The EU directive NIS2 is approaching. Many Norwegian organizations are now trying to map out what it will mean for them, but many haven’t even begun the journey!
For some, it’s about establishing solid security across their entire IT landscape. Others have security in place but lack documentation and governance.
For both, it comes down to creating clarity around one fundamental question:
Who actually has responsibility for information security?
The answer is often more unclear than one might think.
NIS2 imposes increased requirements for governance, risk assessment, preparedness, and reporting – even for organizations that have previously operated under the radar. At the same time, we see that internal resources in many organizations are not growing in line with the requirements.
This means that security work often becomes “something you do on the side.” An IT manager is given responsibility for security in addition to everything else. Some measures are initiated – but without a holistic plan, prioritization, or structure.
It’s understandable, but also risky.
Distributing security responsibility across different functions can work in theory. In practice, we often see that:
No one has overall ownership – a security strategy is missing.
Measures are random – there’s a reaction to what’s urgent, but little preventive work.
Regulations and threats remain abstract – because no one has the role of monitoring and translating them into the organization's context.
The board and management are not involved or do not receive sufficient insight – and therefore lack the basis to make informed decisions.
You may not need a full-time security leader. But you need someone to take responsibility for the bigger picture – for a few hours a week or during a transitional phase.
Through our CISO for hire service, Sicra offers experienced advisors who act as the organization’s security leader – without you having to hire someone. We can assist with:
Security posture analysis
Short-term and long-term cybersecurity strategy
Closing security gaps
Plans to meet NIS2 and other relevant requirements
Establishing or further developing an ISMS (Information Security Management System)
Reporting to management and the board
Incident response and contingency planning
It’s about trust, reputation, and the ability to withstand unforeseen events. For many organizations, NIS2 will be a wake-up call – and an opportunity to clean up, gain structure, and create a long-term security plan.
But that plan needs an owner.
Are you already working on NIS2 preparations, but lack a clear responsible party?
We’re happy to have a non-binding conversation to explore how a CISO for hire could support your organization.