
If you hand NIS2 compliance to the IT department, you've already failed

Most companies I talk to about NIS2 have done the same thing: they forwarded the directive to the IT manager and assumed the problem would solve itself. It rarely does. The directive asks for risk management, incident reporting, continuity planning and supplier control, and none of that is solved by technical measures. All of it requires processes, documentation and decisions at management level.

I built and delivered an ISMS (information security management system) to board level at Logivity, a startup within Volvo Group. It was not an IT project but a management system project, and the difference matters more than people think.

What an ISMS actually is

An ISMS means the organization knows what risks it has, has decided which ones it accepts, and can demonstrate that it made conscious decisions. That requires a risk register, an information classification, a continuity plan, policies signed by the board, and routines that people actually follow. None of it requires a CISO or advanced technology; what it does require is ownership.

The problem I see is that most companies treat information security as a checklist: buy a tool, run a vulnerability scan, tick off “NIS2 compliance” and move on. But an auditor does not ask if you have a firewall. An auditor asks to see the risk register, asks how you classify information, asks for the decision protocol where the board approved your risk acceptance level. That is documentation, not technology, and the difference between a company that passes an audit and one that does not is rarely technical maturity. It is whether management has taken ownership of information security as a governance matter, rather than delegated it to IT and hoped for the best.

What a risk register looks like in practice

A risk register is the operational core of an ISMS, and it is also the artefact most people get wrong. It is not a spreadsheet of every conceivable threat. It is a list of specific risks to specific information assets, with a documented decision for each one.

A useful entry has six fields: the asset (customer data in the CRM), the threat (unauthorized access by a third-party developer), likelihood and impact rated on a scale the board has signed off on, the existing control (role-based access, quarterly reviews), the residual risk after that control, and the decision (accept, mitigate, transfer, avoid) with a name and a date attached.

When a Logivity board member asked why a particular risk was rated medium and not high, I could point to the entry and the discussion that produced it. That trail of decisions, not a tool, is what an auditor actually wants to see.

A practical sequence for smaller companies

This matters especially for SMEs now covered by NIS2, which often have no dedicated security resource. The temptation is to hand the assignment to the IT manager, who is already at capacity and who then installs a couple of tools and writes a policy. Three months later the project is dead, not because it was wrong but because it lacked mandate and ownership from management.

A workable sequence looks like this. Start with information classification (what data do we actually hold, and how sensitive is each category). Build the risk register on top of that classification, one row at a time, with the asset owner sitting in the room. Take the top ten risks to the board, get a documented decision on the acceptance level, and write the minutes. Pick three or four policies that govern the highest-impact risks (access control, incident response, supplier management) and get them signed. Define who reviews the register and when, and put it in the calendar.

That is roughly six months of governance work for a mid-sized company, and it requires a sponsor at executive level who treats the ISMS as a recurring management responsibility rather than a one-time project.

An ISMS is a management system that lives as long as the organization does, which means the question is not “are we compliant” but “who owns this next quarter”. If you want to pass NIS2, move ownership from IT to management. That is the only step that truly matters.