Marcin PajdzikCISOADVISORY
NIS25-minute readMarch 2026

Governing a NIS2 Programme

NIS2 places substantive, ongoing obligations on the management body. Building a compliance position that meets them requires a governed programme, not a series of disconnected improvement initiatives. Organisations that treat NIS2 as a list of controls to check off will find the position they have built is difficult to demonstrate and harder to sustain.

For boards of NIS2 in-scope organisations, the question is whether the programme they are sponsoring will leave a functioning compliance capability or a compliance event. The answer depends on how the programme is designed from the outset.

What Article 20 requires of a programme

Article 20 of NIS2 requires the management body to approve the organisation's cybersecurity risk management measures and oversee their implementation. The obligation is not satisfied by a point-in-time remediation exercise. The management body must be able to demonstrate that it approved the measures, received ongoing reporting on their implementation, and that the controls it approved are maintained and periodically reviewed after the programme closes.

Supervisory authorities have inspection and audit powers and may investigate at any point, not only following an incident. An organisation that has completed a compliance project but built no mechanism for maintaining what it produced, and no reporting structure to keep the management body informed, cannot demonstrate ongoing compliance in the way Article 20 requires. The programme's scope must account for what happens after it closes from the point it begins.

What distinguishes a governed programme

Five elements distinguish a governed programme from a compliance project.

Programme mandate
A formally documented mandate approved at management body level, establishing who holds programme authority, what decisions require management body approval, and what the governance forums are. Without it, the programme cannot make the decisions that arise across twelve to twenty-four months of delivery.
Gap register
An obligation-mapped gap register that connects every workstream deliverable to a specific NIS2 requirement in the applicable national transposition. The register is how the management body understands the compliance position at any point during delivery, and how it carries into BAU as the ongoing status record.
Target operating model
A design of the target compliance state, approved before delivery begins, that specifies what each control looks like when complete, who owns it in BAU, and how it is evidenced and reviewed. This is the standard the assurance phase measures against when the programme approaches close.
Named workstream ownership
Named leads and defined close conditions for each workstream across the full Article 21(2) obligation landscape. A workstream does not close until its deliverables are built, evidenced, and confirmed as ready for named BAU owners to sustain.
Closure and handover record
A formally documented closure record, including the incident notification tabletop exercise result and the programme closure report presented to the management body, with the sustained compliance owner confirmed in post before the programme stands down.

What the management body should ask before approving a programme

Four questions determine whether a programme brief will produce an adequate outcome. First, does a gap register exist that maps planned workstream outputs to specific NIS2 obligations in each relevant jurisdiction, or is the programme scoped to a generic framework? The gap register is the foundation on which every delivery decision rests.

Second, is the target operating model a named programme deliverable, scoped and resourced before delivery begins, or is it deferred to programme close? A model assembled under pressure at the end of a long programme will not receive the governance attention it requires.

Third, does each workstream have a named BAU owner confirmed before the workstream closes? Ownership that is not confirmed before handover is not ownership. Fourth, is the programme closure report to the management body a formal deliverable with defined approval conditions? A programme that closes without formal management body sign-off on the outcome has not completed.

How this affects your organisation

For boards of NIS2 in-scope organisations, the programme brief presented for approval is the point at which the compliance position is shaped. A brief that scopes only to remediation, without a gap register, a target operating model, and named BAU ownership, will not leave a position the management body can stand behind.

Article 20 accountability applies to what exists after the programme closes. The management body that approves a programme brief carries accountability for the compliance position that programme produces.

To discuss how to structure a NIS2 programme that will leave an adequate compliance position, book a 20-minute advisory call.

Book a 20 minute advisory callRead the programme framework All briefings