Cybersecurity is making its way onto boards of directors. The Authority: strategic decisions cannot be delegated
The Cybersecurity Agency has updated its FAQs on the NIS 2 Directive: boards of directors are responsible for approving security strategies, whilst only the operational implementation may be delegated
Key points
Cybersecurity is moving right up to the top levels of organisations. With the update to the FAQs on the NIS 2 Directive, the National Cybersecurity Agency, headed by Andrea Quacivi, makes it clear that corporate governing bodies cannot simply take note of the decisions made by technical departments. Strategic decisions on cybersecurity are the direct responsibility of boards of directors or, where applicable, sole directors. And they cannot be delegated.
Nis 2: approval rests with senior management
The first clarification concerns the documents provided for in Article 23 of the NIS Decree. Their approval is the exclusive responsibility of the collegial body or the single-member body. The message is clear: senior management must take direct responsibility for strategic decisions relating to cybersecurity. It cannot delegate this function to other departments, managers or internal bodies. However, the tasks required to translate those decisions into concrete and operational measures may be delegated.
Strategy at board level, implementation by technical departments
The new FAQs thus draw a clear distinction between governance and management. It is the responsibility of the governing bodies to define the guidelines and strategic planning for security measures. Procedures, operational instructions and manuals, on the other hand, remain the responsibility of the relevant technical departments, which may draw them up and update them without having to refer back to the board of directors each time. Strategic responsibility therefore remains at the top level. Operational implementation may be entrusted to those responsible for the day-to-day management of cyber security.
A single document or several coordinated documents
The Agency also clarifies that NIS entities may organise their documentation according to the model they consider most suitable for their own structure. Organisations may therefore choose whether to combine guidelines, measures and planning in a single document or to distribute the content across several coordinated documents. It is not the form used that matters, but the existence of a coherent documentation system capable of clearly distinguishing strategic decisions from technical activities.
Technical updates do not always make it back to the board of directors
A further clarification concerns subsequent amendments. Updating the technical and organisational documents referred to in the strategic documentation does not automatically require re-approval by the governing bodies.

