Cybervize - Cybersecurity Beratung

NIS-2 Ownership: Why 'IT Handles That, Basically' Is the Beginning of Failure

Alexander Busse · March 16, 2026
NIS-2 Ownership: Why Responsibility Is Not an Org Chart Question

Who is responsible for NIS-2 in your organization? If the answer is 'IT handles that, basically,' you already have a problem. The word 'basically' reveals that nobody is truly in charge. And where nobody is in charge, every regulation fails before implementation even begins.

The NIS-2 directive presents organizations with a challenge that goes far beyond technical implementation. It demands clear responsibilities, documented processes, and a governance structure that works under pressure. Yet in many mid-sized companies, exactly this is missing: a clear owner who does not just understand NIS-2 but actively drives it forward.

The 'Everyone and No One' Problem

A recurring pattern emerges in practice. Management views NIS-2 as an IT issue. The IT department sees it as a compliance matter. The data protection officer considers it an information security topic. The result: everyone feels somewhat responsible, but nobody carries the operational accountability.

This accountability vacuum has tangible consequences. Deadlines are missed because nobody maintains oversight. Measures are implemented twice or not at all. The 24-hour reporting obligation becomes a nightmare because in an emergency, it remains unclear who triggers the process, who makes decisions, and who communicates with authorities.

The critical point is this: NIS-2 ownership cannot be delegated by sending an email with the subject line 'Please take care of this.' It requires a deliberate decision by leadership about who carries the responsibility and what authority that person receives.

Why an Assessment Makes the Difference

A structured assessment creates the clarity that many organizations lack, and it does so early. It answers the three decisive questions before operational urgency sets in: Who is responsible for what? Which priorities apply in the next 30, 60, and 90 days? And what effort is realistically achievable internally?

This is not about theoretical frameworks but about practical artifacts. A RACI model, for example, clarifies for every NIS-2 measure who is Responsible, who is Accountable, who needs to be Consulted, and who should be Informed. A concrete example: for the measure 'test incident reporting process,' R could be the Information Security Officer, A the CIO, C the Legal department and Data Protection Officer, and I senior management.

This clarity does not emerge from PowerPoint presentations but from workshops where stakeholders jointly work out who takes on which role. Only when every person knows what is expected of them can NIS-2 transform from regulatory text into lived practice.

Ownership as a Cultural Decision

Ownership is more than an entry in a RACI matrix. It is a cultural decision. Organizations that successfully implement NIS-2 share one trait: leadership understands information security not as an IT cost center but as a strategic management responsibility.

In practical terms, this means the NIS-2 owner reports directly to senior management. They have a budget, a clear mandate, and the authority to make decisions. And management itself remains liable. NIS-2 holds the leadership level personally responsible for implementation. This is not legal formalism but a deliberate mechanism by the EU to ensure that cybersecurity becomes a boardroom priority.

Conclusion: Structure Before Activism

NIS-2 ownership does not begin with selecting a tool or commissioning a service provider. It begins with an honest answer to a simple question: Is there a person in your organization who owns NIS-2? Or is it still 'somehow everyone'?

If the answer to this question is not immediately clear, then now is exactly the right time to establish that clarity. Structure before activism is the principle that distinguishes organizations treating NIS-2 as a tedious obligation from those leveraging it as an opportunity for better governance.