You know him. The guy in the corner office (or, more likely, the corner of an open-plan floor) clutching a binder full of risk acceptances that nobody ever read. For years, the risk manager was the corporate equivalent of the smoke detector: annoying when it beeps, ignored until the house is on fire.
And then there's his cousin: the lone ISO buried deep under the CIO, doing "security" as a side quest between firewall tickets and audit prep. No budget. No mandate. No audience. Just a person with a compliance spreadsheet and a thousand-yard stare, who's been screaming into the void that somebody should probably look at this.
Well, congratulations to both of them. The house is on fire. And NIS2 just handed them a megaphone.
Here's the thing most organisations get wrong about NIS2: they think it's an IT problem. "Just patch the servers, run a pentest, buy a shiny new SIEM... sorted." Except the directive doesn't start with firewalls. It starts with the boardroom. Article 20 is brutally clear: management bodies must approve cybersecurity risk measures, oversee their implementation, and - here's the kicker - can be held personally liable if they don't.
Suddenly, that dusty pile of risk acceptances signed off with "we'll accept the risk" looks less like bureaucracy and more like evidence. And the ISO who was told "just handle it" now holds the proof that nobody was actually handling anything.
Why? Because governance sounds like something you do after the exciting stuff. It's the broccoli of cybersecurity. Everyone knows they should eat it, nobody orders it voluntarily.
Some organisations have a risk manager, but his work lives in spreadsheets nobody opens. Others don't even have that - they have an ISO who inherited "risk management" because he once fixed a phishing incident and the CIO said, "Great, it's yours now." No formal role. No authority. No escalation path. Just best effort in a system designed not to listen.
NIS2 doesn't care about your org chart politics. It wants clear roles, documented accountability, board-level oversight, and demonstrable decision-making. That's not a firewall upgrade - that's a cultural shift.
If your security person has been operating on best effort and good intentions, NIS2 is actually the best thing that ever happened to him - if leadership uses it right. Here's how:
1. Elevate, don't just delegate. Stop burying security under IT operations. Your ISO needs a reporting line to someone who can say "no" to the business, or at least "not yet". NIS2 requires board-level accountability. Use that to pull security out from under the CIO's shadow and give it a voice.
2. Formalise the role before the regulator does it for you. If your ISO has been doing risk management without the title, the budget, or the authority, make it official. Define the mandate, assign the resources, and for the love of compliance, give the person a seat in governance meetings instead of just the meeting minutes afterwards.
3. Revisit every "accepted" risk. Every risk that was "accepted" needs a second look. Was it a conscious decision or a convenient one? Document the rationale, assign owners, set review dates. Your risk manager, or your ISO who's been doing that job in disguise, has been waiting for this moment.
4. Define who decides what. Create a simple governance charter: who approves risk treatment, who escalates incidents, who talks to the regulator. If the answer to any of these is "uhh… probably IT?" you have work to do.
5. Train the board - seriously. NIS2 requires management to undertake cybersecurity training. Not a 15-minute e-learning with a multiple-choice quiz. Meaningful engagement with what the organisation actually faces.
6. Make it repeatable, not heroic. Governance isn't a one-off project. Build review cycles, tie them to existing business rhythms, and stop relying on one person's heroic best effort to keep the lights on securely.
NIS2 didn't invent good governance - it just made ignoring it illegal. Whether you have a risk manager with his spider-web of acceptances or an ISO who's been quietly holding the fort with duct tape and determination - they were right all along.
The question is: will your organisation finally give them the authority to match their responsibility, or keep pretending the smoke detector is just being dramatic?
Spoiler: the regulator won't care which one you chose. They'll care what you can prove.