GRASP German GRC

NIS2: Cybersecurity Is a Top Executive Responsibility

Max Mustermann

Published on: 17.07.2025

Image: the EU flag waving in the wind

Why CEOs Should Put NIS2 Under Their Pillow – and Say Goodbye to Excel Spreadsheets

We live in an era where IT service providers are breached by anime-inspired hackers guessing passwords and military generals hold sensitive discussions via WebEx. But let’s stay optimistic — by October 2024, such mishaps should be a thing of the past. That’s when the EU’s NIS2 Directive comes into force. Officially titled Directive (EU) 2022/2555, it is also known as the Second Directive on the Security of Network and Information Systems. Its goal: to strengthen cyber resilience — and it has the potential to do just that.

However, those who struggled to comply with the GDPR introduced in 2018 would do well to brace themselves.

NIS2: A Look at the EU’s Cybersecurity Directive

Organizations falling under NIS2 are required to appoint a cybersecurity officer, implement risk management systems, form IT incident response teams, and conduct regular audits of their service providers.

NIS2 makes one thing very clear: Cybersecurity is not the same as IT security. While IT security focuses on technical defenses, cybersecurity is a strategic business issue. That’s why NIS2 is a C-level matter.

Where CISOs report directly to the CEO, organizations are better positioned to respond quickly and effectively to cyber threats. Cybersecurity must be viewed as an integral part of the corporate strategy — not an afterthought. By placing the CISO alongside the CIO at the executive level, security concerns receive the attention and resources needed to protect the entire enterprise.

Challenges and Opportunities in NIS2 Implementation Across Europe

Unfortunately, Forrester offers sobering statistics:
Only 21% of European CISOs report directly to the CEO, while 40% still report into the CIO. This structure can cause delays in decision-making and resource allocation, as cybersecurity must compete with broader IT priorities.

With NIS2 expanding its definition of critical infrastructure, sectors like energy, healthcare, and transport are joined by postal services, digital providers, and the food industry.

In Germany alone, an estimated 40,000 companies must now prepare for extensive cybersecurity obligations that go far beyond IT departments. If 40% of them rely on outdated tools like Excel, email, and phone calls, that’s 16,000 organizations heading into major resource conflicts.

As BSI President Claudia Plattner aptly noted: “We don’t have a measures problem – we have an implementation problem.”

Some companies mistakenly believe that BSI is responsible for defending their networks. Those that understand they must protect themselves often stumble over one critical question:
Who is responsible for doing what, by when, in the event of an incident?

To meet the increasing complexity of cyber threats, CIOs, CISOs, and CEOs must act as Security and Risk Managers (SRMs) — promoting a cybersecurity culture that extends beyond IT and permeates the entire organization. Otherwise, the following NIS2-mandated disciplines will remain unmanageable:

Cyber Risk Management: Risk management processes must be established to assess and mitigate threats to critical services. Both EU member states and ENISA (the EU Cybersecurity Agency) will conduct coordinated assessments of critical supply chains — considering both technical and non-technical risk factors.

Corporate Responsibility: Internal reporting mechanisms must inform top management about the organization’s risk exposure and security posture. Governance structures should enable executives to monitor, approve, and respond to cybersecurity risks effectively.

Incident Reporting Obligations: External reporting capabilities must be established to meet NIS2’s incident notification requirements. Any incident with a significant impact on services or recipients must be reported promptly. Authorities may assess the incident and advise affected entities on response actions.

Business Continuity Planning: Organizations must develop plans covering backup management, disaster recovery, and crisis response — ensuring continued operation in the event of cyber incidents.

Who Needs to Be Involved?

Executive Leadership (CEO, CFO, COO): Top executives must gain a deep understanding of cybersecurity and embed it into the company strategy. Given potential liability under NIS2, executive leadership must show active involvement in implementing and maintaining cyber defenses.

Legal and Compliance Teams: These departments interpret the NIS2 directive and ensure legal requirements are met. They act as a bridge between business leadership and technical teams.

Human Resources (HR): With the cybersecurity talent shortage, HR must develop strategies to attract, retain, and train skilled professionals — while also fostering a security-aware culture across the workforce through regular training and awareness programs.

Operations and Facility Management: In newly covered critical sectors, operational teams must account for physical security and operational technology (OT) risk to reduce vulnerabilities.

Product and Service Development: Security-by-design must be baked into all new product and service development — especially for companies in newly regulated sectors like digital services.

Supply Chain and Third-Party Management: Organizations must evaluate and monitor the cybersecurity practices of their suppliers and partners. Supply chain leads must collaborate closely with security teams to ensure compliance and risk management throughout the ecosystem.

Customer Service and Support: Those teams must be prepared to respond effectively to security incidents affecting customers and have clear communication protocols in place for such scenarios.

The Question for 40,000 CEOs: How Do You Maintain Oversight?

The motivation is easy to quantify: NIS2 enforcement includes significant fines for non-compliance.

  • Important entities face up to €7 million or 1.4% of annual turnover.
  • Essential entities can face penalties of up to €10 million or 2% of global annual turnover, whichever is higher.

Recommendation: The Role of an Integrated Management System in Cybersecurity Strategy

To meet both CEO-level responsibilities and NIS2 compliance, companies should adopt an integrated management system (IMS) that unifies security and risk management efforts across the organization.

An IMS can incorporate standards such as:

  • ISO 27001 – Information Security Management
  • ISO 22301 – Business Continuity Management
  • ISO 31000 – Enterprise Risk Management

By combining these frameworks, companies can leverage synergies, avoid duplication, and take a holistic approach to security.

An integrated management system also enables ongoing monitoring, measurement, and improvement of cybersecurity measures, while supporting efficient resource allocation.

Get an integrated management system — juggling is for the circus.