Cybervize - Cybersecurity Beratung

NIS-2 Ownership: When Everyone Is Responsible, No One Is

Alexander Busse·March 16, 2026

The most common answer to "Who owns NIS-2 in your organization?" is: "Essentially IT." Or: "We've distributed it." Or: "We're still sorting that out."

All three answers mean the same thing: ownership is unresolved. And without resolved ownership, NIS-2 becomes a project that everyone and no one owns - with the predictable result that it stalls in regular operations.

What "Ownership" Actually Means

NIS-2 ownership does not mean one person implements all technical measures alone. It means three things:

First: one person knows at every point where the company stands on NIS-2. What is complete, what is open, what is at risk.

Second: this person makes decisions when resources are scarce or priorities compete. Not through endless coordination loops, but with mandate.

Third: this person escalates when things stall. To executive management, to the board - depending on the company structure.

Why "Everyone" Doesn't Work

Shared responsibility is a polite way of describing absent responsibility. When IT, compliance, executive management, and external consultants are all "equally responsible," what happens is this:

Everyone waits for someone else to take initiative. Uncomfortable decisions get postponed. Resources aren't released because no escalation occurs. The project slows until it stops.

This is not a character issue. It is system dynamics. Without a clear accountability structure, the outcome is predictable.

Resolving the Ownership Problem in the Assessment

A good NIS-2 assessment resolves ownership not at the end of the process but early - in the kick-off, at the latest in the first workshop.

The questions that must be answered: who is the NIS-2 owner vis-à-vis executive management? Who owns individual measures? Who escalates when implementation stalls?

The answers don't need to be perfect. They need to be concrete. A name, not a functional area.

What Happens Without Ownership

Without ownership, no roadmap gets followed. No status review measures progress. No escalation occurs when deadlines are missed.

In the end, the company has a NIS-2 folder with documents, but no operations actually secured against the requirements. That is the difference between compliance performance and genuine resilience.

Conclusion

NIS-2 ownership is not an organizational formality. It is the prerequisite for every other measure. Anyone who deflects the ownership question signals that the project is already in trouble - before it has properly begun.

In the assessment, ownership is established before the roadmap is built. Not after.