NIS2 made clear: Not Every Cyber Risk Is Technical

Not every cyber incident starts as a technical problem. Under NIS2, cyber risk is about business impact, service continuity, and responsibility – not just firewalls and tools.


When people hear the term cyber risk, most organizations immediately turn to IT. Firewalls, antivirus, patching, SIEM. Then comes the sense of relief: “We have it covered.” But this is exactly where it becomes clear that a purely technical view of risk is not enough.

In one project, we asked a simple question: “What would happen if this system went down tomorrow?”

The answer did not come from IT. It came from finance.

“We wouldn’t be able to invoice.”

“We couldn’t close the month.”

“We couldn’t pay suppliers.”

This was not a technical problem. It was a business problem. And this is exactly how NIS2 looks at cyber risk.

The NIS2 Directive does not focus only on technical controls. It talks about service continuity, economic and societal impact, and management responsibility. These are business concepts, not technical ones. IT plays a critical role in implementing controls and responding to incidents, but the consequences of cyber incidents always hit the organization as a whole.

This is where many organizations struggle. Risks are recorded as technical failures of systems or infrastructure, without a clear link to the business service or process that is actually at risk. On paper, the risk exists. In practice, it has no clear owner. And when every cyber risk is seen as an “IT risk,” no one truly owns it.

From an NIS2 perspective, risks are tied to services and processes, not to technology alone. A well-defined risk does not just say that a system might fail. It explains what that failure means for the organization.

For example: “An outage of the customer portal may lead to breached SLAs and loss of customer trust.” At that point, the impact is clear, the relevance is obvious, and it becomes clear who needs to act.

The real shift happens when the risk owner is not the IT manager, but the owner of the service or process. Invoicing belongs to finance. Production belongs to operations. Customer services belong to customer care. IT becomes a key partner delivering solutions, not the sole owner of risk. This shift is exactly what NIS2 expects.

At Tazilla, we look at risks first through critical assets and essential services. Risks are placed in a concrete business context, assigned to clear owners, and only then addressed with technical and organizational security controls. This way, every risk has a clear meaning and a clear role in decision-making.

Understanding cyber risk as a business issue is only the first step. The next challenge is ownership. When responsibility is unclear, incidents quickly turn into chaos. We explore this problem in more detail in NIS2 Without Paperwork: When a Risk Has No Owner, the Incident Takes Over.

The bottom line is simple. Not every cyber risk is technical. But every cyber risk has technical consequences. If you look at risk only through IT, NIS2 will always feel like a burden. If you look at it through the business, it starts to make sense.