NIS2 and the isolated CTO: a governance problem most boards haven't solved

THIS ISN'T A CISO OR CTO PROBLEM. UNDER NIS2, SECURITY IS A BOARD ONE.

In April 2026, Basic-Fit confirmed a hack had exposed the personal and financial data of one million members across twelve European countries. Names, addresses, birth dates, IBAN numbers, all downloaded and gone. Earlier that year, Odido faced the same. The breach was detected within minutes. By then, it was already too late.

Somewhere, a board meeting will follow. A remediation plan will be presented. Questions will be asked. The room will probably spend most of its time on what happened. Considerably less on what made it possible.

The breach took minutes; the conditions for it took years.

Under NIS2, that distinction carries personal consequences for every board member. The directive doesn't just require organisations to take cybersecurity seriously. It holds leadership individually accountable when they don't. Not the CISO. Not the CTO. The board. But accountability without understanding doesn’t close a gap.

THE BREACH TOOK MINUTES. THE GOVERNANCE GAP TOOK YEARS.

A 2021 survey of Dutch digital leaders found that 70% were frustrated with their board, and only 30% felt their board genuinely understood the challenges they faced. That was before NIS2. Before personal liability. Before breaches like Clinical Diagnostics, Odido and Basic-Fit.

CTOs don't become isolated overnight. With each board meeting where risk tables are approved but not understood, and with each incident treated as a problem 'for the IT team', the isolation grows. The security function is growing in importance, but understanding at the table isn't growing at the same speed.

A CTO or CISO in a mid-sized or large organisation carries something that most of their peers at MT (management team) level do not. Their function can bring operations to a halt, trigger regulatory fines and generate front-page news. The work is inherently technical, and the CTO is expected to explain and translate it for board meetings. That audience usually has little to no technical background, which makes it difficult to ask the right questions and to evaluate the current approach. That is a difficult situation in the best of times; under NIS2, it becomes a structural exposure.

ON PAPER, THE GOVERNANCE IS HAPPENING

It is not a matter of priority. Most organisations already treat cybersecurity as an important topic. Budgets are increasing, boards sit together to establish risk matrices, and performance is evaluated quarterly. On paper, the governance is happening. In reality, most boards lack the technical background to grasp, let alone challenge, the root causes and implications of the security risks put in front of them.

Boards have developed a high fluency in operational, financial, commercial and reputational risks. Those are rooted in how businesses have operated over the last 100 years or so, topics that leaders learned about through their experience, education and MBAs. Cybersecurity is relatively new to the table, and because of its specialist nature it is most likely to be delegated right back to the seat that is raising the risks.

The result is a CTO who is increasingly isolated, carrying the technical responsibility without the governance support. The board carries personal accountability, whether they understand the risks or not.

THIS IS NOT A COMMUNICATIONS CHALLENGE

A natural inclination is to ask the CTO to explain risks in plain business language: use less technical language, make the information more accessible. Clear communication is not wrong, of course, but the request entirely misses the point. This is not a communications challenge; it is a governance one.

The governance problem is more specific than it might appear. When a single executive role such as the CTO carries cybersecurity into the boardroom alone, the organisation has already created the conditions for delegation rather than dialogue. Delegating the responsibility back to that one seat only deepens the isolation.

The same is true for how cybersecurity investments are evaluated. When security initiatives are assessed separately from organisational priorities, they remain a specialist topic rather than a business one. That is not a technology failure, but a structural one.

Most MTs haven't solved either of these things yet. And so the CTO keeps walking into those board meetings, presenting the plan, watching the budget get approved, and leaving whilst still holding everything that wasn't understood.

The question isn't whether your board is taking cybersecurity seriously. It probably is, on its own terms. The real question is: does your CTO feel that? And when did you last actually ask?

Seventy percent of Dutch digital leaders said their board didn’t understand their challenges. That was in 2021, before those breaches, and before NIS2. I assume that percentage hasn’t increased.

In a follow-up, Alexandros goes deeper, exploring what governance that actually works looks like, and what it takes to get there.
