NIS2 requires the management body to approve the cybersecurity risk-management measures taken to comply with the rules and to oversee their implementation. In short, management must take actual ownership of the organisation’s NIS2 compliance and cannot simply delegate it to the IT department.
How NIS2 Defines Management Responsibility
Under NIS2, the “management body” is the group ultimately responsible for overseeing cybersecurity within an organisation. Who this is depends on the type of organisation:
In private companies the management body is typically the board of directors if the company has one, or the executive management if the company only has a management team. In companies with both a management team and a supervisory board, the management team is considered the management body. For businesses that do not have either a board or executive management, the management body is whichever governing body has the same authority as a board or executive team.
In public authorities the management body is the top-level administrative leadership, such as a director-general, senior management team, or department heads.
In other words, the definition adapts to the governance structure of the organisation, but in every case it refers to the group at the top with ultimate decision-making authority.
Delegation of Tasks
Many organisations create dedicated committees or working groups for cybersecurity or information security. These groups may prepare and oversee aspects of cybersecurity management, but the management body as a whole still carries the overall responsibility. Tasks can be delegated, but accountability cannot. Management must therefore monitor and ensure that delegated tasks are carried out properly.
Management’s Responsibility for Cybersecurity
The management body is responsible for steering cybersecurity risks in the same way as it handles financial or operational risks. It must approve the technical, organisational, and operational measures that protect the organisation’s networks and information systems. This includes deciding what constitutes an adequate level of security in light of the organisation’s risk exposure and the importance of the services it provides.
Management decisions set the direction at a strategic level: for example, which measures to prioritise, what resources to allocate, and when protection is considered sufficient.
Oversight
Management approval of security measures is only the beginning. Management must also follow up to ensure that these measures are implemented and effective against the identified risks. Management oversight can take several forms, such as:
- periodic management reports covering objectives, action plans, and progress,
- status updates on incidents, vulnerabilities, and response times,
- internal audit processes that report directly to management,
- external audits of NIS2 requirements with findings reported to management.
The key is that management receives clear, regular information and uses it to decide whether adjustments or new actions are needed.