Liability and due care, demonstrable
What demonstrable board-level conduct under NIS2 and DORA requires in practice
Demonstrating careful board-level conduct under NIS2 and DORA is not a document and not an insurance policy. It is the combination of four things that have to fit together: a traceable decision trail from risk to measure with names attached, a control mechanism that demonstrably works across the measured period, an organisation mature enough to carry that cadence itself, and a stable translation of that operation to the board. Missing one of the four means the file does not hold. Four together, in a repeatable cadence, form what a regulator or a shareholder will later want to see when they ask whether the board acted with due care.
For you as CFO, this is not a paper matter. Under NIS2 Article 20, the management body itself approves the cybersecurity measures and oversees their implementation; under NIS2 Article 32, a regulator can enforce this; and under DORA, responsibility for the ICT risk management framework is assigned to the management body and cannot be delegated. The duty of care under Book 2 of the Dutch Civil Code provides the civil-law route that runs on top of this. What these three frameworks have in common: a regulator or a judge does not look at whether a report exists, they look at whether the board weighed, decided, followed up and adjusted. That is a cadence, not an archive.
What demonstrability means precisely here
Demonstrability in this context means that a third party, without you present, can reconstruct from your own records what the board knew, when it knew it, which assessment it made, and what it decided afterwards. Not from a single document, but from a chain.
The four carriers sit in four different places in the organisation, and each has to be visible in its own place.
Traceable decision trail. From risk to measure to decision to implementation owner, with a date and a signature. Not a GRC tab with green ticks, but a line where each segment can be traced back to a set of minutes. An approval without supporting reasoning in the same meeting is not an approval; it is a signature under a document the board cannot recount.
Working control mechanism. The measure does what it is meant to do across the measured period. Not designed to work, but observably working, with evidence an independent party can verify. A measure that exists only on paper counts formally in the risk analysis and counts for nothing in demonstrability.
Mature organisation. The measure runs without a single person propping it up, with transferable procedures, with capacity that does not depend on incidental availability, and with a succession line if that person leaves tomorrow. A strong individual in a weak organisation does not produce demonstrability; it produces a vulnerability that becomes visible at the wrong moment.
Stable board translation. What the control mechanism produces returns to the boardroom in a fixed form and on a fixed cadence, in units the board can decide on. No shifting dashboards, no different indicators every quarter, but a reporting line that can be compared with itself over two years.
The four carriers together form demonstrability. The four carriers separately form an illusion of it.
Why a document does not carry demonstrability
In many organisations, demonstrability is implicitly delegated to the document: the policy, the assessment report, the GRC system, the NIS2 self-declaration. That is understandable and, in practice, insufficient. A document describes a moment, a guideline, an intention. A regulator under NIS2 or a judge under Book 2 of the Dutch Civil Code looks at what the board did with that document, not at whether the document exists.
In its governance publications, the NCSC consistently points out that the weak spot in most organisations is not the existence of policy, but the chain that has to carry it: from adoption to implementation, from implementation to measurement, from measurement to revision. An organisation can have excellent policy, mediocre implementation, absent measurement, and a revision that therefore has nothing to revise. Complete on paper, absent in operation.
A second reason the document does not carry demonstrability is practical. A document ages in silence. A cadence becomes visibly disrupted. The difference is exactly what the regulator is looking for: an organisation that notices its measure no longer works can report and adjust. An organisation that knows only documents notices only at an audit. The cadence is therefore not only the evidence, it is also the observation.
Where the work sits, then
The work sits in four places, and it is worth keeping them apart, because they call for different people, different capabilities and different cadences.
The work in decision-making. Here cybersecurity does not belong in a footnote but in an agenda item with a decision. The CISO prepares, the board weighs, the minutes record what was weighed and what was decided. An agenda item without a decision cannot be found in the minutes, and what is not in the minutes formally did not take place. Under NIS2 Article 20 this is not optional: the directive names the management body as the party that approves the risk management measures, not the CISO or the CIO.
The work in implementation. Here lies the difference between a measure that has been conceived and a measure that runs. The implementation owner has a mandate, capacity and a reporting line upward that is not interrupted by a single person. Under DORA this is stated more specifically in the requirements for the ICT risk management framework: the management body approves the framework, oversees its implementation, and keeps itself demonstrably trained in it. Oversight of implementation is therefore a board-level responsibility, even though the implementation itself is operational work, and the board has to be able to show that it exercised that oversight.
The work in measurement. Here the independent baseline measurement comes in: the audit, the penetration test, the external assessment against a standard. The work is not the measurement itself; the work is the decision about what is measured, on what cadence, at what depth. Whoever runs the same audit every year simply because that is how it has always been done misses the board-level side of it. Measurement follows the risk assessment, not the other way around.
The work in board training. NIS2 Article 20 explicitly requires members of the management body to follow regular training so they can identify risks themselves and assess the organisation's risk management practices, which in practice means weighing the quality of the CISO's advice rather than taking it on trust. A board member who receives a SOC report and does not know which question goes with it does not fulfil this point. The directive ties the training to the knowledge and skills the board needs for that assessment, not to a general briefing once a year.
What a demonstrable cadence looks like at board level
A cadence is not a frequency. A cadence is a sequence of actions that repeats and that is recorded somewhere legibly. For cybersecurity at board level, it usually looks like this, regardless of sector.
Half-yearly weighing of the risk picture. The board receives an updated picture of the three to five scenarios that hit the organisation hardest, in a unit it can decide on. The picture has a lower bound and an upper bound, and it points to what has changed since the previous weighing.
Annual approval of the measures package. The board formally approves the coherent package with a decision attached, not merely a note. The approval refers to the risk picture beneath it, and the implementation owners are named per measure.
Two independent measurements per year. An external assessment against a standard, and a second measurement on another topic that emerges from the risk assessment as a priority. The outcomes go back to the board in a form it can read without translation beforehand.
Continuous adjustment in implementation. The CISO has the mandate and cadence to adjust within the approved package, and reports deviations on time. Board-level escalation follows a fixed path that is not invented in the moment.
Annual board training. A session that goes beyond a generic update, focused on the scenarios that affect the organisation, with the questions the board should ask about them.
This cadence is not heavy. It is recognisable to any board that also takes financial and operational risks seriously. What makes the difference is the discipline to keep it in a year when nothing happens, because that is precisely the year in which demonstrability is built.
What this means for your position as CFO
The CFO who takes part in board decisions on cybersecurity faces two conflicting temptations. The first is to stand outside it because it looks technical. The second is to step in at the wrong level and redo the CISO's work. Both produce a weaker board-level file than stopping at the right level.
The right level for you is the chain itself. Not the technology in it, not the tooling beneath it, but the question of whether the four carriers stand and are connected to each other. Whether a traceable decision trail runs on which your name also appears somewhere. Whether the control mechanism demonstrably works across the measured period or whether the measurement is missing. Whether the organisation carries the operation itself or whether one person props it up. Whether the board translation is stable or whether the units shift every quarter.
You can ask those four questions without learning a technical language. They are board-level questions. And they are exactly the questions a regulator under NIS2 or DORA will ask, and that a judge will use as an assessment framework under Book 2 of the Dutch Civil Code if it ever comes to that. Whoever brings them into the boardroom before a regulator asks them builds the file they will need later. Whoever waits until an occasion arises builds that file under pressure, and a file built under pressure looks like it.
Demonstrability does not come from a document. It comes from a cadence that can be shown. The document is the exhibit, not the act. The act is the cadence, the weighing, the decision, the measurement, the adjustment. Whoever has that cadence can explain at the right moment what the board knew, when it knew it, and what it did with it. That is what careful board-level conduct means in this regulation. Nothing more, and nothing less.