Towards Unified Accountability: How NIS2 will make Cybersecurity Top Management’s Business in Europe

Since the turn of the year, we at Nixu have been sharing information and insights about the key obligations under the NIS2 cybersecurity directive. Compliance with such obligations requires an effective security management system and sufficient incident detection and response capabilities. What we have not yet touched upon in greater detail is the glue that ties those cybersecurity measures with business goals and strategy – governance.

Cybersecurity governance is about directing and controlling cybersecurity activities. It ensures that cybersecurity is aligned with the goals of the business. On the one hand, a functioning governance model provides top management with the information they need to make decisions and also holds them accountable for such decisions. On the other hand, it enables cybersecurity risk management decisions to be taken at appropriate levels in your organization.

NIS2 requirements on governance are very much about defining the responsibilities of management bodies.

• Firstly, management bodies are required to approve the cybersecurity risk management measures that entities must implement under NIS2.
• Secondly, management bodies are required to oversee the implementation of said measures.
• Thirdly, management bodies are to be held liable for infringements of NIS2 provisions on cybersecurity risk management.
• Finally, NIS2 aims to increase top management awareness of cybersecurity by explicitly requiring members of management bodies to regularly follow training on cybersecurity risk management.

In this article, we will elaborate on these NIS2 governance requirements.

Management Responsible for Approving Cybersecurity Risk Management Measures

NIS2 aims to make cybersecurity an executive management and board issue. Until now, boards have been known to accept short-term information security policies, but otherwise, cybersecurity has been the responsibility of an often-under-resourced CISO, CIO, or CFO.

NIS2 aims to change this approach by making management bodies responsible and also accountable for cybersecurity. The management body will be expected to define the entity’s strategy and risk appetite for cybersecurity which others can then effectively manage and operate. Such decisions should not be isolated from overall risk management decisions but be incorporated into your organization’s general risk management framework.

Effective governance will require identifying management structures and internal stakeholders and defining clear roles and responsibilities for cybersecurity. Management bodies will need to define an approach to decision-making that is neither too rigid nor too loose. A range of cybersecurity decisions should be possible at operative and tactical levels, whereas business-critical strategic decisions ought to be escalated to executive management and even the board. Most importantly, this governance model must also work in practice.

Management Bodies Expected to Oversee Implementation of Cybersecurity Risk Management Measures

Management body oversight requires regular and meaningful reporting by those responsible for operating cybersecurity risk management functions. The management body should be kept informed about security-related performance, such as notable incidents, important developments, and changes in the organization’s cybersecurity landscape. Such reporting will enable the management body to identify opportunities for continual improvement and make informed decisions about security objectives aligned with the company’s strategic direction.

Sometimes, effective governance may require commissioning independent reviews or audits of your level of cybersecurity.

Implementing an effective information security management system (ISMS) will help management ensure that the organization is doing the right things. For example, an ISO27001-based information security management system integrates into an organization's processes and existing management structure. It will create a structure that embeds confidentiality, integrity, and availability into the different areas of cybersecurity that NIS2 requires you to maintain. Read our blog post on information security management systems to learn more. 

Sometimes, effective governance may require commissioning independent reviews or audits of your level of cybersecurity.
 

Management Bodies to Be Held Liable for Infringements

Management bodies are eventually responsible for what happens in your organization. NIS2 contains a range of different supervisory and enforcement powers, including an explicit obligation to hold members of management bodies personally responsible for breaches of their duties to ensure compliance with NIS2 obligations. In certain situations, members of management bodies could be temporarily discharged from their managerial responsibilities. Such enforcement powers need to be implemented and further specified in national law.

Steps to Take

We encourage all organizations affected by NIS2 to start evaluating their level of cybersecurity and reviewing their governance models.

• Have you identified the teams you need to make cybersecurity work?
• Have you defined clear roles and responsibilities for cybersecurity?
• How do those roles work in practice?
• Do you already have an information security management system?

Having a clear and effective governance model in place will not only help you towards NIS2 compliance but, if properly implemented, it will definitely enhance your entire organization’s cybersecurity awareness. And eventually, it will enhance your stakeholders’ trust in your capabilities to manage cybersecurity.
 

If preparations related to NIS2 are topical to your organization, we will gladly advise you on the matter. You can find information on our services here and contact us by using the contact form here.

Read more of Nixu's insights on the effects of NIS2 from our blog series at nixu.com. The articles can be found below.