The NIS2 Directive makes cybersecurity a leadership issue. Here are seven places where executive leadership's involvement is critical, plus how to bring them on board.
These insights come from Marie Bjerre Simonsen, Information Security Expert at Wired Relations.
NIS2 explicitly places responsibility for cybersecurity with executive leadership. In serious cases, top management may be held personally liable for non-compliance.
“It’s explicitly stated in NIS2 that we need to have executive management on board. They must be able to make decisions on an informed basis.”
The organisation’s security policies must reflect its risk appetite. While NIS2 sets a non-negotiable baseline, leadership must decide how much additional risk the organisation is willing to accept.
“We need to involve management when determining our risk appetite.”
Once the risk appetite is defined, leadership must help shape the risk model—and formally approve the accepted risk level.
Security policies only work if leadership is involved, approves them, and actively supports their implementation.
“It’s also important to include executive leadership in the information policy, where roles and responsibilities are defined.”
Cyber resilience requires not just protection but also the ability to recover fast. Leaders must be involved in contingency planning and readiness testing.
“When I look into contingency plans, it’s often at the executive level that issues need to be escalated if something goes wrong. And these plans need to be tested. Leadership must be involved.”
Cybersecurity isn’t a one-time project. It’s an ongoing responsibility. Management must ensure continuous follow-up and improvement.
“There’s a requirement to follow up on whether things are actually working as intended. Making sure it’s effective is extremely important. And we need to adjust along the way.”
Implementing NIS2 takes time and investment. It’s up to leadership to prioritise efforts and allocate resources accordingly.
“Some of these things will cost money.”
Executive leadership must be fully engaged in NIS2 implementation. But how do you get them on board?