. The NIS2 framework reduces this exposure if implemented genuinely; it does not help if implemented as a paper exercise.

The practical conclusion

NIS2 is expensive to implement and more expensive to ignore. Boards that treat it as a governance obligation — and invest accordingly — will find they not only comply but also materially reduce their exposure to incidents they would have faced anyway. Boards that treat it as a compliance exercise will discover the cost of the gap at the worst possible moment.

If you are a board member or executive in an essential or important entity, now is the time to ensure your NIS2 programme is led as a board topic, not just an IT project.