
Cyber is not an IT cost.
It's governance.

Since 2024, NIS2 attributes personal liability to directors for inadequate cyber posture. Insurance policies require technical evidence to pay. The question is no longer whether we will deal with it — it's how and when.

€10M · NIS2 max sanction
2% · Turnover · essential entities
72h · Mandatory CSIRT notification
Board reports per year
§ 01 · 10 questions to the CISO

The questions the Board should already be asking.

If the CISO has no concrete answers to these questions, the problem isn't the CISO: it's the information exposure of the Board. We support companies in building a technical-strategic dialogue in risk language.

01

Who is attacking us right now?

Not who could attack us. Who is trying, now, on real systems.

02

How long would a ransomware shutdown last?

In production hours, in revenue, in lost customers. Numbers, not feelings.

03

Are we in NIS2 scope? Essential or important?

NIS2 attributes personal liability to directors. Do you know where you fall?

04

Would our backups really hold?

When was the last full restore tested? Not simulated — executed.

05

Do we have a cyber policy? What does it really cover?

Policies signed before 2024 often exclude ransomware or require minimum posture not guaranteed today.

06

Who answers if it happens at 3 a.m.?

Phone number, person, language, time zone. Specific.

07

How much do we invest in cyber compared to the sector?

Sector median: 2-4% of IT budget for banking/finance, 1-2% for manufacturing. You?

08

Are our critical suppliers defended?

Supply chain is the leading modern attack surface. NIS2 mandates supervising it.

09

What changed since the last cyber board meeting?

Threat landscape, regulation, internal posture. If the answer is 'nothing', monitoring is inactive.

10

What would we tell the press tomorrow?

Crisis communication prepared before, not improvised during the incident.

Want a printable worksheet? We'll send it via email →

§ 02 · Comparison

In-house SOC vs external MDR.

Qualitative comparison on a mid-market company (200-500 endpoints, 1-2 sites). An in-house SOC requires personnel, technology stack, intel, detection engineering, continuity, training. The Fortgale MDR model aggregates everything in a managed service, with a significantly lower relative investment.

Component | In-house SOC | Fortgale MDR
Senior SOC personnel · 24/7 | Full-time dedicated resources | Included · no HR
EDR · SIEM · TIP stack | To buy and run | Included · multi-vendor
Threat intel feeds / subscriptions | Additional subscriptions | Included · proprietary CTI
Detection engineering | Internal team or consultancy | Included · peer-reviewed rules
Tabletops, training, certifications | Separate budget | Included (Silver+)
Continuity · holidays · turnover | 30% unforeseen | Mitigated · rotating team
Time-to-value | 12-18 months | 30 days
Relative investment | €€€€€ | €€

The €€€€€ : €€ ratio represents the average relative investment observed on the European mid-market. Want a comparison on your specific case? Talk to our analysts.

§ 03 · NIS2 accountability

Economic and personal sanctions.

NIS2 transposition across EU member states introduces significant sanctions for the company and for directors at individual level. Unlike GDPR, here there is also suspension of duties.

Subject / violation | Amount | Note
Essential entities | up to €10M or 2% of global turnover | The greater of the two values applies
Important entities | up to €7M or 1.4% of global turnover | The greater of the two values applies
Directors | personal liability | Suspension of duties in case of serious repeated violations
Missed CSIRT notification | additional sanctions | Up to €1M extra for omission/delay in notification

Personal exposure of directors. NIS2 obliges management to know and approve cyber measures. The "I didn't know" formula is no defence. Standard D&O coverage doesn't always respond on omissions in cyber matters.
§ 04 · Insurability

The policy pays only if.

Cyber policies in 2025-2026 have technical posture conditions for underwriting and claim payment. If the posture is inadequate, the risk is double: suffering the attack and not being indemnified.

Pre-condition

Mandatory MFA

Without MFA on privileged access, most underwriters won't sign. Baseline 2026 posture.

Pre-condition

Immutable backup + DR test

Offline/immutable backups tested within the year. Without them, ransomware is excluded in new policies.

Pre-condition

EDR/MDR on endpoints

Endpoints with modern detection · 24/7 monitoring. No vendor whitelist: what counts is the coverage, not the logo.

Premium discount

Documented annual tabletop

Top-tier policies discount 5-15% if a documented annual IR exercise with report exists.

Premium discount

Vendor risk management

Structured process for evaluating critical suppliers (NIS2 art. 23). Reduces the premium.

We work with your company's brokers to certify the posture and reduce the premium. Tell us about your policy.

§ 05 · What has changed

The four precedents redefining liability.

Between 2022 and 2026, four international decisions have shifted the cyber liability bar from the technical team to the board. Knowing them is no longer optional: Italian and European supervisors now cite them as the expected standard of diligence.

Oct 2022
USA · Federal Court · Northern District of California

Joe Sullivan / Uber case

Uber's former CSO was convicted for concealing a breach from federal authorities. The first global precedent of individual criminal liability of a cyber executive — not just civil. Cited by ENISA as a warning to European CISOs after NIS2 entered into force.

Oct 2023
USA · SEC · Securities Enforcement

SEC vs SolarWinds & CISO

For the first time, the SEC charged the CISO (Tim Brown) directly for misleading statements to investors on pre-breach cyber posture. The case is still open but has already changed pre-listing cyber due diligence for all EU dual-listed companies.

Jan 2025
EU · NIS2 art. 20 · Italian implementation D.Lgs. 138/2024 art. 23

Accountability of management bodies

NIS2 (transposed in Italy via D.Lgs. 138/2024) explicitly obliges management bodies to "approve cyber risk management measures" and to "supervise implementation". Not delegable to the CISO: legal liability remains with the board and includes suspension of duties in case of serious repeated violations.

Jan 2025
EU · DORA Regulation 2022/2554 art. 5

DORA · ICT governance

For banks, insurers and critical ICT service providers, DORA art. 5 places ultimate responsibility for the ICT risk management framework on the management body. Sanctions: up to 1% of average daily turnover per day of infringement (potential annual: 365% of daily turnover). Supervision by national central banks, insurance and securities regulators.

§ 06 · Board-ready reporting

What belongs in a cyber report to the board.

A quarterly cyber report for the board must answer five questions in risk language, not technology. Below is the template Fortgale provides to Advisory clients — adaptable to your internal dashboard or SOC reporting.

01

Risk register · top 5

The five most impactful risk scenarios with likelihood × impact compared to the previous quarter. Direction (worsened/improved/stable), owner, mitigation in progress. One page, five rows. No 5×5 matrix on the board screen.

02

Posture KPIs · trend

MTTR, MTTD, MFA coverage, % patching SLA, % endpoints under EDR. Only metrics with board-approved targets and comparison to sector benchmarks (Clusit, ENISA). Numbers, not unscaled traffic lights.

03

Quarterly incidents

Count, severity, detection and containment time, operational impact. For each high/critical incident: lessons learned + corrective action closed or planned. Zero incidents must also be reported — it's a data point, not a non-event.

04

Compliance status

NIS2, DORA, GDPR, ISO 27001, national perimeter regimes (where applicable). Open items with deadline, owner, residual exposure if not closed. Any audits/inspections in progress and response status. What would the board sign today?

05

Investments · Q+1 quarter

Planned cyber CapEx/OpEx, concise business case (risk reduced · cost · ROI), any new threats from threat intelligence that justify extraordinary investment. Decision requested from the board, with options and recommendation.

+

Annex · threat briefing

Profile of the 3 most likely actors against the company's sector in the quarter, with observed TTPs and existing detection coverage. Keeps the board aware of the adversary, not only of the controls. Optional technical sheet for those who want to go deeper.
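The risk register and posture KPI sections above describe a small, repeatable computation: score each scenario as likelihood × impact, compare it with last quarter to get a direction, keep the top five, and mark each KPI against its board-approved target and a sector benchmark. The following is an added example, not Fortgale's template or tooling; the register rows, targets and benchmark values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Risk:
    scenario: str
    owner: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    prev_score: Optional[int]  # last quarter's likelihood x impact; None if newly added
    def score(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.scenario}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact
    def direction(self) -> str:  # the quarter-over-quarter column the board reads first
        if self.prev_score is None:
            return "new"
        s = self.score()
        return "worsened" if s > self.prev_score else "improved" if s < self.prev_score else "stable"

@dataclass(frozen=True)
class Kpi:
    name: str
    value: float
    target: float           # board-approved target
    benchmark: float        # sector benchmark (constructed here, not Clusit/ENISA figures)
    higher_is_better: bool  # coverage goes up, MTTD/MTTR go down
    def status(self) -> str:
        def better(a, b):
            return a >= b if self.higher_is_better else a <= b
        return ("on target" if better(self.value, self.target) else "OFF target") + \
               (", ahead of sector" if better(self.value, self.benchmark) else ", behind sector")

def top_risks(register, n=5):
    # Top n by current score; on ties the worsening scenario is listed first
    order = {"worsened": 0, "new": 1, "stable": 2, "improved": 3}
    return sorted(register, key=lambda r: (-r.score(), order[r.direction()]))[:n]

def board_page(register, kpis):
    # One plain-text row per risk and per KPI: the "one page, five rows" the page asks for
    rows = [f"{r.scenario}: {r.score()} ({r.direction()}) owner {r.owner}" for r in top_risks(register)]
    return rows + [f"{k.name}: {k.value} vs target {k.target}: {k.status()}" for k in kpis]

# Constructed sample register and KPIs (illustrative values only)
REGISTER = [
    Risk("Ransomware on ERP", "COO", 4, 5, 16),
    Risk("Supplier compromise", "CPO", 3, 4, 12),
    Risk("Cloud credential theft", "CIO", 3, 3, 12),
    Risk("Insider data exfiltration", "CISO", 2, 4, 8),
    Risk("DDoS on e-commerce", "CIO", 2, 2, None),
    Risk("Lost unencrypted laptop", "CIO", 3, 1, 3),
]
KPIS = [Kpi("MFA coverage %", 92.0, 100.0, 85.0, True), Kpi("MTTD hours", 20.0, 24.0, 48.0, False)]
```

Calling `board_page(REGISTER, KPIS)` yields five risk rows (the sixth, lowest-scored scenario drops off) followed by one row per KPI.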

Want us to prepare the first board report on your company's current posture? Request it here. You'll receive it before the next board meeting.

For a Board briefing

A 45-minute briefing for your Board.

Risk language, not technology. Risk register, posture, sanctions, coverage. Ready to present.

Response time: < 1 business day.