The Bulletin · Updated weekly
Field notes on NIS2 in practice.
Governance · Featured · Apr 18, 2025
NIS2 Article 20: 5 boardroom responsibilities directors cannot delegate
Article 20 of Directive 2022/2555 moves cybersecurity formally into the boardroom. Here are the five responsibilities that now fall personally on directors.
Read · 10 min
The archive.
Incident management · NIS2 incident notification: the practical 72-hour guide
A cyber incident strikes. The NIS2 clock starts. Here is exactly what you must do, hour by hour.
Supply chain · NIS2 supply chain security: 5 clauses to require from your suppliers
Article 21(2)(d) of Directive 2022/2555 explicitly mandates supply chain security. Here are 5 concrete contractual clauses to add to every critical supplier contract.
Risk management · A pragmatic risk register template for NIS2 Article 21
Most organisations already keep a risk register. Here is how to retrofit yours so it actually maps to NIS2 expectations.
Sanctions · How national regulators will calculate your NIS2 fine
Up to €10M or 2% of worldwide turnover. The headline is simple. The arithmetic underneath is not.
Governance · The cybersecurity training every NIS2 board now owes its shareholders
Article 20(2) requires directors to follow training. Here is what good looks like — and what regulators will accept as evidence.