Most NIS2 compliance programmes stop at the edge of the network. Firewall rules, incident response plans, continuity testing, endpoint coverage: these are real obligations, and they take time. But Article 21(2) of the directive lists ten categories of risk-management measures, points (a) to (j), and only about half of them are technical in the conventional sense. The rest reach into supply chains, hiring, access policy and, least audited of all, the public footprint of the people the organisation depends on.
Executive digital exposure sits exactly there. It is the human-factor risk the directive names, expressed through data brokers, breached credentials, public filings, and the shape of each executive's online presence. A compliance programme that treats it as marketing-adjacent misses a category the directive asks boards to own.
What the directive actually names
Article 21(2) enumerates the risk-management measures entities must take. Two items are worth quoting directly:
- 21(2)(d) — "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers"
- 21(2)(g) — "basic cyber hygiene practices and cybersecurity training"
Article 20(1) binds these to the top of the organisation. Management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation and, in the directive's words, can be held liable for infringements by the entity. The exact form of that liability depends on national transposition, but the approve-and-oversee duty is in the directive itself.
Cybersecurity training for directors is also in the text. Article 20(2) requires management body members to follow training "in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity." That training is where the human-factor gap becomes a governance item rather than a departmental one. A first-pass self-assessment of that gap, at the named-executive level, is what our Executive Exposure Checklist is for.
Where executive exposure becomes a named risk
Three vectors connect a board member's public footprint to the categories NIS2 asks the organisation to address. Each can be reconstructed from legal, public sources — no intrusion, no credential theft. These are the attack chains an OSINT-driven adversary will already have prepared.
Vector 1 — Data-broker listings and physical or voice-based targeting
A mid-range data broker entry typically carries a home address, previous addresses, date of birth, a phone number that still works, and named family members. Several brokers join vehicle and property-registry data to that, giving an attacker a commute pattern. The same broker records drive most vishing scripts: the caller knows the neighbourhood, the mortgage vintage, the spouse's first name. That is the social-engineering vector the directive's risk-management categories already reach, rebuilt from records that are cheap and legal to buy.
Vector 2 — Credential fragments and lateral movement
Breach databases, the combolists traded openly for years, regularly contain directors' personal email addresses paired with passwords from third-party services. Even where those passwords are stale, the patterns are not: a base word with a year or symbol appended, a leet substitution, a capitalised first letter. Adversaries predict current credentials from historical ones with useful accuracy, and the reuse rate across personal and work accounts for senior staff stays higher than training programmes assume. A single successful pivot lands inside the SSO perimeter the technical controls were built to defend.
Vector 3 — Public filings as pretext material
Chamber-of-commerce filings, signed annual accounts, conference bios, board-appointment press releases, and the directors' own LinkedIn timelines combine into a pretext library. Business-email-compromise and CEO-fraud operators depend on this library: the emails that succeed are the ones that reference a real acquisition, a real travel window, a real counterparty.
The 2018 Pathé case in the Netherlands is the canonical European example. The Dutch subsidiary wired roughly €19 million across a series of transfers to scammers impersonating the Paris-based parent's leadership, and the CEO and CFO were dismissed for authorising them. The operators needed the parent-subsidiary structure, the reporting line, the executive names, and the communication patterns — all a matter of public record before the first email was sent. The supply-chain category in Article 21(2)(d) is where many of these hand-offs live: the CFO's vendor contact, the M&A adviser copy chain, the scheduled wire the attacker already knew about.
Why this lands on the board, not IT
None of the three vectors above is defended primarily at the network edge. The data broker listing is not a firewall problem. The reused credential is not only an MFA problem: MFA blunts the credential pivot, but a CEO-fraud pretext never touches a login prompt at all. The conference bio is not something a SOC can take down. Each sits at the intersection of supply-chain risk, human-factor risk and governance, the exact categories Article 21 names and Article 20 assigns to the board.
That is also why personal liability for directors under NIS2 turns on more than technical controls. As we have set out separately, the directive does not impose direct personal fines. Administrative fines sit at the entity level under Article 34: up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities. Personal exposure flows through each Member State's transposition of the approve-and-oversee duty, and through Article 32, which lets authorities temporarily bar a CEO or legal representative of an essential entity from managerial functions where other enforcement measures have failed. The underlying question a regulator or a civil claimant asks is the same one the board should ask first: did the management body understand the risks the organisation actually faced, including the ones carried by its own members?
If your NIS2 risk register does not include a documented assessment of your executives' public exposure, a Corporate Audit maps the full surface against the directive's categories.
What "addressing" looks like in a NIS2 audit context
In programmes that take the human-factor categories seriously, executive digital exposure is handled the way any other risk-management measure is: as a documented artefact, not a one-off sweep. Three components tend to be present.
A scoped assessment — an analyst-run examination of each in-scope individual's exposure across data brokers, breach databases, registry systems, and social surface. Named sources, named findings, tied to the Article 21 categories that cover them.
A remediation plan — opt-outs, takedowns, access-control changes, awareness adjustments, each with an owner and a timeline. This is the step most self-service tools stop short of; it is also the step regulators will expect to see evidence of.
A monitoring cadence — because broker listings reappear, credentials leak again, and public filings keep accumulating. The control is the cycle, not the one-time clean-up.
None of this is out of reach for a small compliance team. But it needs to be on the register. Under NIS2, that is a board-level commitment rather than an IT expense line, and the distinction matters when the regulator, the insurer, or the plaintiffs' lawyer is asking how the measures were approved and overseen.