NIS2 | Who Owns Cyber Risk? 

The EU's NIS2 Directive raises the stakes for cybersecurity across critical sectors. But as organisations work to interpret and apply the directive, one issue stands out: confusion about who is responsible for what. Too often, cybersecurity is still treated as an IT-only problem, leaving serious gaps in accountability, governance, and risk oversight.

This article explores the root causes of that confusion and outlines how to build a clear, shared cybersecurity governance model that meets NIS2’s expectations and strengthens resilience.

Cybersecurity is Not Just IT’s Problem Anymore 

The NIS2 Directive makes one thing clear: cybersecurity is no longer just a technical issue; it is a business risk. That means it is not just the CISO’s responsibility. Instead, accountability needs to extend across executive leadership, legal teams, compliance, and the board. Adapting will require significant work for many organisations, as it challenges established governance structures and company cultures.

The Mistake: Leaving Cybersecurity Out of Strategic Decisions

Many organisations fall into the same trap: cybersecurity is viewed as a purely technical concern and left out of bigger business conversations. The board assumes IT is “handling it,” while IT expects leadership to set the direction.

The result? No one takes full ownership. 

These are the common pitfalls:

It is still seen as an IT problem: Cybersecurity often remains confined to IT, rather than being addressed as an enterprise risk that requires leadership and cross-functional alignment. 

Vague job descriptions and legacy structures: When responsibilities are not clearly defined, tasks fall between teams or are duplicated unnecessarily. Over time, informal arrangements and legacy roles become entrenched in the organisational structure, causing cultural push-back against needed change.

Legal and compliance teams are brought in too late: Bringing in legal and compliance teams after decisions are made creates regulatory gaps, especially around reporting and liability. 

Lack of integration with enterprise risk: When cyber threats are not part of the broader risk management conversation, they are often under-prioritised and underfunded. 

The CISO becomes a bottleneck: CISOs are frequently expected to handle both strategic and operational responsibilities without enough authority or support. This is neither sustainable nor effective. 

Why It Happens: Cybersecurity Began in the IT Department

In many companies, cybersecurity grew out of IT and stayed there. As threats and regulations evolved, the governance model did not follow suit. Today, departments often hesitate to take on cyber responsibilities, assuming it is someone else’s job. 

This creates a series of issues. Unclear accountability means tasks and critical actions fall through the cracks, incident response is slow, and decisions are delayed or made without a security lens. Because cybersecurity is not seen as a shared business priority, governance tends to be underfunded and the organisation over-relies on the CISO, who is expected to handle everything from strategy to incident response.

Last but not least, this is now also a regulatory risk. NIS2 requires proof of structured cybersecurity governance and board-level involvement.  

NIS2 underlines what we already know 

The directive does not just ask for checkboxes; it demands evidence of real, active risk management. While it sets out clear obligations for organisations and their leadership, it leaves the “how” up to you.
 
That means each company must define a governance model that works. Every control needs a named owner. Everyone, from HR to Finance to the Board, must understand their role. 
 
Put simply: Cybersecurity is a team sport. 
 
By writing these expectations into law, NIS2 simply formalises a best practice we have long advocated for when helping clients build robust cybersecurity programs. 

How to Get it Right: Close the Gap

Here is how to turn NIS2’s requirements into a workable, organisation-wide model.

Start by:

Define and document roles 
Make sure leadership understands their legal obligations under NIS2, especially around oversight and reporting. One practical approach is a RACI matrix (Responsible, Accountable, Consulted, Informed) that maps each control to the person who owns it, the person accountable for it, and who must be consulted or informed.

Engage Business and system owners
Work closely with business owners and system owners to ensure they understand their role in managing cybersecurity risks. These stakeholders often oversee critical processes and data, and their involvement is essential to building a resilient, organisation-wide security posture. Cyber risk cannot be managed effectively without their active participation.

Involve legal and compliance early 
Cybersecurity has major legal implications under NIS2, especially around incident reporting and executive liability. Make sure these voices are present from the beginning, not brought in after the fact.
 
Build a cross-functional governance model 
Create a standing forum with representatives from IT, Legal, Compliance, Finance, Operations, and key business units. This breaks down silos, aligns goals, and ensures that security decisions reflect both technical realities and business priorities. 
 
Integrate cyber risk into Enterprise Risk Management (ERM) 
Cyber should sit alongside financial, operational, and strategic risks. When it is part of broader risk discussions, it gets the attention and funding it deserves. 
 
Empower the CISO – but do not isolate them 
The CISO needs authority, budget, and visibility. But they should not carry the load alone. Business leaders across functions must take ownership of their slice of cybersecurity risk. 

Next Step: Make Cybersecurity Business as Usual

NIS2 pushes cybersecurity into the boardroom, but it also demands action across the entire enterprise. Now is the time to map out your governance structure, assign clear ownership, and make sure every department understands its role. 
 
Cybersecurity does not belong in a silo. When every function understands how it fits into the bigger picture, response times improve, blind spots close, and security becomes part of your company’s DNA, not an afterthought. 

Schedule your session today and take a proactive step toward NIS2 compliance.

Victor Rheborg

Manager, Cyber & Digital Risk

Wera Winquist

Associate, Cyber & Digital Risk

Managing NIS2 from the Top

We help organisations meet the requirements of the NIS2 Directive – from gap analyses and risk assessments to incident response management and executive advisory. With deep expertise in cybersecurity and regulatory compliance, we deliver tailored solutions aligned with the EU-wide NIS2 Directive and its national implementations across Member States.
