---
title: NIS2 Cybersecurity Organization Document
description: How to structure the NIS2 cybersecurity organization document (GV.RR-02). Roles, responsibilities, RACI matrix, and reporting lines for compliance.
canonical: https://www.aegister.com/en/cms/insights/nis2-cybersecurity-organization-document-gv-rr-02/
url: /en/cms/insights/nis2-cybersecurity-organization-document-gv-rr-02/
lang: en
---

# NIS2 cybersecurity organization document: how to structure it for GV.RR-02 approval

![NIS2 cybersecurity organization document: how to structure it for GV.RR-02 approval](/static/images/cms/nis2-requisiti-di-base.webp)

January 28, 2026

The “Cybersecurity organization” document is one of the mandatory documents in Appendix C and must be approved by governing and management bodies under **GV.RR-02 point 1**. In practice, this document defines who is accountable for cyber decisions, who executes controls, and how escalation and reporting work.

## Key takeaways

- The cybersecurity organization document is explicitly listed in Appendix C and requires formal approval.
- A generic org chart is not enough; governance roles, responsibilities, and decision rights must be explicit.
- The document should connect board oversight, operational ownership, and evidence outputs.
- A structured template reduces ambiguity and accelerates approval cycles.

## What the document must prove

| Governance objective | Minimum expected output | Evidence to maintain |
| --- | --- | --- |
| Clear accountability | Named governance and operational roles | Role appointment records |
| Decision ownership | Defined approval and escalation chain | Approval matrix and minutes |
| Operational continuity | Role substitutes and availability model | Substitution table and handover records |
| Execution traceability | Role-to-control mapping | RACI matrix linked to controls |

## Suggested template structure (practical)

### 1. Purpose, scope, and references

State that the document governs the cybersecurity organization under the NIS2 baseline obligations and list the applicable legal and ACN references.

### 2. Governance model

Describe board-level oversight, management responsibilities, and reporting cadence.

### 3. Roles and responsibilities

Define each role (for example: governance sponsor, cybersecurity owner, incident decision owner, CSIRT liaison) with clear duties.

### 4. Escalation and decision workflow

Map triggers, decisions, approvers, and response timelines for relevant cyber events.

### 5. Interfaces with other mandatory documents

Show links to risk, incident, continuity, and training documents to prevent governance silos.

### 6. Approval and review cycle

Include a formal approval block, the next review date, and the change-management process for the document.

## Frequent drafting mistakes

1. Using job titles without named accountability.
2. Missing substitute roles for critical functions.
3. No link between governance roles and operational controls.
4. Governance section not aligned with incident-notification obligations already in force.
5. Approval page present but review cadence undefined.

## 20-day implementation checklist

1. Confirm current governance and operational cyber roles.
2. Build a role-to-control RACI map.
3. Define escalation path with approval authority at each step.
4. Add substitute and continuity coverage for critical roles.
5. Align this document with incident-management and risk documentation.
6. Submit for legal/compliance review before board approval.

## FAQ

### Is this document mandatory for board approval?

Yes. Appendix C explicitly lists “Cybersecurity organization” with reference GV.RR-02 point 1 and requires approval by governing and management bodies.

### Can we reuse our existing IT organization chart?

Only partially. You need explicit cybersecurity governance duties, escalation ownership, and accountability evidence, not only reporting lines.

### What is the fastest way to make it approval-ready?

Use a standardized template with fixed governance sections, role catalog, RACI mapping, and pre-filled approval/review blocks.

## Conclusion and next steps

A defensible cybersecurity organization document should make governance decisions auditable and operational execution unambiguous. If your team is still working from fragmented org notes, move to a structured template workflow and close board approval early on the path to the October 2026 deadline.

## Related reading

- [NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now](/en/cms/insights/nis2-mandatory-documents-master-guide-board-approval/)
- [NIS2 cybersecurity policies document: practical guide for GV.PO-01 approval](/en/cms/insights/nis2-cybersecurity-policies-document-gv-po-01/)
- [NIS2 Legal Architecture and Role Model in Italy: Who Is Accountable for What](/en/cms/insights/nis2-legal-architecture-role-model-italy/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)
- [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/)

## Official sources

- [ACN – Guida alla lettura delle specifiche di base](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
- [ACN – Determinazione obblighi di base 379907/2025](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [Gazzetta Ufficiale – Decreto Legislativo 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
