What NIS2 specifically expects from companies
NIS2 does not specify detailed technical requirements but defines clear objectives. Companies must identify, prioritize, and appropriately manage risks. For supply chains, this entails several key tasks:
- First, dependencies must be systematically identified. Which service providers are essential for operations? What data do they process? What access rights do they have?
- Second, appropriate security requirements must be defined. These must be commensurate with the risk and contractually stipulated.
- Third, NIS2 requires continuous monitoring. Risks change. Business models, threat landscapes, and technical architectures evolve. Security assessments must therefore not be a one-off project.
The role of the CISO under NIS2
For CISOs, NIS2 represents a significant expansion of their responsibilities. Technical excellence alone is no longer sufficient. Communication skills, risk assessment, and the ability to enforce security requirements across the organization are now essential.
The CISO becomes the intermediary between technology, management, procurement, and legal. They must explain why certain requirements are necessary, what risks exist, and what the consequences of inaction might be. NIS2 strengthens this role by defining clear responsibilities and anchoring the importance of cybersecurity at the board level.