If you hand NIS2 compliance to the IT department, you’ve already failed
If you hand NIS2 compliance to the IT department, you’ve already failed.
Not because the IT department is incompetent. But because NIS2 is not an IT problem. It’s a governance problem. And governance belongs with management, not with the person who administers the firewall.
NIS2 requires risk management, incident reporting, continuity planning, and supplier control. None of that is solved with technical measures. All of it requires processes, documentation, and decisions at management level.
I built and delivered an ISMS (information security management system) to board level at Logivity, a startup within Volvo Group. It was not an IT project. It was a management system project.
An ISMS means the organization knows what risks it has, has decided which ones it accepts, and can demonstrate that it made conscious decisions. That requires a risk register. An information classification. A continuity plan. Policies signed by the board. Routines that people actually follow.
It doesn’t require a CISO. It doesn’t require advanced technology. It requires ownership.
The problem I see is that most companies treat information security as a checklist. They buy a tool. They run a vulnerability scan. They tick off “NIS2 compliance” and move on.
But an auditor doesn’t ask if you have a firewall. An auditor asks: “Show me your risk register. Show me how you classify your information. Show me the decision protocol where the board approved your risk acceptance level.” That’s documentation, not technology.
The difference between a company that passes an audit and one that doesn’t is rarely technical maturity. It’s whether management has taken ownership of information security as a governance matter. Not delegated it to IT and hoped for the best.
This applies especially to smaller companies. SMEs now covered by NIS2 often have no dedicated security resource. The temptation is to hand the assignment to the IT manager, who’s already at capacity. The IT manager installs a couple of tools, writes a policy, and after three months the project is dead. Not because it was wrong, but because it lacked mandate and ownership from management.
An ISMS requires ongoing maintenance. It’s not a project with a start and end. It’s a management system that lives as long as the organization does.
My experience: start with the risk register. Start with information classification. Start with the board understanding what they’re signing. Technology comes last. Governance comes first.
If you want to pass NIS2: move ownership from IT to management. That’s the only step that truly matters.