Cybersecurity finally has a seat in the boardroom. Ivanti’s 2025 State of Cybersecurity research shows that:

  • 89% of organizations now discuss cybersecurity at the board level.
  • 81% of organizations have at least one director with cyber expertise.
  • 88% of organizations include the CISO in strategic meetings.

On paper, that's progress. But many organizations struggle to convert board-level attention into sustained, measurable risk reduction.

Ivanti's data exposes the crux of the problem: only 40% of security teams say risk exposure is communicated to executives "very effectively". That is a governance gap, and under the EU's NIS2 Directive it carries legal and financial consequences.

Let’s take a deeper look at the data from Ivanti’s 2025 State of Cybersecurity Report to see what it tells us — and how to turn those insights into NIS2-ready governance.

Why NIS2 changes everything about cybersecurity risk management

NIS2 broadens the EU's cybersecurity regime to 18 sectors, tightens supervision and, most consequentially, assigns direct accountability to the management body. Under Article 20, boards and senior leaders must approve the cybersecurity risk-management measures, oversee their implementation and can be held liable for infringements; in practice that means ensuring the measures are appropriate to the risks and effective, not merely documented.

Failure carries consequences: audits, binding instructions and administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities (€7 million or 1.4% for important entities). In serious cases, supervisors can temporarily prohibit individuals with management responsibility from exercising those functions, and management body members can be held personally liable under national law.

Rather than a one-size-fits-all checklist, NIS2 expects organizations to prove they manage risk across the lifecycle. Article 21(2) lists the minimum measures: risk analysis and information system security policies; incident handling; business continuity, backup and crisis management; supply chain security; secure acquisition, development and maintenance, including vulnerability handling and disclosure; assessing the effectiveness of the measures; cyber hygiene and training; cryptography; human resources security and access control; and multi-factor authentication and secured communications. Article 21(1) requires that these measures take the state of the art into account and be proportionate to the entity's exposure and to the impact an incident would have.

Why boards struggle — and what’s at stake

When risk is translated into dashboards of CVE counts, patch rates and tool inventories, the business impact is obscured and the board misses the CISO's key points.

Ivanti’s findings crystallize the disconnect: the conversation is happening, yet few feel exposure is conveyed in a way executives can act upon. The result is misguided prioritization, diffuse budgets and latent exposures that go unaddressed — precisely the scenario NIS2 seeks to prevent.

When things go wrong, costs mount fast. Operational disruption from ransomware, reputational damage, escalating legal exposure and recovery bills often dwarf any administrative fine. With NIS2, ignorance is not a defense: effective governance requires comprehension, communication and follow-through.

Top cybersecurity risks that demand board attention

Ivanti’s research highlights where organizations are least prepared and most exposed:

  1. Ransomware and AI
  2. End-of-life technology
  3. Supply chain security
  4. Blind spots (e.g., shadow IT)

Each risk below maps to NIS2’s governance expectations. Read on to learn about the threat they pose and how to do better in practice.

1. Ransomware + AI: The perfect storm

The reality from Ivanti’s research: Ransomware still dominates the 2025 threat landscape — and the stakes are rising. Over a third of security professionals (38%) believe AI will make attacks more dangerous, yet only 29% feel very prepared to respond.

This gap reflects a familiar pattern: adversaries accelerate with automation while defenders wrestle with fragmented telemetry, manual processes and untested response playbooks.

How supervisors judge readiness: Under NIS2, resilience cannot be theoretical. Regulators expect response and crisis plans that have been exercised, continuity and recovery targets that are met in practice and preventive controls aligned to business impact (especially identity and patching for critical systems).

When a significant incident hits, the standard is clear. Article 23 requires an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, intermediate updates on request and a final report within one month. Supervisors also expect visible command of the situation from containment through recovery.

Raise your security posture: Treat ransomware as a recurring business risk, not a rare IT event. Rehearse the first 24–72 hours with top leadership, legal and communications so you can make fast, defensible decisions and produce the evidence a supervisor will ask for.

Don’t just cycle backups — prove restorability of priority services under realistic constraints; tie RTO/RPO directly to revenue and safety. For prevention, orient around exposure: harden and patch critical assets and reduce blast radius with strong authentication, segmentation and least privilege.

When the board asks for assurance, answer in outcomes: “order-to-cash restored in X hours, confirmed quarterly; stakeholder comms aligned to NIS2’s staged reporting.”

2. End-of-life technology: A compliance time bomb

The reality from Ivanti’s research: Over half (51%) of organizations continue to run end-of-life (EOL) software, and one in three organizations say their security is seriously compromised by legacy tech. These legacy blind spots create systemic risk and undermine any claim to state-of-the-art security.

How supervisors judge readiness: NIS2 does not dictate versions, but it does hold you to the principles of appropriateness and state of the art. That means:

  • You know where EOL sits.
  • You have a plan to retire it.
  • You mitigate risk while it stays and you decommission securely — including sanitizing data — when it exits service.

Under Article 21, keeping unsupported tech in production without timeboxed, documented mitigations is hard to defend as proportionate risk management.

Raise your security posture: Move EOL from backlog item to board-owned exposure.

  • Maintain a live inventory that flags every product whose vendor support ends within the next twelve months.
  • Align the retirement path with business owners.
  • Where delay is unavoidable, approve temporary isolation on the network, restricted access and enhanced monitoring — with clear end dates.
  • Close the loop with verifiable data sanitization and auditable records at disposal.

Most importantly, price the risk: “This legacy platform drives X% of revenue; extending nine months adds €Y expected loss unless we isolate and monitor it as follows...”
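The inventory discipline described above (know where EOL sits, flag it a year ahead, accept it only with complete, timeboxed compensating controls) can be enforced as a review routine. The following is an added example written for this page, not code from Ivanti or from any NIS2 guidance; the twelve-month warning window, the three required compensating controls (network isolation, restricted access, enhanced monitoring, taken from the list above) and the sample inventory are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical governance thresholds (assumptions for this example, not from the report or NIS2).
WARN_WINDOW = timedelta(days=365)   # flag products whose vendor support ends within a year
# Compensating controls the text expects while an EOL system stays in production.
REQUIRED_CONTROLS = frozenset({"network-isolation", "restricted-access", "enhanced-monitoring"})


@dataclass(frozen=True)
class Mitigation:
    controls: frozenset       # compensating controls actually in place
    approved_by: str          # accountable approver (board member or business owner)
    expires: date             # hard end date; open-ended mitigations are not accepted


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    business_owner: str
    eol: Optional[date]       # vendor end-of-support date; None means it was never recorded
    mitigation: Optional[Mitigation] = None


def support_status(asset: Asset, today: date) -> str:
    """Classify an asset by vendor support status as of `today`."""
    if asset.eol is None:
        return "unknown-support"
    if asset.eol <= today:
        return "eol"
    if asset.eol - today <= WARN_WINDOW:
        return "eol-within-12-months"
    return "supported"


def review_eol(assets, today: date) -> dict:
    """Return {asset name: finding} for everything that needs a decision or evidence.

    Fully supported assets are omitted; every other state maps to an action an
    accountable owner must take or a record the organization must be able to show.
    """
    findings = {}
    for a in assets:
        status = support_status(a, today)
        if status == "supported":
            continue
        if status == "unknown-support":
            findings[a.name] = "unknown-support: record the vendor support date"
        elif status == "eol-within-12-months":
            findings[a.name] = (f"retirement-due: support ends {a.eol.isoformat()}, "
                                f"owner {a.business_owner} to approve retirement path")
        else:  # already out of support: a mitigation must exist, be complete and be timeboxed
            m = a.mitigation
            if m is None:
                findings[a.name] = "eol-unmitigated: no approved compensating controls"
            elif m.expires <= today:
                findings[a.name] = (f"eol-mitigation-expired: approval by {m.approved_by} "
                                    f"lapsed on {m.expires.isoformat()}")
            elif not REQUIRED_CONTROLS <= m.controls:
                missing = ", ".join(sorted(REQUIRED_CONTROLS - m.controls))
                findings[a.name] = f"eol-mitigation-incomplete: missing {missing}"
            else:
                findings[a.name] = (f"eol-accepted: isolated and monitored until "
                                    f"{m.expires.isoformat()} (approved by {m.approved_by})")
    return findings


# Constructed sample inventory (not real assets), reviewed as of 2025-09-01.
TODAY = date(2025, 9, 1)
ALL_CONTROLS = frozenset(REQUIRED_CONTROLS)
INVENTORY = [
    Asset("erp-db-01", "Legacy RDBMS 11", "finance", date(2024, 3, 31),
          Mitigation(ALL_CONTROLS, "CFO", date(2025, 12, 31))),
    Asset("hr-portal", "AppServer 7", "hr", date(2024, 6, 30)),
    Asset("lab-switch-03", "Switch OS 3.x", "engineering", date(2025, 3, 1),
          Mitigation(ALL_CONTROLS, "CTO", date(2025, 6, 30))),
    Asset("crm-app", "CRM Suite 9", "sales", date(2025, 5, 15),
          Mitigation(frozenset({"restricted-access"}), "COO", date(2026, 3, 31))),
    Asset("web-front", "WebStack 2022", "marketing", date(2026, 3, 31)),
    Asset("mail-gw", "MailGate 5", "it", date(2028, 1, 1)),
    Asset("printer-fleet", "PrintOS", "facilities", None),
]

if __name__ == "__main__":
    for name, finding in review_eol(INVENTORY, TODAY).items():
        print(f"{name:14} {finding}")
```

Run quarterly, the output is the evidence a supervisor asks for: each unsupported system is either retired, covered by a complete and dated exception with a named approver, or listed as a gap with an owner. An exception without an end date never reaches the "accepted" state, which is the point of the timebox.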

3. Supply chain security: Your weakest link

The reality from Ivanti's research: Nearly half (48%) of organizations have not identified the third-party systems or components that are most vulnerable in their software supply chains. Many still rely on static questionnaires, which are time consuming, self-reported and poor at surfacing live risk, particularly for software components and managed providers.

How supervisors judge readiness: Accountability doesn't stop at the perimeter. Supervisors will look for a defensible method to judge supplier security (including secure development and vulnerability disclosure practices), contractual duties that mirror that method, ongoing visibility into partner risk rather than annual forms alone, and the ability to detect and respond when the originating exposure sits with a vendor.

Article 21 makes this explicit: supply chain security is one of the required measures under Article 21(2)(d), and Article 21(3) requires entities to take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including their secure development procedures. The depth of scrutiny must be risk-based and proportionate, and software security in the supply chain is a shared responsibility between the entity and its suppliers.

Raise your security posture: Start by matching the depth of your security requirements to the risk the supplier introduces to your environment.

A cloud provider hosting critical workloads requires far more stringent controls than a low-impact SaaS tool. For high-risk vendors, demand tangible evidence — SBOM availability, patch and disclosure cadence, participation in coordinated vulnerability disclosure — and make these obligations enforceable in contracts.

Replace one-off surveys with near-real-time indicators, such as exploit telemetry, remediation timeliness and changes in the supplier’s attack surface. Finally, rehearse a supplier-originating incident together: confirm contacts, evidence sharing and public communications that satisfy NIS2’s staged notifications.

4. Blind spots: The hidden risk you can’t manage

The reality from Ivanti’s research: Shadow IT, legacy systems, unmanaged devices and third-party dependencies are persistent blind spots for many organizations.

These gaps slow response, obscure risk and leave organizations exposed to breaches and compliance failures.

How supervisors judge readiness: Article 21 expects organizations to manage risk across the lifecycle — including asset inventory, vulnerability management and supply chain assurance.

Blind spots undermine that mandate. Supervisors will ask: can you prove you know what is in your environment, what’s vulnerable and what is being done about it?

Raise your security posture: Treat visibility as a governance priority, not a technical detail.

  • Conduct regular attack surface assessments.
  • Integrate IT and security data.
  • Use automation to correlate and normalize asset information.
  • Flag shadow IT, BYOD and legacy systems for board-level review.

Most importantly, tie visibility gaps to business impact: “We lack patch compliance data for X% of endpoints, which affects SLA delivery and regulatory posture.”
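The "integrate and normalize" steps above come down to joining several partial inventories on a common key and reporting what falls through. The following is an added example written for this page, not code from Ivanti; the four data sources (a CMDB export, an EDR agent list, a network scan and patch compliance records), the hostname normalization rule and the sample hosts are all constructed assumptions, and real exports would carry more fields.

```python
from dataclasses import dataclass, field


def normalize(host: str) -> str:
    """Reduce a hostname to a lower-case short name so sources can be joined.

    Assumes a single DNS domain: the CMDB, EDR console and scanner each record
    the same machine differently ("WS-0101.corp.example", "ws-0101", "WS-0101").
    """
    return host.strip().lower().split(".")[0]


@dataclass
class BlindSpotReport:
    shadow_it: set = field(default_factory=set)       # seen on the network, absent from the CMDB
    unmanaged: set = field(default_factory=set)       # in the CMDB, but no EDR agent reporting
    no_patch_data: set = field(default_factory=set)   # no patch-compliance record at all
    total_observed: int = 0                           # union of every host any source knows about

    def no_patch_data_pct(self) -> float:
        if not self.total_observed:
            return 0.0
        return round(100.0 * len(self.no_patch_data) / self.total_observed, 1)


def correlate(cmdb, edr_agents, network_scan, patch_records) -> BlindSpotReport:
    """Join the four sources on normalized hostname and report each kind of gap."""
    cmdb_hosts = {normalize(h): owner for h, owner in cmdb}
    edr_hosts = {normalize(h) for h in edr_agents}
    seen_hosts = {normalize(h) for h in network_scan}
    patched = {normalize(h) for h in patch_records}

    observed = set(cmdb_hosts) | seen_hosts           # everything we have any evidence exists
    report = BlindSpotReport(total_observed=len(observed))
    report.shadow_it = seen_hosts - set(cmdb_hosts)
    report.unmanaged = set(cmdb_hosts) - edr_hosts
    report.no_patch_data = observed - patched
    return report


def board_line(report: BlindSpotReport) -> str:
    """Phrase the gap as a share of the estate, the way the text suggests, not as a raw count."""
    return (f"We lack patch compliance data for {report.no_patch_data_pct()}% of observed hosts; "
            f"{len(report.shadow_it)} host(s) are unknown to the CMDB and "
            f"{len(report.unmanaged)} inventoried host(s) have no EDR agent.")


# Constructed sample exports (not real data). Each source names hosts differently on purpose.
CMDB = [("WS-0101.corp.example", "finance"), ("ws-0102.corp.example", "hr"),
        ("SRV-DB-01.corp.example", "it")]
EDR_AGENTS = ["ws-0101", "srv-db-01"]
NETWORK_SCAN = ["ws-0101.corp.example", "ws-0102.corp.example", "srv-db-01.corp.example",
                "nas-unknown.corp.example", "RASPI-LAB"]
PATCH_RECORDS = {"WS-0101": 0.97, "srv-db-01.corp.example": 0.85}   # compliance fraction per host

if __name__ == "__main__":
    rep = correlate(CMDB, EDR_AGENTS, NETWORK_SCAN, PATCH_RECORDS)
    print("shadow IT:     ", sorted(rep.shadow_it))
    print("unmanaged:     ", sorted(rep.unmanaged))
    print("no patch data: ", sorted(rep.no_patch_data))
    print(board_line(rep))
```

The two hosts that appear only in the scan are the shadow IT the board needs to see; the CMDB host with no agent is the unmanaged device; and the denominator for the percentage is the union of all sources, not the CMDB alone, so the figure does not flatter an incomplete inventory.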

Closing the communication gap: What CISOs and boards must do

Forty percent of security teams say IT doesn’t understand their organization’s risk tolerance — that’s a cybersecurity governance red flag. The board cannot challenge, prioritize or allocate resources without clarity on business impact.

Under NIS2, the management body must exercise informed oversight. The remedy starts with the CISO translating exposures into scenarios the board recognizes:

“If we do not update those systems within 48 hours, there’s a very high probability of breach, and the health data of all our clients will be easy to extract. This will hurt our brand, create claims in court and stop our services for days.”

Strong briefings give a time frame and tie each investment to a reduction in the top exposures, meaning the weaknesses whose exploitation would materially hurt revenue, safety or compliance.

Boards should insist on a compact list of priorities, agree on risk appetite in economic terms and revisit progress quarterly. Over time, that discipline replaces tool-centric updates with a shared narrative of how the attack surface is shrinking and resilience is improving.

Every board deck should answer these three simple questions:

  • What could go wrong that truly matters?
  • What are we doing about it?
  • How will we know it worked?

Anchor measurement to outcomes — time to isolate, time to recover and changes in the top-ten exposures — rather than raw patch or alert counts. When discussing technical debt, attach a price tag: “Keeping this EOL cluster another quarter preserves functionality but adds €X expected loss unless we isolate and monitor it.” That is the language of governance NIS2 expects to see in minutes and in decisions.

Training the board: A NIS2 imperative

The board can only close the communication gap when its members understand the subject. NIS2 codifies what many already recognize: under Article 20(2), members of the management body are required to follow cybersecurity training so that they can identify risks and assess the risk-management practices in place and their impact on the services the entity provides.

Effective programs are pragmatic: they brief directors on evolving threats (such as AI-enabled ransomware and compromised software supply chains), explain the staged incident reporting obligations and the potential liabilities, and practice decisions through realistic table-top exercises.

Prioritize sessions that teach directors to read cyber metrics in business terms (e.g., what the exposure picture implies for continuity, customers and compliance) and how to interrogate the plan until it is credible.

Turn training into capability. Make board education a continuous competency, not a one-off seminar. Use short, focused modules that build fluency (e.g., one quarter on exposure prioritization, the next on supplier oversight and CVD, then one on incident reporting mechanics).

Base each session on a real scenario, such as AI-assisted ransomware or a malicious vendor update, and capture the specific decisions directors must make. Convert those decisions into concrete governance improvements (updated policies, contract clauses or metrics) so training shows traceable uplift rather than box-ticking.

Close the gap between intent and impact for NIS2 readiness

Ivanti's research shows encouraging intent: boards talk about cybersecurity, budgets are growing and CISOs have a seat at the table. But intent does not equal impact.

That same data reveals preparedness gaps for ransomware, stubborn silos that slow response and weaken posture, a long tail of end-of-life technology and opaque supply chain risk that keeps material exposure on the books.

NIS2 raises the bar from conversation to accountability: management bodies must ensure measures are proportionate, state of the art and effective — and they must prove it when incidents occur.

Organizations that close the communication gap, retire or isolate legacy systems on a schedule and replace questionnaire-only oversight with evidence and rehearsal will find they are not only compliant, but resilient.