---
title: "NIS2 Governance: Policies & Accountability"
description: "NIS2 Governance controls (GV): policies, roles, and accountability model. How to structure cybersecurity governance for baseline compliance."
canonical: https://www.aegister.com/en/cms/insights/nis2-governance-gv-policies-roles-accountability/
url: /en/cms/insights/nis2-governance-gv-policies-roles-accountability/
lang: en
---

# NIS2 Governance Controls (GV): Policies, Roles, and Accountability Model

January 30, 2026

In the NIS2 baseline model, the Governance (GV) domain defines how entities set cybersecurity direction, assign accountability, and maintain oversight. For compliance teams, the practical target is a governance system that links policy approval, risk strategy, role ownership, and supply-chain governance to auditable evidence.

Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

## Key takeaways

- Governance controls are foundational and drive all other NIS implementation areas.
- GV controls combine context, risk strategy, roles and powers, policy lifecycle, and supply-chain governance.
- Governing bodies and executive management are expected to approve key governance artifacts and review outcomes.
- Evidence readiness is mandatory: governance without records is not operationally defensible.

Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## GV structure to implement

### 1. Organizational context (GV.OC)

Define critical objectives, capabilities, and services that governance must protect. This anchors risk decisions and prioritization.

### 2. Risk management strategy (GV.RM)

Set risk priorities and criteria, then maintain a recurring governance process that reviews risk-management outcomes.

### 3. Roles, responsibilities, and powers (GV.RR)

Assign cybersecurity roles and decision rights formally, including interaction with governance and escalation paths.

### 4. Policy framework (GV.PO)

Adopt a policy set for cyber risk management, define review cadence, and ensure governance approval and periodic updates.

### 5. Supply-chain governance (GV.SC)

Integrate supplier cybersecurity risk in procurement and contract governance, with defined responsibilities and documented controls.

Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Governance artifacts and expected evidence

| Governance item | Minimum expectation | Typical evidence |
| --- | --- | --- |
| Cyber governance model | Formalized accountability model | Role matrix, governance charter |
| Policy governance | Approved policy set with lifecycle | Approval records, revision history |
| Risk governance loop | Recurring review and decisions | Governance reports, risk review minutes |
| Supply-chain governance | Supplier-risk controls integrated | Procurement requirements, contract clauses, review logs |
| Governance communication | Decision flow to operations | Escalation procedures, decision registers |

Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## 90-day governance hardening checklist

1. Confirm governance owners and approval authorities for cyber risk decisions.
2. Validate GV policy coverage against baseline requirements and assign review deadlines.
3. Update role and responsibility map with explicit decision rights and escalation triggers.
4. Embed supplier cybersecurity requirements in procurement governance.
5. Consolidate governance evidence into an audit-ready register.

## FAQ

### Are GV controls only documentation requirements?

No. GV controls require decisions, accountability, and ongoing governance actions, supported by documentary evidence. Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

### Who must approve governance policies?

The baseline framework expects governance-level approval for core cybersecurity policy and related governance artifacts. Sources: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

### How does GV connect to technical controls?

GV sets scope, ownership, and risk priorities that drive identification, protection, detection, response, and recovery implementation. Source: [ACN baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Related guides in this series

- [supply chain security requirements](/en/cms/insights/nis2-supply-chain-security-critical-suppliers/)

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 Article 23 in Practice: Obligations for Management and Governing Bodies](/en/cms/insights/nis2-article-23-governance-obligations/)
- [NIS2 cybersecurity policies document: practical guide for GV.PO-01 approval](/en/cms/insights/nis2-cybersecurity-policies-document-gv-po-01/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)
- [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/)

## Official sources

- [ACN - Baseline obligations determination and annexes](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [Gazzetta Ufficiale - Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
