
NIS2 roles and responsibilities around awareness

Practical guidance on NIS2 roles and awareness obligations for organisations that want to improve secure behaviour structurally.


Founder & Security Awareness Specialist · 2LRN4

NIS2 articles 20 and 21 set the governance and risk-management obligations that every entity in scope must implement. NIS2 is a directive, so each Member State transposes these obligations into a national law with its own competent authorities and supervisory style. The roles described here (board, CISO, IT operations and CSIRT, HR and awareness lead) are common across all Member States; only the regulator names, sanction ceilings and procedural specifics differ. ENISA acts as the EU-level coordinator and publishes guidance, but it does not enforce against individual organisations.

Board: steering and accountability

Under NIS2 article 20(1) and 20(2), the highest management body (board of directors, executive committee, or equivalent) is directly accountable for cybersecurity. The board must approve the risk-management measures, oversee their implementation and complete regular training that enables it to identify cyber risks and assess their impact on the organisation.

Personal liability for serious breaches is a direct consequence. In practice, the board treats cybersecurity as a standing agenda item, records its decisions in the minutes and verifies progress. Full delegation to the CISO is not an acceptable strategy; board members must be able to engage substantively.

Larger organisations often designate one board member as cybersecurity lead director. This person sponsors the programme, receives the reports and acts as the first point of contact for the regulator. Collective board responsibility remains; it is not transferred to that individual.

CISO or information security officer

The CISO (Chief Information Security Officer), or in smaller organisations the information security officer, holds operational responsibility for defining, maintaining and overseeing the security policy. NIS2 implementations require this role to be explicitly filled, with sufficient mandate and direct access to the board.

Typical responsibilities: risk analyses, maintenance of the ISMS (Information Security Management System), oversight of awareness programmes, definition and reporting of KPIs to the board, contact with the competent national authority and sector regulators, coordination of incidents alongside IT and legal.

Important: the CISO does not run the technical measures; that is the role of IT operations. The CISO is the second line of defence: setting requirements, monitoring and reporting. In smaller entities, the role can be combined with DPO or risk officer, provided independence and mandate are preserved.

IT operations and CSIRT

IT operations (internal IT department or external managed service provider) implements the technical measures: patching, segmentation, monitoring, backup and restore, identity and access management, endpoint protection. These count as the "appropriate and proportionate technical, operational and organisational measures" required by NIS2.

The CSIRT (Computer Security Incident Response Team) handles incidents from detection through restoration and after-action review. NIS2 mandates a three-step notification: early warning within 24 hours, intermediate report within 72 hours, final report within one month, sent to the competent national CSIRT. The CSIRT needs playbooks, 24/7 on-call coverage and regular table-top exercises.

CSIRTs typically cooperate with the national CSIRT, sector-specific CSIRTs and ISACs. ENISA supports the EU CSIRTs network at European level but does not act as a primary incident channel for individual organisations.

HR, communications and awareness lead

The training obligation in NIS2 is not a purely technical task. HR anchors security in the people policy: onboarding training for new hires, annual refreshers, recording completion in the HR system, consequences for sustained non-participation.

The awareness lead or programme manager (often reporting into the CISO or HR) designs and runs the programme: content choices, schedule, phishing simulations, communications, reporting. In large organisations this is a dedicated role; in smaller ones it is combined with CISO or internal communications.

Many organisations also appoint risk owners per business unit: line managers who own the risks in their own processes and translate the awareness message to the operational level. This prevents security from being confined to central functions.

Per-country overview of competent authorities

Although the roles above are common across the EU, the regulator that supervises and enforces them varies by Member State. Always check the national transposition law for the exact split of competences.

  • Netherlands: Cyberbeveiligingswet (Cbw), with sector regulators (RDI for digital infrastructure, IGJ for healthcare, DNB for finance) and the National Cyber Security Centre (NCSC) for coordination.
  • Belgium: NIS2 Act of 26 April 2024, with the Centre for Cybersecurity Belgium (CCB) as central authority and CSIRT, supported by sector regulators (FSMA, FPS Health, BIPT).
  • Germany: NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), with the Federal Office for Information Security (BSI) as central authority, alongside sector regulators (BNetzA, BaFin).
  • Austria: NISG 2024, coordinated by the Federal Ministry of the Interior (BMI), with sector regulators (FMA, RTR/Telekom-Control, E-Control).
  • France: NIS2 transposition law, with ANSSI as central authority and sector regulators (ACPR, ARCEP, ASN) in their respective domains.
  • Spain: Real Decreto-ley transposing NIS2, with CCN-CERT (public sector and critical infrastructure) and INCIBE-CERT (private sector) as primary CSIRTs, plus sector regulators (CNMV, Bank of Spain, Ministry of Health) and the AEPD for personal-data overlap.

FAQ

Must all board members complete training, or only the designated cybersecurity lead director?

NIS2 article 20(2) is explicit: all members of the management body must complete regular training. A designated lead director can sponsor the programme and act as the regulator-facing contact, but this does not relieve other members of their individual training duty or the collective accountability of the board.

What is the difference between CISO and DPO?

The CISO is accountable for information security as a whole (confidentiality, integrity, availability), while the DPO specifically oversees GDPR compliance for personal-data processing. The two roles can cooperate, but must remain organisationally independent to avoid conflicts of interest.

Can the CISO role be outsourced?

Yes. A fractional CISO or CISO-as-a-Service arrangement is possible and often practical for mid-sized entities. Conditions: sufficient availability, clear mandate, direct reporting line to the board, no conflict of interest with other services (for example, the SOC provider). Final accountability of the board remains untouched.

Who notifies an incident to the regulator?

Procedurally the CSIRT files the notification, with sign-off from the CISO and information to the board. Legally the entity is the notifier; the specific signatory depends on internal governance. The notification is sent to the competent national CSIRT designated under the national transposition law.

How do I document the role allocation for an audit?

Build a RACI matrix (Responsible, Accountable, Consulted, Informed) for the NIS2 obligations, link it to job descriptions and formalise board accountability through a board resolution. Embed the roles in the ISMS handbook and the incident-response plan. The combination of RACI and board resolution is the strongest evidence in an audit.

Do HR staff also need NIS2 training?

Yes, at least the HR staff who plan or record awareness training. They need to know which evidence an audit expects (participation logs, certificates, refresh frequency) and how new hires receive their initial training within a reasonable timeframe (typically 30 to 90 days). A 60-minute governance briefing is usually enough.

External source: European Commission - NIS2 Directive
