NIS 2: A new challenge for project managers
The NIS 2 Directive introduces a new standard of cybersecurity in the European Union, which affects not only IT departments but also project management itself. Project managers are beginning to face the need to integrate NIS 2 requirements into the planning, execution, and monitoring of projects. For this reason, we organized a professional workshop for the Chamber of Project Managers, where we presented the main challenges arising from the NIS 2 Directive in the context of project management and how to respond to them effectively.
On Wednesday, May 14, members of the Chamber of Project Managers gathered at the premises of Asseco CE Cloud in Prague, and together we immersed ourselves in a topic that strongly resonates across various sectors today – cybersecurity and the NIS 2 Directive.
Under the title “NIS 2 – What Does It Mean for Project Managers,” a workshop was held, led by Peter Brťka, CTO of Asseco CE Cloud and an experienced expert in cybersecurity, and Helena Ulrychová from the Digital and Information Agency. Together, they opened the door to a reality where cybersecurity is no longer a topic exclusively for IT departments.
The project manager as a link in the security chain
The workshop clearly demonstrated that the role of the project manager must adapt to the NIS 2 Directive. In addition to their regular responsibilities, the project manager must also have an overview of the security aspects of the project.
The key recommendation is to cooperate with a cybersecurity expert. Today, no major project can function without someone who possesses specific know-how in the field of cybersecurity. However, this cooperation should not be merely formal – the project manager should understand what risks are present and what the security measures specifically mean for the project team.
We also discussed responsibility. It is important to have clarity about where the project manager’s role begins and ends. If the project manager is responsible for implementing security measures, they also bear personal responsibility for them. And this is no longer just an internal matter – the NIS 2 Directive brings real consequences.


Cybersecurity as a part of responsible project management
It was also emphasized that cybersecurity is not limited to the technical layer. The project manager must have an overview of the entire supply chain. Contracts with partners and suppliers should include provisions related to cybersecurity, and these requirements must be clearly communicated.
Equally important is being prepared for change. Security requirements may evolve during the course of a project, and it is necessary to respond to this through change management. Project documentation should also include a section dedicated to cybersecurity risk management – not as a formality, but as a living management tool.
Where does the role of the project manager end and the role of the information security manager begin?
The discussion about the boundaries between organizational leadership, the project manager, and the security expert sparked exceptional interest. Who is responsible for what? And where do these roles overlap?
The project manager should have a basic understanding of the NIS 2 requirements, be able to translate them into project activities, and actively cooperate with the security specialist. Neither of these roles can function in isolation – only the combination of expert knowledge, experience, and quality project management leads to a result capable of meeting the demands of new regulations.
The workshop was also enriched by a representative from the National Cyber and Information Security Agency, Radek Řičánek, who shared with us specific insights from real cases and from oversight of the implementation of cybersecurity measures. It is always highly valuable when theoretical knowledge is connected with professional practice.


