ANALYSIS

Reporting Cybersecurity to Your Board: What NIS2 Requires, What Most Packs Miss

In April 2026, the Dutch Cyberbeveiligingswet completed its passage through the Eerste Kamer. Twenty-one of twenty-seven EU member states now have NIS2 transposed into law. Germany has been auditing entity registration since 6 March. Belgium ran essential-entity self-assessment deadlines through 18 April. Italy's Decreto Legislativo 138/2024 has been in force since 16 October 2024.

What boards are being asked to do under NIS2 Article 20 is no longer hypothetical, and what they actually receive in their quarterly cybersecurity pack rarely matches.

The gap shows up three different ways. CISOs present technical dashboards (mean time to respond, vulnerability counts, MITRE coverage maps) while directors are legally accountable for something different: oversight, training, and risk-acceptance documentation. Boards ask about worst-case scenarios and regulatory exposure, but the resources they can actually allocate, the policies they can approve, and the governance structures they can change are narrower than the questions suggest. Pre-incident reporting follows a quarterly steady-state cadence, while incident-mode reporting follows Article 23's 24-hour, 72-hour, and one-month clocks. Most board packs are not built to switch modes.

This piece walks the gap from three sides: what NIS2, the UK's NIS Regulations 2018 and emerging Cyber Security and Resilience Bill, and the SEC's Item 106 actually require; what a defensible quarterly pack looks like at the level of section anatomy; and what directors should be asking when the pack lands.

What Article 20 Actually Requires of Management Bodies

Article 20(1) of Directive (EU) 2022/2555 places three obligations on the management bodies of essential and important entities. Member States must ensure those bodies "approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article."

Three verbs. Approve. Oversee. Be held liable. Each operates on different evidence.

Approve is the simplest. It needs a record showing that the board, or a designated committee, looked at the measures and gave them assent. Meeting minutes referencing the specific Article 21 measures, with dates and the documents reviewed, satisfy the basic evidence requirement.

Oversee is harder, because oversight is ongoing. It needs evidence that the board continued to receive reports on implementation between approval and the next review cycle. The board does not have to read every penetration test result. It has to be able to demonstrate that it knew what was happening. That demonstration is the quarterly pack.

Held liable is where vendor marketing has gone furthest from the directive text. The administrative fines under Article 34 (up to €10 million or 2% of global turnover for essential entities, €7 million or 1.4% for important entities) apply to the entity, not to natural persons. Article 32(5)(b) gives national authorities the power to ask courts to temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions, but only for essential entities and only through judicial process. DLA Piper's November 2025 analysis emphasises a related distinction often missed in vendor framing: while the suspension power is essential-entity-only, the broader personal-liability scope, flowing through each Member State's corporate law, extends to both essential and important entities. The form of liability is set nationally (civil claims under Book 2 Article 9 of the Dutch Civil Code, the German BSI Act's binding-order regime, France's ANSSI-led audit cycle) and the directive itself does not impose direct personal fines.

Article 20(2) adds a mandatory training requirement. Members of management bodies "are required to follow training… in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity." The word required is load-bearing. For employees the directive uses encourage. For management, it is a duty.

The European Commission's Implementing Regulation (EU) 2024/2690 of 17 October 2024 set the technical security requirements for digital infrastructure, ICT service management, and digital provider entities. ENISA's Technical Implementation Guidance v1.0, published 26 June 2025, mapped the Regulation's annex into practical implementation paths: a structured process involving the CISO, a Cybersecurity Implementer (typically a system administrator with incident response skills), a Cyber Legal, Policy and Compliance Officer, and where necessary a third-party service provider. The guidance is non-binding, but it is now the closest thing to an agreed reference point for what compliance evidence looks like.

The prior piece in this sequence, our analysis of NIS2 personal liability for board members, covers how each EU Member State's transposition implements Article 20 at the personal level.

The UK and US Parallels

NIS2 is not the only regime asking boards to do something specific with cybersecurity, but it is the one that asks the most.

United Kingdom. The UK left the EU before NIS2 was finalised and chose not to transpose it. The current statutory baseline remains the Network and Information Systems Regulations 2018. The Cyber Security and Resilience (Network and Information Systems) Bill was introduced to the House of Commons on 12 November 2025 and is, as of May 2026, in committee stage. The Bill amends the NIS Regulations 2018 by adding data centres as a regulated sector, expanding designations for critical suppliers, and tightening incident-reporting obligations to a 24-hour initial notification plus a 72-hour full notification. It does not introduce mandatory board approval, oversight obligations, training requirements, or personal liability provisions. It does not require a final incident report. The Bill's penalty regime is higher than NIS2's (up to £17 million or 4% of global turnover for serious breaches) but the accountability architecture is built around the entity, not the board.

That leaves the NCSC Cyber Security Toolkit for Boards as the UK's de facto board-level reference. Version 3.0, last reviewed 8 April 2025, is organised around the five principles of the Cyber Governance Code of Practice: Risk Management, Strategy, People, Incident Planning Response and Recovery, and Assurance and Oversight. It is non-statutory, and that is its weakness and its strength. Weakness: no legal teeth. Strength: it can be specific about what good board practice looks like without waiting for Parliament.

United States. The Securities and Exchange Commission's Final Rule 33-11216, adopted 26 July 2023, took a different route. Item 106 of Regulation S-K requires public-company registrants to disclose, in their Form 10-K, their processes for assessing, identifying, and managing material cybersecurity risks (Item 106(b)) and the board's oversight of those risks (Item 106(c)). Item 106(c)(1) specifically requires registrants to describe "the board's oversight of risks from cybersecurity threats and, if applicable, identify any board committee or subcommittee responsible for such oversight, as well as describe the processes by which the board or such committee is informed about such risks." That last phrase, processes by which the board is informed, is what the SEC has made disclosable.

Item 1.05 of Form 8-K, layered onto the same rule, requires public companies to disclose material cybersecurity incidents within four business days of determining materiality. SEC Compliance and Disclosure Interpretations published 24 June 2024 sharpened the perimeter. Under C&DI 104B.05, resolution of an incident through ransomware payment before the materiality determination does not relieve the company of the requirement to make that determination. Under 104B.06, resolution before the 8-K deadline does not relieve the company of the requirement to file. Under 104B.07 and 104B.08, insurance reimbursement and ransomware-payment size are not, on their own, dispositive of materiality. Under 104B.09, related incidents must be evaluated collectively.

The SEC's enforcement track record on this rule is less clean than the rule itself. The action against SolarWinds and its CISO Timothy Brown, filed October 2023, was largely dismissed by the Southern District of New York in July 2024 and the remaining claims withdrawn by the SEC on 20 November 2025. The disposition signalled a broader recalibration of enforcement priorities. What survives is the disclosure regime itself, and live filings continue to follow it: Coinbase Global filed an 8-K under Item 1.05 on 14 May 2025 disclosing an insider-paid contractor extortion incident with a preliminary cost estimate of $180 to $400 million.

The contrast between the three regimes is sharp enough to be operationally useful. NIS2 asks boards to do things (approve, oversee, train, be liable) and creates the evidentiary surface for an audit. The UK CSR Bill asks entities to report things, leaves the board out of the statutory text, and relies on the NCSC Toolkit to carry governance expectations. SEC Item 106 asks public companies to disclose what their board does, without prescribing the shape of board oversight itself. A FTSE-listed multinational with EU operations and US-listed ADRs is in all three regimes simultaneously, and most board packs are designed for one.

For the supply-chain dimension of Article 21(2)(d), where supplier-side personnel exposure compounds the entity's own, our prior piece on right-of-access reconnaissance and the Article 15 gap maps the underlying mechanic.

The Quarterly Pack: What a Defensible Version Looks Like

Most cybersecurity board packs were built to satisfy the audit committee, not the directive. They lead with operational metrics. They run thirty to fifty slides. They are read once, in the meeting, and shelved.

A pack built around Article 20's evidentiary burden, and built to switch into incident mode when needed, looks different. It has six sections, in roughly this order.

The defensible six-section pack

  1. Threat environment & sector context: sector-specific changes since last quarter; new ENISA and Member-State guidance.
  2. Top risks with quantified exposure: five to seven risks with financial exposure ranges and confidence intervals. CRQ as floor, not avant-garde.
  3. Control posture against critical-asset map: named critical assets mapped to specific controls. Operational telemetry sits here, not at the front.
  4. Incident & near-miss log: every Article 23 notification this quarter plus near-misses with root cause. Both lists.
  5. Third-party & supply-chain exposure: critical suppliers ranked, incident posture documented. Article 21(2)(d) at the board level.
  6. Open decisions for the board: three to five decisions tied to specific risks and resource implications. Shortest section, most important.

Section 1. Threat environment and sector context (1 to 2 pages). What changed since last quarter that is specifically relevant to this entity's sector and geography. Not a survey of every ransomware family. The two or three threats that have shown up in the entity's sector, plus the regulatory developments that directly bear on the entity's scope: Member State transposition status, new ENISA guidance, sector-specific implementing acts.

Section 2. Top risks with quantified exposure (3 to 5 pages). The five to seven risks the entity is actively managing, each with a financial exposure range and a confidence interval. The NACD/ISA 2026 fifth principle, Guide Cybersecurity Risk Measurement and Reporting, explicitly elevates this from optional to expected. Cyber risk quantification is no longer the avant-garde of board reporting. It is the floor.

Section 3. Control posture against the critical-asset map (2 to 3 pages). Not a generic NIST or ISO control inventory. The entity's identified critical assets (the systems, data sets, and processes the entity has formally said it cannot lose) mapped against the specific controls protecting each. A board cannot exercise oversight of asset-protection prioritisation if the pack does not show what was prioritised.

Section 4. Incident and near-miss log (1 to 2 pages). Every incident reported under Article 23 since the last meeting, including the ones that did not reach the significant threshold. Near-misses with their root-cause analysis. Both lists. The pack should make it impossible for the board to learn about an incident first from the press.

Section 5. Third-party and supply-chain exposure (2 to 3 pages). Critical suppliers ranked by criticality to the entity, with their incident posture and contract terms. NIS2 Article 21(2)(d) makes supply-chain risk a board-level item. The pack has to show that risk is being measured, not that a TPRM questionnaire was sent.

Section 6. Open decisions for the board (1 page). Three to five decisions the board is being asked to make this quarter, each tied to a specific risk and resource implication. The shortest section. The most important.

The page counts in parentheses are not prescriptive. The structure is. A pack with these six sections, in this order, makes the Article 20 evidence trail self-documenting. A pack that scatters the same information across thirty operational slides does not.


Pre-Incident Reporting Is Not the Same Cadence as Incident-Mode Reporting

The quarterly pack is the steady-state instrument. NIS2 Article 23 sets the cadence for incident-mode reporting, and it is faster.

Article 23 establishes four stages. An early warning is required without undue delay, and in any event within 24 hours of becoming aware of a significant incident, indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact. An incident notification follows within 72 hours, providing an initial assessment of severity and impact and, where available, indicators of compromise. An intermediate report is provided on CSIRT or competent-authority request. A final report is due not later than one month after the incident notification, with a detailed description of the incident, the root cause likely to have triggered it, applied and ongoing mitigation measures, and cross-border impact where applicable.

The UK CSR Bill mirrors the 24-hour initial and 72-hour full notifications but omits the intermediate and final reports. The SEC requires materiality determination "without unreasonable delay" and disclosure within four business days of that determination. For a public company with EU operations and US-listed ADRs experiencing a significant cross-border incident, three different clocks start at slightly different moments and have to be reconciled in real time.
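To make that reconciliation concrete, the following is an added example (not code from the original article) that computes every deadline across the three regimes from two timestamps: when the entity became aware of the incident and when the SEC materiality determination was made. The sample timestamps are constructed; it assumes the one-month final-report clock runs from the 72-hour notification deadline and does not model public holidays in the SEC business-day count.

```python
"""Deadline calculator for the three incident-notification clocks discussed above:
NIS2 Article 23, the UK CSR Bill, and SEC Form 8-K Item 1.05.
Illustrative only; the sample times are constructed, not from a real incident."""
from __future__ import annotations
import calendar
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample inputs: awareness on a Monday morning, materiality decided two days later.
SAMPLE_AWARENESS = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)
SAMPLE_MATERIALITY = datetime(2026, 5, 6, 15, 0, tzinfo=timezone.utc)


def add_months(moment: datetime, months: int) -> datetime:
    """Calendar-month arithmetic that clamps the day (31 Jan + 1 month -> end of Feb)."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def add_business_days(moment: datetime, days: int) -> datetime:
    """Advance by whole weekdays (Mon-Fri). Assumption: public holidays are not modelled."""
    current, remaining = moment, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def notification_timeline(awareness: datetime,
                          materiality_determined: Optional[datetime] = None) -> list[dict]:
    """Every obligation across the three regimes, sorted by deadline.

    awareness: when the entity became aware of the significant incident (NIS2 and UK clocks).
    materiality_determined: when the SEC materiality determination was made; None means
    the 8-K clock has not started yet, which is how the three clocks start at different moments.
    Assumption: the NIS2 final report is counted one month from the 72-hour notification
    deadline, i.e. the notification is taken to be filed at that deadline.
    """
    early_warning = awareness + timedelta(hours=24)
    notification = awareness + timedelta(hours=72)
    items = [
        {"regime": "NIS2 Art. 23", "stage": "early warning", "due": early_warning},
        {"regime": "NIS2 Art. 23", "stage": "incident notification", "due": notification},
        {"regime": "NIS2 Art. 23", "stage": "final report", "due": add_months(notification, 1)},
        {"regime": "UK CSR Bill", "stage": "initial notification", "due": early_warning},
        {"regime": "UK CSR Bill", "stage": "full notification", "due": notification},
        # The UK Bill has no intermediate or final report, so nothing further is added for it.
    ]
    if materiality_determined is not None:
        items.append({"regime": "SEC 8-K Item 1.05", "stage": "disclosure",
                      "due": add_business_days(materiality_determined, 4)})
    return sorted(items, key=lambda item: (item["due"], item["regime"]))


def next_due(timeline: list[dict], now: datetime) -> Optional[dict]:
    """The earliest obligation whose deadline has not passed; None when all have lapsed."""
    pending = [item for item in timeline if item["due"] > now]
    return pending[0] if pending else None


if __name__ == "__main__":
    for item in notification_timeline(SAMPLE_AWARENESS, SAMPLE_MATERIALITY):
        print(f"{item['due']:%Y-%m-%d %H:%M} UTC  {item['regime']:<18} {item['stage']}")
```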

The board's role in incident mode is narrower than in steady state, and most packs do not say what it is. The board needs to know, before the incident, not during it, who has authority to make the materiality determination under SEC rules, who signs off on the 24-hour notification language under NIS2, what counts as significant against the entity's own thresholds, and who tells the board first. A board that learns its CFO authorised a ransomware payment in the same minute as the regulator did is governing reactively.

A useful pre-incident exercise: walk the 24-hour clock in advance. Pick a plausible scenario. Identify each decision point. Name the person responsible for each. Document the threshold each person is using. Time the exercise. This is a desk exercise, not a full simulation. It does not have to interrupt normal operations to be useful. Its purpose is to surface the procedure and policy points where decision authority, thresholds, or escalation paths need revision before they are tested for real. A 24-hour scenario that takes the team 36 hours to walk in advance is not a 24-hour scenario in incident mode either.

Our Corporate Breach Response Checklist covers the operational side of the first 72 hours; our law-firm breach analysis walks the principal-side governance discipline (matter-file segregation, notification SLAs in engagement letters, prior-incident disclosure) from the perspective of clients reading their counsel's pack.

What Boards Ask About vs. What Boards Can Act On

The question "are we secure?" is the most common board question and the least useful one. Security is not a binary, and even if it were, the board cannot move it with a vote.

The questions a board can act on are narrower. Resource allocation. Policy approval. Governance structure. Risk acceptance. Training compliance. Each maps to a decision the board has formal authority over. Each is documentable. Each can be re-examined cycle to cycle.

The NACD/ISA 2026 third principle, Establish Board Oversight Structures and Access to Expertise, names the board's own structure as the first cybersecurity asset class the board controls. Most boards have a risk or audit committee that absorbs cybersecurity oversight by default. The 2026 handbook frames that absorption as a choice, not a given: the board should be deciding, on the record, whether cybersecurity warrants a dedicated subcommittee, what its terms of reference are, and how often its chair reports to the full board.

Deciding the structure also means naming who sits on it. The directors who take on cybersecurity oversight are also the directors most likely to be reconnoitred against the entity's threat model. The structure decision creates the personal-exposure audit case for the directors who sit on the cybersecurity subcommittee, and tying that audit into the same governance cycle that approves the structure is the cleanest evidence trail Article 20 will get.

A board pack that does not name the open decisions is not asking the board to govern. It is asking the board to approve.

The Vanity-Metric Trap

A pack that leads with mean-time-to-detect, mean-time-to-respond, vulnerability counts open and closed, and MITRE ATT&CK coverage percentages is a pack that has confused operational telemetry for governance evidence.

These metrics matter to the SOC. They tell the board very little about exposure. A 96% MITRE coverage number does not say whether the four percent that is uncovered touches the critical-asset map. A 2.4-hour MTTR does not say whether the incidents the team is responding fast to are the incidents that would have warranted a 24-hour Article 23 notification. A vulnerability count of 1,247 open does not say how many of them are exploitable, internet-facing, or chained.

NACD/ISA 2026's fifth principle moves the bar. Reporting should translate technical metrics into financial terms: exposure ranges with confidence intervals, scenario-based loss estimates, control-failure cost projections. The transition is uncomfortable, because financial framing forces decisions the operational framing avoids. That is the point.

The pack does not need to drop the operational telemetry. It needs to put it in Section 3, behind the critical-asset map, where it belongs as evidence rather than headline. The headline is the financial exposure, the open decisions, and the regulatory state of the entity. Everything else supports.

The Personal-Exposure Blind Spot

The blind spot most board packs share is the directors' own digital exposure.

Our executive cybersecurity four-threat-models analysis traced where executives sit in the attack chain: incidental, path, personal target, vector. A board pack that maps the entity's enterprise exposure surface in detail and says nothing about the surface its own members present is incomplete by Article 20's standard. The directive obliges the management body to identify and assess cybersecurity risks. The personal exposure of the people identifying and assessing is a cybersecurity risk.

That exposure is not abstract. Home addresses on people-search platforms. Email and password pairs from old breaches still circulating. Family connections, travel patterns, executive-assistant routines visible through social-media correlation. Our piece on why executive digital exposure is a NIS2 compliance risk documents the mechanic. The Executive Exposure Checklist is the discovery tool we built for boards that want to see what is findable.

A pack section that maps the top directors' aggregate exposure quarter on quarter (what was findable, what was suppressed, what re-emerged) is a section the board can act on. Aggregate, not individual. The intent is governance evidence, not disclosure of any one director's vulnerabilities to the rest.

This is the OSINT layer that our NIS2 compliance mapping service supplies alongside a technical readiness programme: the personnel exposure surface the directive asks boards to understand, made visible.

What Directors Should Ask the CISO Each Quarter

The NCSC Board Toolkit's question set works for first-time boards getting oriented. For boards that have moved past orientation and are trying to govern the pack they receive, the questions sharpen.

  1. What three decisions are you asking us to take this quarter, and what risk threshold did you use to surface them? If the pack does not surface three open decisions, the board is being asked to approve, not to govern. If the threshold is opaque, the next pack should make it explicit.
  2. Which control failures from last quarter's pack remain open, and why? Last quarter's commitments are this quarter's audit trail. Article 20's oversight obligation runs through them.
  3. What is the gap between what we would report under Article 23 today and what an attacker would already know about our infrastructure? The pack should not let the board imagine that incident notification is the first time information leaves the building.
  4. Show me the ratio of governance metrics to operational metrics in this pack. If the ratio is the wrong way round, ask why.
  5. Who in our supply chain materially shapes our threat model, and how often do we test their incident workflow? Article 21(2)(d) lives or dies here.
  6. If we had to file a 24-hour notification tomorrow, who decides what counts as significant, and have they ever made that decision before? A decision made for the first time during an incident is a decision made badly.
  7. If a regulator audited our Article 20 compliance documentation tomorrow, what would they find missing? Then the harder question: where the documentation is complete, do the controls and policies it describes actually do what they were approved to do? The first version of the question audits the binder. The second audits the programme. The pack should answer both. Box-checking compliance is the easier evidence to produce and the weaker oversight signal.
  8. Whose personal exposure surface is the largest among us, and what is its trajectory? The same question, applied to ourselves. Our analysis of the RIA training-first gap made the parallel argument from the fiduciary side: an adviser's duty of care under the Investment Advisers Act §206 is structurally similar to a director's duty of care under domestic corporate law. The vector is the same. The reporting line, until now, has not been.

The CISO does not have to have all eight answers on the day. The right pack-development cycle has the CISO and the board agreeing each quarter which one or two of these is being added to the pack permanently.
