Authors
Raymond Bierens, Abbas Shahim and Svetlana Khapova, Vrije Universiteit Amsterdam, Netherlands
Abstract
In 2024, the NIS2 Directive came into effect in Europe, introducing specific measures, reporting obligations and personal liabilities to mitigate risks of societal digital disruption. We conducted an inductive study and interviewed 29 CISOs and IT or C-level executives from large, NIS2-affected organizations in The Netherlands, and validated the outcomes with 300+ cybersecurity professionals through various workshops. Our study reveals interrelated tensions in organizational behavior driven by the regulatory changes. The directive stimulates more compliance behavior among organizations and their suppliers, which is reinforced by its accountability and liability clauses. However, our study confirms that considerable residual risks remain due to the dynamic nature of technology, the shifting of security risks up the supply chain, and dependencies on global technology companies. Government is perceived as challenged in its ability to govern, while being a critical factor in successfully transforming compliance behavior into digital security risk management that reduces residual risks.
Keywords
NIS2 Directive, Policy, Organizational Risk, Personal Risk, Liability, Technology, Information Security, Cyber Security, Digital Risk, Risk Management