CyberGrant Team, Feb 20, 2026, 8 min read

NIS 2 & GDPR: Strategic Governance for Compliance

Who Decides? The Question of Accountability

NIS 2 and GDPR as Command Systems: The Centrality of the Strategic Level

Compliance with the NIS 2 Directive and GDPR is, first and foremost, a governance issue.
Organizations overseeing critical processes must structure themselves according to a command logic similar to military doctrine, founded on the distinction between strategic and operational levels, in order to implement the accountability and risk governance mechanisms required by both the NIS 2 Directive and GDPR.
At the top, the management and executive bodies define the strategic vision and take responsibility for decisions; downstream, operational management translates those directives into action.
This article analyzes the central role of the strategic level in data protection and cybersecurity, showing how EU legislation has explicitly adopted this model based on the separation between command and operations.


The Right Question Isn't "What to Do" but "Who Decides"

When an organization is required to make its processes compliant with NIS 2 or GDPR requirements, attention almost always focuses on tools. Discussions center on measures, controls, and technological solutions, as if compliance depended primarily on equipment or technical skills.
Yet, before asking "what to do," a prior question must be asked, one that is often avoided because it is uncomfortable: who decides?
Organizations overseeing critical processes find themselves in a condition of permanent risk exposure, where every choice produces concrete and sometimes irreversible effects.
In these contexts, only one type of architecture can work: one that distinguishes the strategic level from the operational level.
This functional necessity has now become a precise legal requirement, incorporated in Article 23 of Legislative Decree 138/2024 (the so-called NIS 2 Decree), which places the responsibility for risk management at the strategic level.

The Strategic Level as the Place of Command

The responsibility for building an organization's asset protection system lies at the strategic level. This is where command is concentrated, occupied by management and executive bodies—Board of Directors, CEO, general management, C-Level.

In this domain, the vision takes shape, translated into binding strategic directives and transformed into organizational mission. These are real decisions, intended to orient the entire organizational structure on:

  • what risk is acceptable;

  • what deserves priority protection;

  • how information systems, networks, and data must be governed;

  • where responsibility begins and ends.

When this strategic level is missing or remains implicit, the organization loses its center of gravity and operational functions begin to move in misalignment, producing documents, procedures, and controls that, while appearing formally correct, don't respond to a unified design.

The result is a fragmented system, incapable of withstanding the pressure of constantly evolving risks.

The need for process governance founded on policies deliberated at the apex level doesn't represent a merely formal approach but rather is an established practice recommended by major international information security standards. ISO/IEC 27001:2022, in fact, requires Top Management to:

  • define an information security policy consistent with context and strategic objectives (clause 5.2);

  • demonstrate leadership and direct commitment in defining, approving, and supporting the management system (clause 5.1);

  • assign roles, responsibilities, and authority clearly and formally (clause 5.3).

 

With NIS 2, Command Becomes Mandatory

The NIS 2 Directive has made explicit the logic being described.

Article 23 of Legislative Decree 138/2024, which transposed the NIS 2 Directive into national law, and the operational requirements established by the National Cybersecurity Agency (ACN) with determination No. 379907 of December 18, 2025, assign to the management and executive bodies of essential and important entities the responsibility to:

  • define cyber risk management policies;

  • approve implementation plans;

  • oversee system effectiveness.

Command, therefore, is no longer one organizational choice among many but a duty of the management body itself: the related responsibility is non-delegable and cannot be transferred to operational-level managers.

The resulting principle is simple and rigorous: those who govern the organization must also govern its risks.

Thus, with NIS 2, cybersecurity ceases to be a technical function and assumes its real nature as a command responsibility.

Directly connected to this responsibility is also a fundamental obligation: the application of Article 30 of Legislative Decree 138/2024, which requires essential and important entities to list, describe, and classify activities and services relevant to the security of networks and information systems.

This is an obligation that cannot be postponed, because in the coming weeks many organizations will have to initiate and complete this work by June 30, 2026.

Article 30 requires a reasoned mapping of the activities that constitute the organization's critical backbone, to be communicated to ACN through the information-sharing platform. Essentially, the regulation requires the entity to establish:

  • what must be overseen with priority;

  • which processes are essential;

  • which services expose it to greater risk;

  • which assets must be protected with reinforced measures.

This requirement represents a strategic passage: you cannot govern what you don't know precisely, and without this awareness, every security policy risks remaining abstract, every operational plan risks failing.

In this framework, cybersecurity is confirmed as a matter of command, vision, and responsibility. A domain where leadership decides, the organization knows, and only then becomes capable of protecting its information systems and networks.

 

GDPR: Policies as Written Command

GDPR doesn't use military language but fully adopts its logic, doing so through the structure of its regulations, particularly when it introduces the concept of data controller's internal policies.

Recital 78 and Article 24, paragraph 2, place the controller's internal policies at the center of the accountability mechanism, clarifying that they are necessary acts to demonstrate compliance with personal data protection principles. They are therefore acts of strategic relevance and, due to this particular nature, direct expression of the organizational leadership's will.

The controller's internal policies allow proving that:

  • there exists an organizational vision on personal data processing;

  • this vision is formalized, known, and communicated internally and is reviewed and updated over time.

An updated, coherent, and applied policy tells a precise story: that of an organization that knows what it's doing.

In this sense, the controller's processing policies function as true internal sources of privacy law, because they determine how the organization interprets and applies the principles and requirements established by GDPR.

When these policies don't exist or aren't approved by leadership, the personal data protection system may continue to produce documents and procedures but, lacking a direction to follow, becomes effectively ungovernable.

 

Vision, Coherence, and the DPO's Role

Within this architecture, the Data Protection Officer (DPO) performs a function that is often misunderstood. Article 39, paragraph 1, letter b) of GDPR assigns the DPO the task of monitoring compliance not only with the Regulation but also with the controller's own policies.

This means the DPO doesn't merely control the formal correctness of processing but is also called to verify coherence between strategic decisions and operational practices.

The DPO thus becomes a guardian of organizational legality, capable of:

  • making decision voids visible;

  • signaling distances between what is declared and what is done;

  • returning to organizational leadership the responsibility that is properly theirs.

The DPO thus also becomes a custodian of system coherence.

 

When Command Is Missing

When command is missing, the organization continues to appear active: documents multiply, procedures are adopted, and meetings follow one another. However, the system moves without a common direction.

In the absence of clear strategic decision-making, rules arise reactively, with the result that:

  • each function oversees its own space;

  • each manager protects their own perimeter;

  • each process builds limited solutions.

The result isn't greater security but a disorderly accumulation of measures that don't integrate and, indeed, end up weakening each other.

Without unified direction, even operational decisions diverge.

Responsibility thus fragments until it dissolves.

These critical issues become evident when a security incident occurs. In those moments the organization moves but doesn't decide: activities multiply while command is absent.

It's the sign of merely formal compliance that works on paper but not in operational reality.

Thus, the system seems to hold until it's put under pressure; at the first significant event, the absence of a true chain of command emerges clearly.

NIS 2 and GDPR were conceived to avoid exactly this outcome. They don't function as simple lists of measures but as true governance regulations; in fact, before indicating what to do, they clarify who must decide. Because a system, even if imperfect, remains governable only when command is clear; if instead command is missing, no procedure can guarantee real protection or substantial compliance.

 

Conclusions

At this point, the picture is clear. Compliance with NIS 2 and GDPR doesn't arise from good procedures or well-selected technologies. It's the result of a system of decisions and responsibilities that starts at the top and takes shape through management.

The strategic level is where leadership defines policies, assumes responsibilities, and establishes which risks are acceptable and which aren't.

Without this foundation, no operational structure can function coherently because when command is missing, activities proceed without guidance and thus decisions disperse, procedures multiply without logic, and responsibility weakens.

The system may appear active, but in reality remains exposed, fragile, and purely reactive.

When instead leadership exercises its role, the entire organization finds a point of reference. Operational plans have direction, controls follow logic, people know what they must do and why they do it.

In the next article, the analysis will shift to this second level to understand how strategic directives are translated into plans, processes, controls, and management systems, and why operations, while essential, neither can nor should substitute command.

FileGrant: Compliance That Starts with Data

NIS 2 and GDPR require leadership to govern risk, not just document it.

FileGrant brings strategic control where it truly matters: to the individual file. Encryption, granular access controls, and private AI enable management to translate security policies into concrete, verifiable, and sustained measures over time, without relying on procedures that risk remaining on paper alone.

 

From Asset Mapping to Protection: FileGrant's Role

Article 30 requires identifying and classifying critical activities by June 30, 2026.

FileGrant integrates this logic: intelligent TAGs automatically classify sensitive documents, RBAC permissions define who can access them, audit logs track every operation. The DPO finds in FileGrant a tool to verify coherence between declared policies and actual operational practices.
