The Risk Management & Governance domain under the NIS2 Lens evaluates whether cybersecurity risk is owned, governed, and acted upon at management level. This domain determines whether cyber risk is treated as an operational IT issue or as a business risk with executive accountability and supervisory visibility.
Purpose of This Domain
Formal Identification
Cybersecurity risks must be formally identified and assessed using structured methodologies that capture threats across the enterprise landscape.
Management Accountability
Management bodies bear explicit responsibility for risk decisions, ensuring cybersecurity is treated as a business imperative rather than a technical concern.
Risk-Based Measures
Security measures are selected and prioritized based on comprehensive risk assessments, not on vendor recommendations or industry trends alone.
Governance Enablement
Governance structures enable effective supervision and enforcement, providing clear pathways for escalation and decision-making authority.
NIS2 fundamentally evaluates who decides and who is accountable, not merely what controls exist. The directive requires organizations to demonstrate that governance mechanisms translate into actionable oversight and measurable risk management outcomes.
Management Accountability & Oversight
This capability area examines whether management bodies actively own cybersecurity risk through demonstrable oversight and engagement. Management accountability represents the cornerstone of NIS2 compliance, requiring executives to possess working knowledge of the organization's security posture and the ability to articulate risk decisions to supervisory authorities.
Critical Requirements
Clear assignment of cybersecurity responsibility at management level with documented authority and decision-making power
Demonstrable oversight of security posture and incidents through regular reviews and active participation
Integration of cyber risk into enterprise risk discussions alongside financial and operational risks
Capability of management to explain security decisions to supervisors with supporting rationale and evidence
Accountability Standard
Accountability must be explicit, not implied. NIS2 supervisors expect to identify specific individuals who bear responsibility for cybersecurity decisions and can demonstrate their active involvement in risk governance.
1. Establish and document a cyber risk assessment methodology that aligns with enterprise risk frameworks and regulatory expectations, including defined criteria for likelihood and impact evaluation.
2. Comprehensive Identification: Identify risks systematically across all critical areas including assets, identities, network infrastructure, applications, and third-party suppliers with attention to interdependencies.
3. Risk Evaluation: Evaluate each identified risk based on quantified or qualitatively assessed likelihood and business impact, considering both technical vulnerabilities and organizational context.
4. Periodic Reassessment: Conduct reassessments on defined schedules and when significant changes occur to the threat landscape, business environment, or technology infrastructure.
Unassessed risk cannot be governed. Organizations must maintain current risk registers that reflect the evolving nature of cyber threats and demonstrate how assessment outcomes drive security investment and control prioritization decisions.
This capability area evaluates whether risks are treated intentionally and proportionally through documented decision-making processes. Organizations must demonstrate clear linkage between identified risks and the controls implemented to address them.
Risk treatment decisions should follow established frameworks, considering options to mitigate, transfer, accept, or avoid risks based on business context and regulatory requirements. Each decision must be traceable to specific risk scenarios and supported by management approval.
01. Risk-Based Selection: Technical and organizational measures selected based on assessed risk levels
02. Decision Documentation: Formal records of risk treatment choices with supporting rationale
03. Residual Risk Acceptance: Explicit acceptance of remaining risk by accountable management
04. Control Alignment: Verification that implemented controls address approved risk treatments
Regulatory Reality: Controls without risk justification lack regulatory credibility. Supervisors expect organizations to explain why specific security measures were chosen and how they address identified business risks.
This capability area examines whether cybersecurity policies and structures enable enforcement and supervision. Effective governance requires more than policy documents; it demands operational structures that translate policy intent into consistent practice and provide mechanisms for oversight.
Approved Policies & Procedures
Comprehensive cybersecurity policies formally approved by management, covering all essential domains including access control, incident response, business continuity, and supplier security. Policies must be current, accessible, and demonstrably implemented.
Governance Bodies
Established committees or steering groups that support cybersecurity decision-making with defined membership, meeting cadence, and authority to allocate resources and approve risk treatment plans.
Decision Pathways
Clear escalation and decision paths that define when and how cybersecurity matters reach management attention, including thresholds for incident escalation and risk acceptance authority levels.
Policy-Practice Alignment
Verifiable alignment between stated policy requirements and operational practice, demonstrated through monitoring, compliance checks, and enforcement of policy violations.
Policies are meaningful only when they enable action and provide clear guidance for decision-making. Organizations must demonstrate that governance structures actively shape security outcomes rather than existing as compliance artifacts.
This capability area focuses on whether governance is reviewed and improved over time through systematic evaluation and response to lessons learned.
Static governance fails under evolving threat conditions. Organizations must establish mechanisms that capture insights from incidents, audits, and assessments, then translate those insights into governance enhancements.
Periodic Review
Management review of cybersecurity risk at defined intervals
Incident Analysis
Follow-up on security incidents and near-misses
Audit Response
Action on findings from internal and external assessments
Corrective Actions
Tracking and verification of governance improvements
Continuous improvement requires documented processes for capturing lessons learned, prioritizing governance enhancements, and measuring the effectiveness of changes. Management must demonstrate awareness of governance maturity trends and articulate plans for addressing identified weaknesses.
Evidence supporting this domain must demonstrate real governance activity, not merely policy existence. Supervisors evaluate whether documented governance processes reflect actual management engagement and result in measurable risk management outcomes.
Management Meeting Records
Minutes from management or board meetings that include cybersecurity risk discussions, showing active engagement with security posture, incident reviews, and risk acceptance decisions with supporting context and debate.
Risk Documentation
Risk assessment registers, treatment plans, and control selection documentation that demonstrate systematic risk evaluation and the linkage between identified threats and implemented security measures.
Decision Records
Documented risk acceptance decisions signed by accountable management, including residual risk statements, compensating controls, and timeframes for risk remediation or reassessment.
Oversight Reports
Regular reports to management on security metrics, incident summaries, and compliance status, plus records of supervisory communications demonstrating transparent engagement with authorities.
Supervisory Expectation: Supervisors expect to see decision trails, not just documents. Evidence must demonstrate that governance processes influenced actual security outcomes and management exercised informed oversight.
Understanding typical failure patterns helps organizations recognize and address governance vulnerabilities before they result in regulatory findings. The following patterns represent the most frequent causes of NIS2 enforcement actions in the risk management and governance domain.
Delegation Without Oversight
Cyber risk delegated to technical teams without management understanding or periodic review. Management cannot explain security posture or risk decisions to supervisors, revealing absence of genuine governance.
Disconnected Assessments
Risk assessments performed to satisfy compliance requirements but not acted upon. Identified risks remain untreated, and assessment outcomes do not influence security investment or control prioritization.
Uninformed Implementation
Controls implemented based on vendor recommendations or industry standards without management understanding of what risks they address or why they were selected over alternatives.
Supervision Readiness Gap
Inability to explain security decisions during supervisory review. Management lacks working knowledge of cybersecurity measures and cannot articulate the rationale behind risk treatment choices.
These failures often result in direct regulatory findings and enforcement actions. Supervisors view governance failures as more serious than technical vulnerabilities because they indicate systemic weaknesses in risk management capability.
This page serves as a reference for assessing and improving governance readiness under NIS2. Use the frameworks and evidence requirements described here to evaluate your organization's current state and identify gaps that require management attention.
Primary Use Cases
Assess management readiness for NIS2 supervision through structured evaluation of governance maturity
Translate governance gaps into regulatory exposure by mapping weaknesses to enforcement risk
Structure executive discussions on cyber risk using the capability areas as conversation frameworks
Prepare evidence for supervisory review by organizing governance artifacts according to regulatory expectations
Core NIS2 Question
Risk Management & Governance answers a fundamental question that supervisors ask during every review:
"Can management explain and defend its cybersecurity decisions?"
Organizations that can answer this question affirmatively, with supporting evidence of active governance, demonstrate NIS2 readiness. Those that cannot face significant regulatory and operational risk.