The “Cybersecurity organization” document is one of the mandatory documents in Appendix C and must be approved by governing and management bodies under GV.RR-02 point 1. In practice, this document defines who is accountable for cyber decisions, who executes controls, and how escalation and reporting work.
Key takeaways
- The cybersecurity organization document is explicitly listed in Appendix C and requires formal approval.
- A generic org chart is not enough; governance roles, responsibilities, and decision rights must be explicit.
- The document should connect board oversight, operational ownership, and evidence outputs.
- A structured template reduces ambiguity and accelerates approval cycles.
What the document must prove
| Governance objective | Minimum expected output | Evidence to maintain |
|---|---|---|
| Clear accountability | Named governance and operational roles | Role appointment records |
| Decision ownership | Defined approval and escalation chain | Approval matrix and minutes |
| Operational continuity | Role substitutes and availability model | Substitution table and handover records |
| Execution traceability | Role-to-control mapping | RACI matrix linked to controls |
Suggested template structure (practical)
1. Purpose, scope, and references: state that the document governs the cybersecurity organization under NIS baseline obligations and list the applicable legal/ACN references.
2. Governance model: describe board-level oversight, management responsibilities, and reporting cadence.
3. Roles and responsibilities: define each role (for example: governance sponsor, cybersecurity owner, incident decision owner, CSIRT liaison) with clear duties.
4. Escalation and decision workflow: map triggers, decisions, approvers, and response timelines for relevant cyber events.
5. Interfaces with other mandatory documents: show links to the risk, incident, continuity, and training documents to prevent governance silos.
6. Approval and review cycle: include a formal approval block, the next review date, and the change-management process.
Frequent drafting mistakes
- Using job titles without named accountability.
- Missing substitute roles for critical functions.
- No link between governance roles and operational controls.
- Governance section not aligned with incident-notification obligations already in force.
- Approval page present but review cadence undefined.
20-day implementation checklist
- Confirm current governance and operational cyber roles.
- Build a role-to-control RACI map.
- Define escalation path with approval authority at each step.
- Add substitute and continuity coverage for critical roles.
- Align this document with incident-management and risk documentation.
- Submit for legal/compliance review before board approval.
FAQ
Is this document mandatory for board approval?
Yes. Appendix C explicitly lists “Cybersecurity organization” with reference GV.RR-02 point 1 and requires approval by governing and management bodies.
Can we reuse our existing IT organization chart?
Only partially. You need explicit cybersecurity governance duties, escalation ownership, and accountability evidence, not just reporting lines.
What is the fastest way to make it approval-ready?
Use a standardized template with fixed governance sections, role catalog, RACI mapping, and pre-filled approval/review blocks.
Conclusion and next steps
A defensible cybersecurity organization document should make governance decisions auditable and operational execution unambiguous. If your team is still working from fragmented org notes, move to a structured template workflow and secure board approval early on the path to October 2026.
Related reading
- NIS2 mandatory documents master guide: what must be approved by the board and what to prepare now
- NIS2 cybersecurity policies document: practical guide for GV.PO-01 approval
- NIS2 Legal Architecture and Role Model in Italy: Who Is Accountable for What
- Aegister NIS2 Compliance Service
- Aegister Virtual CISO Service