NIS2 requires companies to establish structured governance, implement technical security measures, and maintain demonstrable incident-response processes, for which CISOs must assume full responsibility at board level.
Tabletop exercises that lack clear objectives, use unrealistic scenarios, and leave out relevant stakeholders create false confidence and fail to expose organizational weaknesses in incident response.