RACI for NIS 2 in a 60-person organisation
Under Art. 20 NIS 2 the management body is Accountable for risk-management measures by law. RACI is the cheapest way to make sure everyone else knows what that means in practice.
Why RACI for NIS 2
Most Mittelstand teams skip the RACI matrix because it sounds like consultant theatre. Under NIS 2 it is not optional in spirit. Art. 20 NIS 2 puts Accountability on the management body by name; the matrix is just the cheapest way to make Accountable, Responsible, Consulted and Informed legible to the team.
A 60-person organisation cannot afford a CISO, a DPO, a CCO, a head of legal and a head of IT as five different people. One person typically covers two or three roles, and the management body covers the directly-personal-liability ones. RACI documents how that consolidation works without violating the directive.
The matrix matters most at two moments: when a new manager joins and asks who owns which NIS 2 obligation, and when the BSI requests evidence and you need to show that someone signed off.
Art. 20(1) NIS 2 (management body responsibility)
Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.
'Approve' and 'oversee' are Accountable activities in RACI terms. The management body holds A whether or not it delegates R. Delegation is allowed, abdication is not.
§38 BSIG (management body training)
Mitglieder der Leitungsorgane wesentlicher und wichtiger Einrichtungen haben an Schulungen teilzunehmen, um ausreichende Kenntnisse und Fähigkeiten zur Erkennung und Bewertung von Risiken und Risikomanagementverfahren im Bereich der Cybersicherheit sowie ihrer Auswirkungen zu erwerben.
Training is the management body's own obligation, not delegable. RACI shows this as Responsible AND Accountable on the management body row.
Management body
CEO, Geschäftsführer, Vorstand. Accountable for Art. 21 measures by law. Responsible for Art. 20 training, budget approval, risk acceptance over the agreed threshold.
IT lead or CISO
Most 60-person Mittelstand entities do not have a CISO; the IT lead doubles. Responsible for technical implementation of measures, day-to-day operations, supplier technical assessment.
Data protection officer (DPO)
Already in place for GDPR. Under NIS 2 they typically own the customer-notification side (Art. 23(2) NIS 2) and the breach overlap with GDPR Art. 33. Often part-time or external.
HR
Responsible for ORP.3 staff training, joiner/mover/leaver access processes, the personal-data-on-employees side of supplier management.
Compliance or legal
Often outsourced. Responsible for contract clauses with suppliers under Art. 21(2)(d), Art. 23(2) recipient notifications, regulatory correspondence with the BSI.
| RACI matrix | Management body | IT lead or CISO | Data protection officer (DPO) | HR | Compliance or legal |
|---|---|---|---|---|---|
| BSI registration under §33 BSIG | A | R | C | I | C |
| Information security policy under Art. 21(2)(a) | A | R | C | C | C |
| Incident handling under Art. 21(2)(b) | A | R | C | I | C |
| Business continuity under Art. 21(2)(c) | A | R | I | C | I |
| Supply chain security under Art. 21(2)(d) | A | C | C | I | R |
| Management body training under Art. 20(2) + §38 BSIG | A and R | I | C | C | C |
| All-staff awareness training under Art. 21(2)(g) | A | C | C | R | I |
| Incident notification under Art. 23 + §32 BSIG | A | R | C | I | C |
| Recipient notification under Art. 23(2) NIS 2 | A | C | R | I | C |
| Registration update under §33(5) BSIG (2-week deadline) | A | R | I | C | C |
RACI fails when teams treat A and R as the same. Under Art. 20 NIS 2 the management body holds A by law. It cannot delegate A. It can and must delegate R, often to the IT lead or DPO, but the buck still stops at the management body.
Practical consequence: when an audit asks 'who signed off on this risk acceptance?', the answer cannot be 'the IT lead'. It must be a member of the management body, by name, with a date. The IT lead executes; the management body signs.
An MSP arrangement does not move A to the MSP. Art. 20 stays with your management body. Responsibility for execution may live at the MSP, but only inside a contract that defines what they do under Art. 21(2)(d).
The RACI matrix gets a sixth column: external MSP. They sit as R on technical rows, as Consulted on policy rows. The Accountable column never leaves your management body.
- Directive (EU) 2022/2555 (NIS 2), Art. 20, Art. 21, Art. 23, www.eur-lex.europa.eu
- Act on the Federal Office for Information Security (BSIG), §32, §33, §38, www.gesetze-im-internet.de
- BSI IT-Grundschutz ORP.3 (awareness and training), www.bsi.bund.de
- Cooperation Group Common Notification Templates (adopted 26 May 2026) on reporting workflows
This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, BSI IT-Grundschutz, Cooperation Group templates). It does not constitute legal advice within the meaning of §2 RDG. For specific RACI design in your entity, consult a qualified advisor. As at 2026-06-04.