NIS2 Directive’s impact on reshaping the CISO role
2025 (English) Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]
The evolving cybersecurity threat landscape and recent legislative advancements in the European Union have brought more attention to the role of the Chief Information Security Officer (CISO). This thesis investigates the impact of the NIS2 Directive on the responsibilities, expectations, and strategic positioning of CISOs in the affected organizations. NIS2 significantly broadens the scope of the original NIS Directive by introducing stricter cybersecurity requirements and adding explicit, more severe obligations and enforcement that now apply to both the public and private sectors. Using a combination of a comparative analysis of legal texts, a systematic literature review, and semi-structured interviews with industry professionals, this research identifies how the directive reshapes the CISO’s responsibilities in areas such as risk management, incident reporting, regulatory compliance, and internal governance. The findings reveal that NIS2 calls for a more proactive and integrated approach to cybersecurity, adding to the CISO’s duties. Depending on the organization, these changes may be absorbed well if prepared for accordingly, but may induce more disorganization in others. This study highlights the need for clearer role definitions through standardization and for enhanced organizational support. The results aim to provide insights for organization leaders and cybersecurity practitioners looking to improve their regulatory transition and strengthen their cyber resilience.
Place, publisher, year, edition, pages
2025. p. iv, 64
Keywords [en]
CISO, NIS2, Chief Information Security Officer, Network and Information Systems, Directive, Governance, Systematic Literature Review, Interviews
National Category
Information Systems, Social aspects; Law
Identifiers
URN: urn:nbn:se:his:diva-25479; OAI: oai:DiVA.org:his-25479; DiVA, id: diva2:1983413
Subject / course
Information Technology
Educational program
Privacy, Information and Cyber Security - Master's Programme 120 ECTS
Supervisors
Examiners
2025-07-10; 2025-07-10; 2025-09-29. Bibliographically approved