Cybersecurity has firmly become a boardroom matter

A day at the European Resilience Summit, among Microsoft, Deloitte, Capgemini and the public sector - and everywhere the same signal: security belongs at the board table.

  • 24 June 2026

Some events are all about new technology. Others leave you with the feeling that a market is fundamentally changing. The European Resilience Summit was firmly the second kind.

Throughout the day I spoke with people from organisations such as Microsoft, Deloitte, Capgemini, Fujitsu and several public-sector bodies. The conversations ranged from AI to digital infrastructure and geopolitics, but one theme kept coming back: cybersecurity is no longer an IT issue. It has become a board responsibility.

The new reality of NIS2 and the Dutch Cybersecurity Act

Most organisations are aware of NIS2 by now. Yet in conversation after conversation, I noticed that its impact is still underestimated. The Dutch Cybersecurity Act, the national implementation of NIS2, moves responsibility firmly onto the board.

Before long, directors will not only have to approve measures. They will also have to show that they oversee how those measures are carried out, and that they know enough to make the right calls. That changes the playing field entirely. For years cybersecurity was mainly a topic for IT managers and security specialists; now it lands directly on the boardroom agenda.

Three questions every board member should be able to answer

One of the strongest takeaways of the day was surprisingly simple. Every organisation should be able to answer three questions today:

  1. Are we in scope? Are we an essential or important entity under the legislation?
  2. Can we demonstrate that we comply? Not just having policies, but actually producing evidence of monitoring, logging, access control and risk management.
  3. Who is accountable? Which director ultimately carries responsibility and can be held to account?

Tellingly, none of these are technical questions. They are governance questions.

Technology alone is not enough

What I heard in many conversations is that organisations often go looking for the one technical solution. But compliance does not start with technology. It starts with insight. You need to know your risks, which processes are critical and where your vulnerabilities sit. Only then does the question of which technology supports that policy come into play.

At the same time, organisations cannot wait until every policy document is finished. The adoption of AI, cloud and hybrid work is simply moving too fast. That is why, at Momentum EMEA, we see two movements happening at once:

  • From policy to technology.
  • From technology to policy.

You develop governance while putting in place the technical measures that reduce risk straight away.

From compliance to cyber resilience

Something else stood out: the most mature organisations barely talk about compliance anymore. They talk about resilience. Cyber resilience. For them, compliance is not the goal but a by-product.

These organisations invest in continuous monitoring, Zero Trust architectures, multi-factor authentication, supplier assessments, audit trails, and fast detection and response. Not because the law demands it, but because their business continuity depends on it.

Where Momentum EMEA fits in

In conversations I am regularly asked where the responsibility of a partner like Momentum begins and ends. That distinction matters. We help organisations with the technical side of their duty of care:

  • Network segmentation
  • Zero Trust Network Access (ZTNA)
  • Multi-factor authentication
  • Continuous monitoring and logging
  • Detection and response
  • Supplier and access security
  • Security and connectivity through a single integrated platform

What we do not do is take over the board's responsibility. Governance, risk policy, legal scoping and board accountability stay with the organisation itself. But we can help get the technical foundation demonstrably in order.

My main takeaway

Cybersecurity is moving from the server room to the boardroom. Not because technology matters less, but precisely because it matters more.

Organisations that invest today in insight, governance and technical resilience are building continuity for tomorrow. Because in the end, resilience is not about meeting a legal requirement. It is about whether your organisation can still operate safely tomorrow if something happens today. And that is a responsibility that now reaches everyone at the board table.

Frequently asked questions

What did the European Resilience Summit change about how we see cybersecurity?

The recurring theme was that cybersecurity is no longer an IT issue but a board responsibility. Under NIS2 and the Dutch Cybersecurity Act, directors must not only approve measures, but also demonstrably oversee them and have enough knowledge to make the right decisions.

Which three questions should every board member be able to answer?

1) Are we in scope - are we an essential or important entity? 2) Can we demonstrate compliance, with real evidence of monitoring, logging, access control and risk management? 3) Who ultimately carries the responsibility and can be held to account?

Where does Momentum EMEA help, and where not?

Momentum helps with the technical side of the duty of care: network segmentation, ZTNA, multi-factor authentication, monitoring, detection and response through a single integrated platform. Governance, risk policy and board accountability stay with the organisation itself.

From insight to resilience

Want to see how Momentum EMEA gets the technical foundation under your duty of care demonstrably in order - from ZTNA and segmentation to continuous monitoring and response? Book a call and we will show you what that looks like in practice.