The National Cybersecurity Agency has updated its FAQs regarding the NIS 2 directive, clarifying that corporate boards of administration are responsible for approving strategic cybersecurity decisions, while operational implementation can be delegated to technical structures. Under the updated guidelines, companies must ensure that strategic decisions—such as defining security policies and planning—are made by the board or equivalent governing body. Operational tasks like creating procedures, instructions, and manuals remain under the responsibility of technical teams, which can update these documents independently without requiring board approval each time. Companies have flexibility in organizing their documentation, either through a single unified document or multiple coordinated acts, as long as there is a coherent system distinguishing strategic decisions from technical execution. Additionally, updates to technical and organizational documents do not automatically require reapproval by the board.
Bias read (Center): The article provides a neutral explanation of updated regulatory requirements related to cybersecurity governance within corporations. It does not take a stance on the regulation itself, nor does it favor any particular political perspective. The content focuses strictly on clarifying legal and行政职责,




