NIS2: Cybersecurity Becomes a Board-Level Management Function

In brief: NIS2 makes cybersecurity a leadership responsibility at board level, not just an IT matter — CISOs must operate more strategically and work closer to senior management in the future.

The NIS2 Directive elevates cybersecurity from pure IT responsibility to the level of corporate management. CISOs must henceforth report directly to management and shape strategic decisions.

The EU Directive on Network and Information Security (NIS2) requires companies above a certain size to anchor cybersecurity as a governance matter. This means in concrete terms: protection against cyberattacks is no longer the task of the IT department alone, but must be addressed at board level and in the supervisory board.

For CISOs (Chief Information Security Officers), this results in a changed role. They must increase understanding of security risks among senior management and ensure that investments in cybersecurity are understood as a strategic necessity, not as a cost factor. At the same time, they bear responsibility for ensuring that the organization develops a security awareness that goes beyond IT processes.

The regulation stipulates that companies must maintain a documented risk management system, conduct regular security checks, and report incidents to the responsible authorities. This requires structured processes and a governance architecture whose development and monitoring CISOs are centrally involved in.


Source: news.google.com · Published 26 May 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification through Lumi News Pipeline v1.6.5.