A few weeks ago, I attended a training session for board members. One of the topics was the recently introduced EU NIS2 directive, a law that significantly increases board-level responsibility for cybersecurity. Under this directive, executive and non-executive directors can be held personally liable for cybersecurity failings. In other words, cybersecurity is no longer just an IT issue; it’s a boardroom priority.

What struck me during the discussion wasn’t the complexity of the law itself, but the reactions from my fellow attendees. Most of them came from financial or legal backgrounds. They acknowledged the importance of the topic but insisted they couldn’t possibly understand the technical details. “That’s what the CIO or CISO is for,” someone said. Others nodded.

But here’s the uncomfortable truth: you cannot delegate accountability. Execution? Yes. Understanding and oversight? No. As a board member, you’re expected to challenge and validate, not just accept and approve.

I spoke up and made a comparison with something more familiar to them: financial reporting. When your CFO presents a budget or forecasts, do you simply nod along, or do you ask questions? Do you trust blindly, or do you challenge, audit, and validate before signing off?

We’ve come to accept that good governance requires financial literacy. Why should cybersecurity be any different?

In the same way that board members today are expected to read balance sheets and income statements, tomorrow’s boards will be expected to interpret risk assessments, understand threat models, and evaluate mitigation strategies. Not to become experts, but to be literate enough to ask the right questions, spot red flags, and ultimately, fulfil their fiduciary duties.

If no one on the board feels confident in this area, then it’s time to bring in someone who does. Including a director with a solid background in cybersecurity isn’t just a compliance checkbox. It’s a strategic advantage. It helps the board ask better questions, make more informed decisions, and avoid the costly consequences of being caught off guard.

The NIS2 Directive is a wake-up call, but also an opportunity. It’s a chance to close the gap between tech and governance, and to create boards that are both strategically sharp and digitally resilient.

Cybersecurity is a board-level responsibility now. Let’s start treating it that way.