In today’s interconnected world, the NIS 2 Directive sets out unambiguous obligations for executive management: it makes clear that ultimate accountability for an organisation’s cybersecurity cannot be outsourced to IT teams alone and must remain firmly with the board. Among other things, NIS 2 requires that board members undertake regular, targeted training so they acquire the necessary knowledge and skills to fulfil these duties.

Under the Directive, companies must embed cybersecurity as a core component of their overall business operations and risk-management framework. Although NIS 2 is an EU law and therefore does not directly apply in Switzerland, cybersecurity has become part of the general duty of care: Swiss boards too are expected to protect their organisations against cyber-risks, maintain up-to-date incident-response and business-continuity plans, and demonstrate active oversight at the highest level.
The BSI’s preliminary guideline on management training provides a practical starting point for designing and benchmarking a board-level cyber-security curriculum. Whether to meet EU requirements or to satisfy Swiss corporate-governance best practice, this recommendation can help boards gain a clear overview of the topics they must address and structure an effective training plan.
1) The Board’s Unavoidable Cybersecurity Responsibilities
· Cannot delegate ultimate accountability: executives remain legally responsible for implementing and overseeing risk-management measures.
· Must integrate cybersecurity into strategy and risk management, ensuring it informs corporate decisions at every level.
· In Switzerland, directors’ general duty of care now encompasses cyber-risk prevention, incident readiness, and robust oversight.
2) The BSI’s Three-Pillar Training Model
To meet the training mandate under NIS 2, the BSI recommends sessions that cover:
a) Risk Identification & Assessment: Understanding threat scenarios, likelihoods, and potential impacts at a strategic level.
b) Risk-Management Practices: Familiarity with the mandatory baseline measures from § 30 Abs. 2 BSIG-E and any additional controls the organisation has implemented or plans to implement.
c) Impact Evaluation: Assessing how risks and mitigation measures affect service availability, integrity, confidentiality, and business continuity.
3) Designing an Impactful Management Training Programme
· Who attends? All natural persons legally responsible for directing and representing the organisation, plus deputies in equivalent roles.
· Frequency & Duration: At least once every three years, with a minimum of four hours per cycle; adjusted for higher risk exposure or leadership changes.
· Providers: External cybersecurity trainers, specialised consultancies, or qualified internal experts; a blended model helps tailor general content to the organisation’s context.
· Core & Supplemental Curriculum
a) Core: NIS 2 overview, § 30 BSIG-E duties, personal liability, incident-reporting obligations, emergency-response plans.
b) Supplemental: Sector-specific threats, supply-chain security, secure procurement, tabletop exercises and case studies.
4) Embedding Cybersecurity into Governance
· Document training compliance: retain records of attendees, durations, and covered topics for internal audits and regulator reviews.
· Regular board reporting: include KPIs (e.g., detection time, response time, open vulnerabilities) and updates on cyber-risk posture.
· Continuous improvement: incorporate lessons from incidents, drills, and evolving threats to refine both training and the organisation’s overall cybersecurity framework.
5) Practical Next Steps for Boards
a) Benchmark existing governance and training against the BSI guideline.
b) Identify knowledge gaps and required skills in the boardroom.
c) Develop or commission tailored training aligned with the three-pillar model.
d) Institutionalise documentation, reporting, and periodic reviews to demonstrate due diligence.
Cybersecurity has transformed from a narrow IT topic into a core strategic responsibility for executive leadership. The BSI’s preliminary guideline on NIS 2 management training provides a clear framework for crafting C-level courses, but, as a framework rather than a complete training programme, it cannot by itself guarantee that boards satisfy their EU or Swiss governance obligations. Nevertheless, it serves as an excellent foundation for developing a tailored curriculum or agenda for senior-executive training.