Cybersecurity Moves to the Boardroom: Are Firms Ready for NIS2?

MSI’s Netherlands accounting firm member Schuiteman explores how the EU’s NIS2 Directive is elevating cybersecurity to a governance issue, with new responsibilities and risks for boards and advisers.

Across Europe, the regulatory landscape for cybersecurity is changing in ways that directly affect how professional services firms advise clients — and how they manage their own risk. For accounting and legal firms, the question is no longer whether to engage with cybersecurity, but how to lead on it. At Schuiteman Accountants and Adviseurs, we see these shifts reflected directly in client engagements, where boards are increasingly asking not just about compliance deadlines, but about what genuine cyber resilience looks like in practice.

The EU’s NIS2 Directive is the most significant expansion of cybersecurity law in a decade. Where its predecessor applied narrowly to critical national infrastructure, NIS2 casts a far wider net — drawing in mid-sized businesses across energy, transport, healthcare, financial services, food supply, and digital infrastructure. Crucially, it extends liability into the supply chain: anyone serving a regulated business will face pressure to demonstrate compliance too, regardless of their own size.

Directors in the frame

The most consequential shift NIS2 introduces is personal liability at board level. Directors are now responsible for their organisation’s cybersecurity posture — with obligations including mandatory 24-hour incident reporting, documented risk management policies, and demonstrable oversight of third parties. This is not an IT compliance matter. It sits alongside financial and operational risk as a fiduciary responsibility.

Treating NIS2’s enforcement date as the starting line is a critical error. The risks already exist. Boards that wait will find themselves behind — on readiness, documentation, and the expectations of clients, insurers, and regulators. Most EU member states have either completed or are finalising national transposition. NIS2 questionnaires are already arriving in supply chains.

What good looks like in practice
Schuiteman Accountants & Adviseurs, working with cybersecurity specialist Lupasafe, has been navigating this territory with clients ahead of the Dutch NIS2 implementation. The approach centres on giving boards something most currently lack: a clear, honest picture of where they stand.

Through Lupasafe’s continuous monitoring and automated reporting, Schuiteman presents clients with real-time visibility across people, technology, and processes — in business language, not technical jargon. Phishing exposure, third-party supplier risk, incident readiness: all rendered in terms a director can act on. The result is confidence where there was previously either complacency or anxiety — with audit-ready records that demonstrate the board took its responsibilities seriously.

In practice: Total Packaging, a mid-sized manufacturer certified for food handling and serving other industries as well, uses Lupasafe’s continuous security and awareness software and saved three weeks on compliance work — time previously spent on manual data collection and board reporting. Within two months, directors had a live dashboard they could present directly to insurers and clients during due diligence reviews.

What this means for advisers
For accountants and professional advisers, NIS2 creates a timely entry point into the governance conversation. Clients who trust their accountant to navigate financial risk are increasingly open to that relationship extending to cyber risk — particularly when the regulatory framing makes it a board-level matter rather than a technical one. The firms best placed to lead on this are those that have done the work themselves. The client conversation changes when you can show, not just tell.

Ready to take responsibility for NIS2?
Speak to Schuiteman about how we can help your firm and your clients get ahead of NIS2 — with clear, board-ready reporting that turns cyber risk into a managed conversation, not an open liability.