NIS2 Made Clear: When a Risk Has No Owner, the Incident Takes Over

NIS2 is not about paperwork. It’s about ownership and decision-making when incidents happen.


The incident happened at night. By morning, everyone knew about it. Emails were down, internal systems were unavailable, and phones would not stop ringing. Eventually, a sentence was heard in the meeting room that we hear far too often:

“So who is actually responsible for this?”

The risk itself was not a surprise. It was recorded in the risk register, had its rating, its color, and its reference number. On paper, everything was in place. But one critical thing was missing – a clearly assigned owner.

And when a risk has no owner, chaos automatically takes over during an incident.

The first hours after an incident look similar in many organizations. IT focuses on the technical side, but does not know what should be prioritized. Management waits for information that does not yet exist. Legal teams ask whether and when the incident must be reported. No one acts in bad faith. The real problem is that no one has the authority to decide.

This is not a technical issue. It is a governance issue. Many organizations automatically treat IT as the owner of cyber risks. But IT does not own business processes, does not carry reputational impact, and does not decide what is acceptable for the organization in a crisis. IT can handle the incident, but it cannot decide what the organization should sacrifice if necessary.

The NIS2 Directive places strong emphasis on management responsibility, risk ownership, and the ability to make decisions during incidents. Even if it does not say this in one explicit sentence, it clearly assumes that every significant risk has a named owner – a person who has both the authority and the obligation to act. Not during an audit, but when things go wrong.

The difference between a risk without an owner and a risk with an owner is fundamental.

Saying “risk of a CRM system outage” does not say much.

Saying “an outage of the CRM system may stop sales; the risk owner is the Sales Director” immediately clarifies impact, responsibility, and decision-making authority.

IT remains a key partner, but it does not carry the full weight of decisions alone.

The turning point comes when responsibility is explicitly assigned. Organizations that handle incidents well share one thing in common – every significant risk has one specific name attached to it. Not a department. Not a team. A person. This does not mean that person is to blame for everything. It means they can decide, escalate, and take responsibility.

At Tazilla, risk ownership is one of the core principles of how we approach security. We link risks to assets and essential services, assign them to specific business or management owners, and connect them to concrete security controls. As a result, incidents do not end in discussions about who should decide, but with a clear next step.

The bottom line is simple. NIS2 is not about paperwork. It is about accountability and decision-making.

If a risk has no owner, it will be taken over by the worst possible manager – chaos. Organizations that assign clear ownership early gain speed, clarity and control when incidents happen. Those that do not will be forced to make critical decisions under pressure, with incomplete information and unnecessary business impact.
