In the NIS2 baseline model, the Governance (GV) domain defines how entities set cybersecurity direction, assign accountability, and maintain oversight. For compliance teams, the practical target is a governance system that links policy approval, risk strategy, role ownership, and supply-chain governance to auditable evidence.
Sources: ACN baseline obligations determination, Legislative Decree 138/2024
Key takeaways
- Governance controls are foundational and drive all other NIS implementation areas.
- GV controls combine context, risk strategy, roles and powers, policy lifecycle, and supply-chain governance.
- Governing bodies and executive management are expected to approve key governance artifacts and review outcomes.
- Evidence readiness is mandatory: governance without records is not operationally defensible.
Sources: ACN baseline obligations determination
GV structure to implement
1. Organizational context (GV.OC)
Define critical objectives, capabilities, and services that governance must protect. This anchors risk decisions and prioritization.
2. Risk management strategy (GV.RM)
Set risk priorities and criteria, then maintain a recurring governance process that reviews risk-management outcomes.
3. Roles, responsibilities, and powers (GV.RR)
Assign cybersecurity roles and decision rights formally, including interaction with governance and escalation paths.
4. Policy framework (GV.PO)
Adopt a policy set for cyber risk management, define review cadence, and ensure governance approval and periodic updates.
5. Supply-chain governance (GV.SC)
Integrate supplier cybersecurity risk into procurement and contract governance, with defined responsibilities and documented controls.
Sources: ACN baseline obligations determination
Governance artifacts and expected evidence
| Governance item | Minimum expectation | Typical evidence |
|---|---|---|
| Cyber governance model | Formalized accountability model | Role matrix, governance charter |
| Policy governance | Approved policy set with lifecycle | Approval records, revision history |
| Risk governance loop | Recurring review and decisions | Governance reports, risk review minutes |
| Supply-chain governance | Supplier-risk controls integrated | Procurement requirements, contract clauses, review logs |
| Governance communication | Decision flow to operations | Escalation procedures, decision registers |
Sources: ACN baseline obligations determination
90-day governance hardening checklist
- Confirm governance owners and approval authorities for cyber risk decisions.
- Validate GV policy coverage against baseline requirements and assign review deadlines.
- Update the role and responsibility map with explicit decision rights and escalation triggers.
- Embed supplier cybersecurity requirements in procurement governance.
- Consolidate governance evidence into an audit-ready register.
FAQ
Are GV controls only documentation requirements?
No. GV controls require decisions, accountability, and ongoing governance actions, supported by documentary evidence. Source: ACN baseline obligations determination
Who must approve governance policies?
The baseline framework expects governance-level approval for core cybersecurity policy and related governance artifacts. Sources: ACN baseline obligations determination, Legislative Decree 138/2024
How does GV connect to technical controls?
GV sets scope, ownership, and risk priorities that drive identification, protection, detection, response, and recovery implementation. Source: ACN baseline obligations determination