NIS2: What really changes and why many organizations are not yet ready

In recent months the Directive (EU) 2022/2555 - NIS2 has steadily entered the discussions of Boards of Directors, Risk Committees, and IT and Cybersecurity functions.

It is no longer a “technical” regulation confined to insiders, but a regulatory intervention that directly affects corporate governance, the responsibilities of the top management bodies and the decision-making mechanisms in the event of a cyber crisis.

The growing attention is not due only to the expansion of the scope of application, which brings in significantly more organizations than the previous NIS Directive, but above all to the paradigm shift the Directive introduces.

Increasingly, a key question emerges:

“If a major cyber incident occurred tomorrow, would the organization be able to handle it in an NIS2-compliant manner?”

The answer, in most cases, is not technical.
It is organizational, procedural, cultural and decisional.

Many organizations have invested over the years in security technologies, SOCs, threat detection and incident response services. However, NIS2 makes clear an often overlooked point: security is not only prevention, but also the capability to govern an incident.

From “suffering an attack” to “governing an incident”

Major European and international reports on cybersecurity show a well-established trend:
cyber incidents are rising in frequency, sophistication and impact, involving critical and non-critical sectors, large groups and medium-sized organizations.

Energy, transportation, health care, digital services, manufacturing and supply chains are now exposed to systemic risks that can have cascading effects on the economy and national security.

NIS2 starts from a very clear premise:

a cyber incident is no longer a remote possibility, but an expected event.

For this reason, the Directive shifts the focus from a purely defensive logic to a logic of governance of the incident.

It is no longer enough to prove that you have:

  • firewalls,
  • detection systems,
  • technical response procedures.

The regulator evaluates:

  • how decisions are made under pressure,
  • who has the authority to declare a significant incident,
  • how outward communications are handled,
  • whether management is aware of the risks and involved in the choices.

In other words, NIS2 introduces a “managerial” reading of the cyber incident:
not only what happened, but how the organization reacted, decided and communicated.


NIS2 and accountability: a level change

One of the most disruptive aspects of NIS2 concerns the issue of the responsibilities of management bodies.

The Directive stipulates that management bodies:

  • approve cyber risk management measures,
  • supervise their implementation,
  • can be held accountable in case of serious non-compliance.

This implies a profound cultural change.

Cybersecurity can no longer be considered a subject that can be “fully delegated” to the IT function or the CISO.
It becomes a governance responsibility, like other strategic risks.

In this context, incident management takes on central value because it is the time when:

  • decisions become visible,
  • responsibilities emerge,
  • the relationship with the authorities is tested.

NIS2 obligations: timelines, processes, and accountability

NIS2 introduces concrete and measurable obligations on several levels.

1. Notification of significant incidents

The Directive provides for a structured notification process:

  • an early warning within very tight time frames,
  • a formal notification with validated initial information,
  • a final report with analysis of impact and corrective measures.

This assumes that the organization knows how to:

  • distinguish between an event, an incident and a significant incident,
  • decide quickly whether the notification requirements are triggered,
  • validate the information before transmitting it.

Without clear governance, the risk is twofold:

  • notifying too late,
  • notifying incompletely or inconsistently.

Both cases expose the organization to findings and penalties.


2. Formalized roles and responsibilities

NIS2 does not allow for organizational ambiguity.
It requires clear roles, assigned responsibilities, and documented processes.

In particular, it presupposes the existence of a stable function capable of:

  • coordinating the different functions involved,
  • representing the organization before the CSIRT,
  • ensuring consistency and traceability of decisions.

This is not a figure “to be appointed in an emergency,” but a role defined ex ante.


The central issue: the relationship with the CSIRT

During a significant incident, the relationship with the National CSIRT becomes a crucial element.

NIS2 requires that:

  • communications are timely but reliable,
  • information is contextualized,
  • decisions are documented and defensible.

In the operational reality of many organizations, however, recurring critical issues emerge:

  • the SOC speaks a technical language,
  • Legal takes a conservative approach,
  • management is under reputational and operational pressure,
  • information arrives fragmented.

In the absence of direction, the risk is that:

  • communications are inconsistent,
  • timelines are not met,
  • the CSIRT receives partial or contradictory information.

This is one of the main factors of NIS2 non-compliance.


The CSIRT liaison: why it is a governance function

NIS2 does not define the CSIRT Contact Person as a purely technical figure.
On the contrary, it implicitly delineates its role as a strategic coordination function.

The CSIRT Contact Person is placed:

  • between the operational and decision-making levels,
  • between technical and control functions,
  • between the organization and the external authority.

To be effective it must:

  • know the regulatory framework,
  • understand the business implications,
  • have access to management,
  • have a clear mandate.

It is a function that does not replace the CISO, the SOC or Legal, but coordinates them within a logic of incident governance.


CSIRT as a Service Contact Person - NIS2

Many organizations, especially medium-sized ones, do not have this structured function internally.
This is the origin of the CSIRT as a Service Contact Person - NIS2 service.

The service provides an ongoing, independent and qualified function focused on NIS2 obligations and on incident management as a matter of governance.

Areas of intervention

1. NIS2 framework and governance

  • formal definition of the role,
  • integration into existing governance models,
  • alignment between IT, Risk, Legal and Management.

2. Preparation for the incident

  • clarification of decision thresholds,
  • definition of playbooks consistent with the Directive,
  • support for exercises and simulations.

3. Incident management

  • decision support at critical stages,
  • coordination of the functions involved,
  • validation of communications.

4. Interface with the CSIRT

  • single point of contact,
  • adherence to timelines,
  • traceability of decisions and actions.

5. Post-incident and continuous improvement

  • root cause analysis,
  • process review,
  • support in case of audits or inspections.

Why preparation is the real critical factor

Post-incident analyses show a consistent pattern:
the most relevant problems are not technological, but organizational.

Unclear roles, delayed decisions, insufficient documentation and inconsistent communications are the main causes of critical regulatory issues.

NIS2 does not ask whether an organization has been hit.
It asks whether it was ready.

Being ready means:

  • having defined roles and responsibilities,
  • having tested the processes,
  • having prepared management to make decisions.

A Practical First Step: NIS2 Readiness Check - CSIRT Contact Person

The NIS2 Readiness Check - CSIRT Contact Person (45 minutes) is designed as a pragmatic first step to:

  • assess the level of organizational maturity,
  • identify decision-making and governance gaps,
  • understand the exposure with respect to NIS2 obligations.

It is not a technical audit, but a focused assessment of the organization's ability to govern an incident in a compliant manner.


Conclusion

NIS2 marks a key transition:
from cybersecurity as a technical function to cybersecurity as a governance responsibility.

In this context, the CSIRT Contact Person is not an organizational detail, but a strategic junction.

Organizations that understand this early turn a regulatory obligation into an advantage in control, credibility and resilience.
The others are likely to find out at the worst possible time: during a real incident.
