Louis Zezeran
5 February 2026
NIS 2 has a funny effect on otherwise confident business leaders: the moment they realize it’s not “an IT regulation,” the conversation changes. Suddenly, cybersecurity stops being a technical budget line and becomes what it always should have been—core business risk, board-level accountability, and a direct test of leadership maturity. That’s the heart of this Cybercast episode with NEVERHACK host Anett Numa and guests Henri and Rainer Ratnik from WIDEN Legal.
From compliance headache to business reality
Anett opens by naming the common reaction: regulations feel like paperwork, checklists, and a compliance burden. But NIS 2 is different because it “lands on the desk” of CEOs and board members. Leadership is directly accountable, reporting timelines are tight, and supply-chain responsibility is now part of the picture. The old comfort blanket—“we haven’t been hacked yet”—doesn’t count as strategy anymore. Under NIS 2, companies are expected to prove they understand risk, can report incidents quickly, and can demonstrate real cyber resilience rather than good intentions.
That tone matters because it reframes the whole objective. The real win is not “passing an audit.” The win is building a business that can keep operating, keep serving customers, and keep trust intact even when things go wrong.
Why boards suddenly care (and why they should have cared earlier)
Henri explains the biggest shift plainly: the management board is directly liable for implementing cybersecurity. In the past, many organizations treated cyber as something the IT department “handled” (or outsourced). NIS 2 changes the power dynamic. The law requires organizations to designate board-level responsibility for cybersecurity and expects leadership to have the competence to oversee it—training, review, and governance included. That single legal change is driving a surge of CEO and board questions, because the risk is now personal.
Rainer adds the management perspective with a scenario any leader can feel. Imagine a company with strong revenue and profit, built on long-term client relationships. Then a cyber incident takes operations down for a week: no sales, no order fulfillment, no cashflow, growing customer anxiety, reputational pressure, and a team in crisis mode. Even if you escape massive regulatory penalties, the business impact can be brutal. Lost profit is one thing—lost trust compounds over years.
And then there’s the second-order reality leaders often forget: liability and insurance. Many board members assume, “We delegated this to IT,” and mentally move on. But in a serious incident, the question becomes: did leadership do the homework? Did they fund reasonable controls? Did they exercise oversight? Rainer’s point is sharp: insurance doesn’t reward negligence. If leadership ignored warning signs or consistently prioritized short-term profit over risk controls, the protection you thought you had may not protect you at all.
The two fastest “first steps” leaders should take
This episode is especially valuable because it doesn’t stay abstract. Henri offers two concrete early actions:
- Confirm whether NIS2 applies to your organization. Before you overreact, you need clarity. NIS2 doesn’t apply to every company, but the number of covered entities is expanding significantly. The practical takeaway is simple: determine your status early and treat it as a real project, not a vague future task.
- Understand what “whole organization” really means. Previously, some rules applied only to the specific regulated service. The new approach pushes controls across the organization. Henri uses a memorable example: if a business sells fuel and also sells hot dogs, the same systems often support both. The law isn’t trying to regulate “hot dog sales.” The point is that shared systems create shared risk—so leadership must think holistically rather than treating cyber controls as a narrow, isolated requirement.
That “whole organization” mindset is the real transformation. It forces leaders to recognize what their IT teams already know: identities, endpoints, vendors, and workflows are connected. Attackers don’t respect departmental boundaries, so your controls can’t either.
A real-world lesson: fines aren’t always the main pain
One of the most striking parts of the conversation is a real example from Estonia: a company providing genetic analysis services experienced a data leak involving extremely sensitive genetic data. The regulatory fine discussed in the episode is far lower than many listeners would expect given the sensitivity and scale.
But that’s not the point of the story. The point is what happened next: trust damage. The guests describe how market consequences can be more punishing than an authority’s fine. Customers reassess, confidence drops, and revenue can suffer. The real cost of a cyber incident is often paid in relationships, reputation, and future growth—not only in penalties.
For business leaders, that’s a critical insight: even if you think “we can survive the fine,” you may not survive the loss of trust.
What should leaders prioritize—technology, process, or people?
Anett asks a question every executive team wrestles with: where do we start? Rainer’s answer goes one layer deeper than most frameworks: start with values and commitment. Not as a motivational poster—but as a budget and governance reality. If leadership claims cyber matters yet funds nothing, the organization learns the truth instantly. You can’t “culture” your way out of underinvestment.
After commitment, Rainer points to people as the biggest risk surface, and then to the combined work of processes and technology. Tools on today’s market are powerful, and many providers can help—but without training and habits, even excellent tools can be bypassed through human error.
Henri reinforces this with the uncomfortable truth: the weakest link is often the person behind the keyboard. You can have professional services, expensive tooling, and strong legal support—yet one login typed into the wrong place can still trigger a breach. That doesn’t mean “people are the problem.” It means leaders must treat training, clear reporting channels, and practical controls as non-negotiable operational foundations.
A particularly useful tactic discussed is social reinforcement: “have a friend.” Rainer describes how scams succeed because people make decisions in isolation—especially when an email or call creates urgency. But when you say it out loud to someone else, you often hear the red flags yourself. Anett extends that into the organizational setting: create internal channels where employees can share suspicious messages and learn from each other quickly. That’s a simple cultural control that costs almost nothing and reduces risk immediately.
SMEs and scale-ups: don’t panic—prioritize
Smaller teams often hear “NIS2” and feel overwhelmed. This episode offers a calm, pragmatic response: you don’t need a perfect program on day one—you need prioritization and a plan.
Henri draws a parallel to past regulatory waves: companies with limited budget must focus first on what matters most—what regulators will actually look for, and what is practically critical in real incidents. His warning is important: if you just search online and read everything, you’ll drown. Instead, get guidance from someone who can help you sequence the work, avoid wasted spend, and build a defensible baseline quickly.
Rainer adds a great metaphor: the Swiss cheese principle. One slice has holes; a block has layers that cover each other’s gaps. In cybersecurity, you reduce risk by layering controls over time—starting with low-effort, high-impact steps and building toward maturity. Not every business needs “bank-level” security on day one, and buying the most expensive tools without a plan can be pure theater. The goal is practical protection aligned to your real business model and risk exposure.
Five-year view: stricter rules, or a more mature digital economy?
Looking forward, Henri predicts cyber regulation will likely keep evolving. The world changes fast, and external events (like the rapid digital shifts across Europe during the COVID era) accelerate the need for updated rules. But he also points out a reality many leaders miss: enforcement capacity is limited. Authorities may focus attention on higher-risk sectors and larger organizations. This means the “market” often becomes a regulator too—through trust, reputation, and customer decisions. You don’t implement resilience only because you fear an audit; you do it because an incident can reshape your business trajectory.
The mindset shift to take home
If you remember one line from this episode, make it Rainer’s: treat your data and systems like money. Companies protect cashflow because it keeps them alive. Digital assets—customer data, operational systems, supplier connections, internal communication—are just as business-critical. Leadership’s job is to protect the engine of the business, not only the quarterly result.
Listen and take action
This episode is for CEOs, board members, founders, and operators who want clarity without panic. You’ll walk away with a better mental model of what NIS2 changes, why leadership accountability is now central, and how to take practical steps—whether you’re a large enterprise or a small team trying to do the right things first.
Listen now, share this episode with your leadership team, and subscribe for more conversations that turn cybersecurity from “noise” into real-world business action.