Who should primarily own cyber risk?

Board: 20%
CEO: 29%
CISO/CSO: 39%
Chief risk officer (CRO): 4%
Let me see the results: 5%
Other (comment below with your alternative): 1%

357 participants, 3.2k views, 2 comments
Director of Information Security in Finance (non-banking), 10 months ago

It is essential that every business unit has full control over the infrastructure it is dependent on. The responsible manager of the business process owns all the risks the process has internally, from a business and operational perspective (follow NIS2 or DORA, for example).
To be able to do so, the following requirements need to be fulfilled:
1.) The full dependency tree from the process to all deliverables, internally and externally
2.) Derive all requirements top-down
3.) The ability to aggregate operational risk bottom-up

Risk management runs the framework and the processes for how risks are measured and reported, and governance sets the frame for decision making regarding risks.

Director of IT in Energy and Utilities, 2 years ago

The owner of the cyber risk depends on what it is.

One example: if the cyber risk is due to technology obsolescence, then the officer of the company whose function owns such a system is the primary owner of the cyber risk, with the CIO and CISO being informed. Take, as an example, an obsolete HR application. The assumption is that HR is paying for having the system around and for ensuring that technology investments are made in this HR system. If the system continues to be obsolete, the HR leader owns all risks associated with that system, including cyber risks.

Another example: if the cyber risk is due to phishing, such a risk would be owned by the CISO/CSO. It is the CISO/CSO's remit to put preventive and reactive measures in place around phishing for the organization. This could mean phishing tests, spam filters, intrusion detection, intrusion prevention, etc.
