For many CEOs and executives, one assumption has long seemed obvious: NIS2 and the implementation of related measures fall entirely within the responsibility of the IT department. It is standard practice for IT teams to handle the maintenance of hardware and software. However, NIS2 fundamentally changes this understanding. IT security is no longer just a technical issue—it becomes a leadership responsibility.
A common statement from management is: “That’s what I have my people for.” While this may sound reasonable at first, it is insufficient from a NIS2 perspective. Tasks can certainly be delegated, but responsibility cannot. The management team remains accountable for ensuring that appropriate security measures are not only in place but also properly implemented and effective when it matters. NIS2 therefore requires a clear shift in mindset: leadership must understand what is happening within the organization and how it is being executed.
As a result, cybersecurity becomes an integral part of corporate governance, comparable to finance or compliance. IT security risks must be understood, assessed, and actively managed. Decisions can no longer be made purely on an operational level—they must also be transparent, justifiable, and visible at the management level.
A typical example from practice is the onboarding and offboarding process for employees. In theory, this process is straightforward: IT creates user accounts when employees join and deletes them when they leave. In reality, however, deviations are common. An employee leaves the company, the information is not communicated in time, and the user account remains active. As a result, former employees may still have access to internal systems and sensitive data. These situations rarely occur due to negligence, but rather because of missing or insufficiently controlled processes.
This is precisely where the role of management becomes critical. It is not the responsibility of executives to manage user accounts themselves, but to ensure that clear, effective, and verifiable processes are in place. This includes defining responsibilities between HR and IT, documenting procedures, and regularly verifying that they are followed. Equally important is the ability to provide evidence of these controls, particularly in the context of audits or liability concerns.
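The offboarding gap described above can be made verifiable with a periodic reconciliation of the HR roster against the identity directory: any account that is still enabled although its owner has left, or that has no HR owner at all, is an exception, and each run produces a record that can be filed as evidence. The following is an added example, not code from the original article; the HR and directory data are constructed, and the field names (`employee_id`, `status`, `last_day`, `enabled`) are assumptions about what an export would contain.

```python
import json
from dataclasses import dataclass, asdict
from datetime import date
from typing import List, Optional

# Constructed sample data (not from any real system): an HR roster export and an
# identity-directory export, as the list of dicts a CSV or LDAP export would yield.
HR_ROSTER = [
    {"employee_id": "E001", "status": "active", "last_day": None},
    {"employee_id": "E002", "status": "left",   "last_day": "2024-03-29"},
    {"employee_id": "E003", "status": "left",   "last_day": "2024-05-10"},
]
DIRECTORY_ACCOUNTS = [
    {"username": "a.example",  "employee_id": "E001", "enabled": True},   # current employee
    {"username": "b.example",  "employee_id": "E002", "enabled": True},   # leaver, still enabled
    {"username": "c.example",  "employee_id": "E003", "enabled": False},  # leaver, correctly disabled
    {"username": "svc-legacy", "employee_id": None,   "enabled": True},   # no HR owner on file
]


@dataclass
class Finding:
    username: str
    reason: str
    days_overdue: Optional[int]  # None when no leaving date applies


def reconcile_accounts(hr_roster, accounts, as_of: date, grace_days: int = 1) -> List[Finding]:
    """Return enabled accounts that HR data says should no longer be enabled.

    Flagged cases:
      - the owner has left and more than `grace_days` have passed since their last day;
      - the account has no HR owner at all, so nobody is accountable for it.
    """
    by_employee = {r["employee_id"]: r for r in hr_roster}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing to report
        owner = by_employee.get(acct["employee_id"])
        if owner is None:
            findings.append(Finding(acct["username"], "enabled account with no HR owner", None))
        elif owner["status"] != "active":
            overdue = (as_of - date.fromisoformat(owner["last_day"])).days - grace_days
            if overdue > 0:
                findings.append(Finding(acct["username"], "owner has left the company", overdue))
    return findings


def evidence_record(findings: List[Finding], as_of: date, accounts_checked: int) -> dict:
    """Summarise one run of the check so it can be filed as audit evidence."""
    return {
        "control": "leaver account reconciliation",
        "as_of": as_of.isoformat(),
        "accounts_checked": accounts_checked,
        "exceptions": [asdict(f) for f in findings],
        "result": "PASS" if not findings else "FAIL",
    }


def run_check(as_of_iso: str, grace_days: int = 1) -> dict:
    """Run the reconciliation over the constructed sample data for a given date."""
    as_of = date.fromisoformat(as_of_iso)
    found = reconcile_accounts(HR_ROSTER, DIRECTORY_ACCOUNTS, as_of, grace_days)
    return evidence_record(found, as_of, len(DIRECTORY_ACCOUNTS))


if __name__ == "__main__":
    # Fixed date so the constructed sample is reproducible.
    print(json.dumps(run_check("2024-06-01"), indent=2))
```

Run against the sample data on 2024-06-01 the check reports two exceptions, `b.example` (owner left 63 days beyond the one-day grace period) and `svc-legacy` (no HR owner), and an overall result of FAIL. The grace period exists so that an account disabled on the day after departure does not show up as an exception; the evidence record, not the script's console output, is what management should be asking for at each review.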
A similar pattern can be observed in the use of security solutions. Many organizations have firewalls, antivirus systems, and backup solutions in place. However, systematic verification is often missing. Backups may be performed regularly, but restore processes are rarely tested. Security alerts are generated, but not consistently reviewed or acted upon. In such cases, a false sense of security emerges, which can lead to serious consequences in the event of an incident.
Here again, management is not expected to understand technical details or configure systems themselves. What matters is that they demand transparency and receive regular reporting. This may include restore test protocols, incident reports, or summaries of detected and mitigated threats. Statements alone are not sufficient—what counts is verifiable evidence.
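A restore test protocol of the kind mentioned above only counts as evidence if the restore is actually performed and the restored data is compared against what was backed up. The following is an added example, not code from the original article: it builds a small constructed tar backup together with a hash manifest, restores it into a scratch directory, checks every file against the manifest, and emits a protocol record; it then repeats the test on a deliberately corrupted copy to show what a failed restore test looks like. The file contents and the protocol field names are assumptions made for the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile
from datetime import datetime, timezone

# Constructed sample content (not real backup data) that the "backup job" archives.
SAMPLE_FILES = {
    "config/app.ini": b"[db]\nhost=db.internal\n",
    "data/customers.csv": b"id,name\n1,Example Corp\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_backup(directory: str):
    """Write a tar archive of SAMPLE_FILES and return (archive_path, manifest).

    The manifest (name -> sha256) is what the backup job records at backup time;
    it is the reference the restore test is later compared against.
    """
    archive = os.path.join(directory, "backup.tar")
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for name, content in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
            manifest[name] = sha256_hex(content)
    return archive, manifest


def restore_and_verify(archive: str, manifest: dict, dest: str) -> dict:
    """Restore `archive` into `dest` and compare each restored file to the manifest.

    Members are written one at a time: anything that is not a regular file, or whose
    path would land outside `dest`, is rejected rather than silently extracted.
    """
    dest_root = os.path.realpath(dest)
    restored, rejected = {}, []
    with tarfile.open(archive, "r") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_root, member.name))
            if not member.isfile() or not target.startswith(dest_root + os.sep):
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            data = tar.extractfile(member).read()
            with open(target, "wb") as fh:
                fh.write(data)
            restored[member.name] = sha256_hex(data)
    mismatched = sorted(n for n, h in manifest.items() if restored.get(n) != h)
    return {  # the restore test protocol that can be reported to management
        "control": "backup restore test",
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "archive": os.path.basename(archive),
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "mismatched_or_missing": mismatched,
        "rejected_members": rejected,
        "result": "PASS" if not mismatched and not rejected else "FAIL",
    }


def corrupt_archive(archive: str) -> str:
    """Constructed failure case: flip one byte of the first member's data (offset 512,
    right after its 512-byte header). The archive still opens; only the content changed."""
    with open(archive, "rb") as fh:
        raw = bytearray(fh.read())
    raw[512] ^= 0xFF
    corrupted = archive.replace(".tar", "-corrupt.tar")
    with open(corrupted, "wb") as fh:
        fh.write(raw)
    return corrupted


def run_demo() -> dict:
    """Back up, restore-test the good archive, then restore-test a corrupted copy."""
    with tempfile.TemporaryDirectory() as work:
        archive, manifest = make_sample_backup(work)
        with tempfile.TemporaryDirectory() as scratch:
            clean = restore_and_verify(archive, manifest, scratch)
        with tempfile.TemporaryDirectory() as scratch:
            corrupted = restore_and_verify(corrupt_archive(archive), manifest, scratch)
    return {"clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    for label, protocol in run_demo().items():
        print(label, protocol["result"], protocol["mismatched_or_missing"])
```

The intact archive restores all files with matching hashes and the protocol records PASS; the corrupted copy still opens and extracts without any error from the archive tool, and only the hash comparison reveals that `config/app.ini` no longer matches, so the protocol records FAIL. This is the point of testing the restore rather than the backup job: a backup that runs on schedule says nothing about whether its contents can be brought back intact.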
A common misconception is that a lack of technical expertise prevents executives from taking an active role. This is not the case. NIS2 does not require deep technical knowledge, but rather a structured approach to managing risk. The key responsibility is to ensure that processes are defined, implemented, reviewed, and documented.
Many organizations already have the necessary technical solutions in place but still fall short of NIS2 compliance. The reason is rarely a lack of technology, but rather insufficient governance, unclear responsibilities, and a lack of traceability. These are the areas where the most common NIS2 gaps arise.