Governance & Law · January 2025 · 6 min.

Supervisory Board Duties in Cybersecurity: What Must Really Be Documented

NIS2 and DORA dramatically increase the requirements placed on supervisory boards. This article sets out which documentation obligations exist and how liability risks can be structurally reduced.

The Supervisory Board in Regulatory Focus

Cybersecurity is no longer just a topic for the IT department or CISO. With NIS2, DORA, and the EU Commission's increasing focus on corporate governance in cybersecurity regulation, the supervisory board is coming under greater scrutiny. The central question: what must the supervisory board know, decide, and document to fulfill its duty of care?

What Supervisory Boards Must Know (and Often Don't)

The minimum requirement is clear: the supervisory board must know and understand the company's key cyber risks – not in technical detail, but in their business relevance. This means:

  • What are the three biggest external cyber threats to the company?
  • What is the estimated financial damage potential of a serious cyber incident?
  • Which regulatory requirements (NIS2, DORA, sector-specific) are relevant and in what implementation status?
  • How is the supply chain positioned from a cybersecurity perspective?

This information must be presented to the supervisory board in understandable form regularly – at least annually, more frequently with significant changes.

What Must Be Documented

From a liability perspective, documentation is decisive. What should be logged and archived?

In supervisory board meetings:

  • Regular reporting on the cyber risk situation (at least annually)
  • Resolutions on significant security investments
  • Acknowledgment of significant security incidents or risks
  • Reports on regulatory compliance status (NIS2, DORA)

In general corporate governance:

  • Documentation of the risk management framework for cyber risks
  • Evidence of external risk review (supply chain, external threat monitoring)
  • Records of emergency exercises and incident response tests
  • Reports on conducted technical security reviews

How External Risk Documentation Improves the Liability Situation

A supervisory board that can demonstrate that it regularly procured external risk assessments, reviewed the documented recommendations, and approved corresponding measures is in a significantly better position in a liability case than one that relied on internal reports without independent validation.

Note: This article provides general guidance. For specific compliance requirements, we recommend specialized legal advice.
