NIS2 requires companies to establish structured governance, implement technical security measures, and maintain demonstrable incident-response processes, for which CISOs must assume full responsibility at board level.