From an IT topic to a management responsibility.

Cyber security was long viewed as a purely technical matter, with the assumption that technical safeguards would be enough. NIS2, however, makes it clear that risks can emerge across entire business processes—from production and procurement to HR and customer management.

Information security is therefore a leadership responsibility that requires:

  • clear management commitment
  • defined roles and responsibilities
  • regular risk reviews, and
  • structured decision‑making processes.

While IT remains essential for implementation, overall risk accountability sits at the organisational level.


Cyber security isn’t a project with a defined end point—it’s a long‑term management responsibility.

Erich Butta, Service Innovation, Quality Management & Compliance, Bechtle Austria


Asset inventory – Transparency equals control.

Effective risk management starts with transparency, yet many applications, data sets and dependencies have grown organically over time and remain only partially documented.

An organisation-wide asset inventory provides the essential foundation, covering:

  • business‑critical processes
  • information assets and data
  • applications and infrastructure
  • sites and physical components, and
  • supplier and service‑provider dependencies.

This enables risks to be assessed at the asset level by clarifying the consequences of a failure, identifying affected regulatory requirements, and estimating how long operations would be impaired.

This means risks become tangible—and easier to prioritise.

Structured implementation based on clear guiding principles.

For many organisations, ISO 27001 offers a proven methodological framework. In addition, European guidelines define central implementation areas ranging from governance and risk management to business continuity, incident handling, supply‑chain security and continuous improvement.

What matters is not the number of measures but their traceability and effectiveness. Documented decisions, clear ownership structures and an actively maintained ISMS (information security management system) provide that foundation.

Developing existing systems based on risk.

Very few organisations operate on a “greenfield” basis, as long‑standing applications and legacy systems remain part of everyday operations.

NIS2 does not demand complete modernisation but rather an appropriate, documented approach to managing risks. Technical and organisational measures—such as role‑based access controls, multi‑factor authentication or structured authorisation processes—can significantly strengthen security without having to replace entire systems.

Strengthening business continuity and crisis readiness.

A key aspect of implementation is ensuring operational capability during a crisis. Business‑impact analyses, recovery strategies and regular emergency tests verify whether processes, responsibilities and communication channels will hold up when it matters.

These tests are not just an IT exercise. They evaluate the organisation as a whole and significantly enhance resilience.

Supply chain and continuous improvement.

Cyber risks do not stop at organisational boundaries, which is why security requirements must be firmly embedded in procurement and supplier management.

At the same time, information security is an ongoing discipline. Regular reviews, effectiveness checks and clear management reporting ensure that protective measures remain aligned with evolving threats and regulatory expectations.

More than compliance.

NIS2 is not a project with a fixed end date. When implemented properly, cyber security becomes a permanent element of modern corporate governance—comparable to quality or occupational safety standards.

Organisations benefit from more stable systems, clearer decision‑making pathways and increased trust among customers and partners.

Success is not about perfection but about starting with structure, setting clear priorities and driving consistent improvement.