Key Takeaways
  • NIS2 Article 20 places explicit responsibility on management bodies to approve, oversee, and be accountable for cybersecurity risk management measures.
  • Management must approve cybersecurity measures, oversee their implementation, and undergo cybersecurity training sufficient to assess risks and their impact.
  • Personal liability can be imposed on individual executives for non-compliance, including temporary bans from managerial functions.
  • Board-level cybersecurity governance is no longer optional — it is a legal obligation for all essential and important entities across the EU.
  • Evidence of governance must be documented and available for regulators, including board minutes, training records, and reporting packs.

What Article 20 Requires

Article 20 of the NIS2 Directive (Directive (EU) 2022/2555) is titled "Governance" and, in its first paragraph, establishes three non-negotiable obligations for the management bodies of essential and important entities; its second paragraph adds a training obligation. It represents one of the most significant shifts in European cybersecurity regulation: the explicit, personal accountability of boards and executives for cybersecurity outcomes.

Prior to NIS2, the original NIS Directive (2016/1148) placed obligations on operators of essential services and digital service providers, but it did not specifically address the role of management bodies. NIS2 corrects this gap. Article 20 states that Member States shall ensure that the management bodies of essential and important entities:

  • Approve the cybersecurity risk management measures adopted by the entity pursuant to Article 21
  • Oversee the implementation of those measures
  • Can be held liable for infringements of the obligations set out in the directive

Furthermore, Article 20(2) requires that members of management bodies undergo training and encourages entities to offer similar training to their employees on a regular basis. The training must enable management body members to gain sufficient knowledge and skills to identify risks, assess cybersecurity risk management practices, and evaluate their impact on the services provided by the entity.

These requirements apply equally to essential entities (such as energy, transport, health, and digital infrastructure operators) and important entities (such as postal services, waste management, food production, and manufacturing). There is no size or sector exemption once an entity falls within NIS2 scope.

Transposition Deadline

EU Member States were required to transpose NIS2 into national law by 17 October 2024. While transposition progress varies, organisations should not wait for full national implementation to begin governance preparations. The directive's requirements are clear, and supervisory authorities are already establishing inspection frameworks.

Who Is the Management Body?

The NIS2 Directive uses the term "management bodies" without prescribing a single corporate structure. This is deliberate — the directive applies across 27 Member States with widely different corporate governance models. The management body is the organ or individual(s) who, under national law and the entity's constitutional documents, are authorised to represent the entity, take decisions on its behalf, or exercise control at the highest level.

Corporate Structures Across Jurisdictions

In practice, the management body typically refers to:

  • Germany (GmbH / AG): The Geschäftsführung (managing directors) or Vorstand (executive board). In a two-tier structure, the Aufsichtsrat (supervisory board) may also bear oversight obligations depending on how the Member State transposes Article 20.
  • France (SA / SAS): The Conseil d'administration (board of directors) or Directoire (management board). The Président and Directeur Général are directly implicated.
  • Netherlands (BV / NV): The bestuur (management board) and, where applicable, the raad van commissarissen (supervisory board).
  • Ireland / UK-style structures: The board of directors, including both executive and non-executive directors.
  • Nordic countries: The styret or bestyrelse (board of directors), with the CEO (administrerende direktør) as part of the executive management.

For entities with a single-tier board (common in Ireland, the Netherlands, and many Central European jurisdictions), all board members — executive and non-executive — are part of the management body. For two-tier structures (common in Germany and Austria), the executive board carries primary responsibility, though the supervisory board's oversight role may also be engaged.

C-Suite and Senior Leadership

Beyond the formal board, the following roles are typically considered part of or directly accountable to the management body for NIS2 purposes:

  • Chief Executive Officer (CEO): Ultimate executive authority and typically a member of the management body
  • Chief Information Security Officer (CISO): Leads cybersecurity programme; reports to or advises the management body
  • Chief Information Officer (CIO): Oversees IT infrastructure; often accountable for implementing technical measures
  • Chief Risk Officer (CRO): Integrates cybersecurity risk into enterprise risk management
  • Data Protection Officer (DPO): Where GDPR and NIS2 obligations overlap, the DPO provides advisory input to the board

Key Point

The management body cannot delegate away its NIS2 accountability. While the board may delegate operational cybersecurity to the CISO or a risk committee, the legal obligation to approve, oversee, and be trained remains with the management body itself. Delegation of tasks does not equal delegation of liability.

Four Core Obligations

Article 20 creates four distinct obligations for management bodies. Each one carries specific expectations regarding documentation, process, and evidence. Understanding these separately is critical because supervisory authorities will assess compliance against each obligation independently.

1. Approve Cybersecurity Risk Management Measures

The management body must formally approve the cybersecurity risk management measures that the entity adopts under Article 21 of NIS2. This is not a rubber-stamping exercise — the directive's intent is that the board understands what it is approving and why.

What must be approved:

  • The entity's cybersecurity risk management framework and methodology
  • Risk assessment results and the risk treatment plan
  • Specific measures under Article 21, including policies on risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability management, cryptography, human resources security, access control, and asset management
  • Cybersecurity policies and acceptable use policies
  • Investment and resourcing decisions for cybersecurity

How to evidence approval:

  • Board meeting minutes explicitly recording the presentation of cybersecurity measures and the board's resolution to approve them
  • Signed approval records on key policy documents
  • Board papers and briefing packs provided ahead of meetings, demonstrating that members had the information needed to make informed decisions
  • Version-controlled policy documents with documented approval workflows

Approval must be an ongoing activity, not a one-off event. Whenever measures are materially updated — following an incident, a change in threat landscape, a new regulation, or a major organisational change — the management body must re-approve the updated measures.

2. Oversee Implementation

Approval without oversight is insufficient. The management body must actively monitor whether the approved measures are being implemented effectively and on schedule. This obligation transforms cybersecurity from a delegated technical matter into a standing board agenda item.

Monitoring mechanisms:

  • Regular board reporting: The CISO or equivalent must report to the board on cybersecurity posture at defined intervals (quarterly at minimum, monthly for high-risk entities)
  • Key Performance Indicators (KPIs): Track implementation progress, control effectiveness, incident trends, vulnerability remediation times, and training completion rates
  • Internal audit results: Audit findings related to cybersecurity must be presented to the board with remediation plans
  • Incident reports: Significant cybersecurity incidents must be escalated to the management body promptly
  • External assessments: Results from penetration tests, red team exercises, and third-party audits should be reported to the board

Reporting lines:

The CISO (or equivalent role) must have a clear reporting line to the management body. Where the CISO reports only to the CIO or to a mid-level IT manager, regulators may question whether the board has adequate visibility and whether genuine oversight is taking place. Best practice is a direct or dotted-line reporting relationship between the CISO and the CEO or the board's risk/audit committee.

3. Undergo Cybersecurity Training

Article 20(2) requires management body members to undergo training to gain "sufficient knowledge and skills to identify risks, assess cybersecurity risk management practices, and evaluate their impact on the services provided by the entity."

This is not a suggestion — it is a legal requirement. The training obligation recognises that management bodies cannot effectively approve and oversee cybersecurity measures if they do not understand cybersecurity fundamentals and the specific risks facing their organisation.

What training must cover:

  • The entity's cybersecurity threat landscape and risk profile
  • Fundamentals of cybersecurity risk management
  • Overview of the measures adopted under Article 21
  • Incident detection, reporting, and response basics
  • Regulatory obligations under NIS2, including notification timelines
  • Supply chain and third-party risk
  • The role and responsibilities of the management body under NIS2

Frequency and delivery:

  • At minimum annually, with additional sessions following significant changes (major incidents, new threat intelligence, updated regulations)
  • Delivered by qualified internal or external cybersecurity professionals
  • Tailored to the entity's sector, size, and risk profile — not generic awareness training
  • Interactive sessions that allow board members to ask questions and explore scenarios

Evidence expectations:

  • Training attendance records signed by each management body member
  • Training materials and agenda preserved for audit
  • Certificates of completion where provided by external trainers
  • Board minutes noting that training was conducted and key topics covered

4. Accept Personal Liability

Article 20(1) states that management bodies "can be held liable for infringements" of Article 21 obligations. Article 32(6) and Article 33(5) further specify that Member States shall ensure that any natural person responsible for or acting as a representative of an essential or important entity can be held personally liable for breaches.

What this means in practice:

  • Liability is personal — not only corporate. Individual board members can face sanctions.
  • Under Article 32(5)(b), supervisory authorities can request that competent bodies or courts order a temporary ban of a natural person from exercising managerial functions at chief executive or legal representative level in essential entities.
  • Financial penalties for essential entities can reach up to EUR 10 million or 2% of global annual turnover (whichever is higher). For important entities, up to EUR 7 million or 1.4% of global annual turnover.
  • The exact mechanisms for personal liability are determined by each Member State's transposition. Some may impose administrative fines on individuals; others may create criminal liability in severe cases.

Critical Distinction

Personal liability under NIS2 is not limited to cases of gross negligence or intentional misconduct. The directive enables liability for infringements — meaning a failure to comply with Article 21 measures, even if the failure was not deliberate. This significantly raises the bar for board engagement with cybersecurity.

Management Training Requirements

The training obligation under Article 20(2) deserves detailed treatment because it represents a new and enforceable requirement that many boards are unprepared for. Unlike general employee awareness training, management body training must enable informed decision-making about cybersecurity at the highest governance level.

Training Content Framework

| Training Module | Content | Outcome |
|---|---|---|
| Threat Landscape | Current threats relevant to the entity's sector: ransomware, supply chain attacks, nation-state actors, insider threats | Board can identify key risks to the organisation |
| Risk Management Fundamentals | Risk assessment methodology, risk appetite, risk treatment options, residual risk acceptance | Board can assess whether risk management is adequate |
| Article 21 Measures | Overview of all ten categories of measures: risk analysis, incident handling, BCP, supply chain, network security, vulnerability management, cryptography, HR security, access control, asset management | Board understands what has been approved and implemented |
| Incident Response | Detection, notification timelines (24-hour early warning, 72-hour notification, 1-month final report), board's role during a major incident | Board knows its role when an incident occurs |
| Regulatory Obligations | NIS2 requirements, supervisory powers, penalties, reporting obligations, Member State-specific requirements | Board understands legal consequences of non-compliance |
| Supply Chain Risk | Third-party risk assessment, contractual requirements, monitoring of critical suppliers | Board can evaluate supply chain cybersecurity posture |
| Governance Responsibilities | Article 20 obligations, personal liability, evidence requirements, good governance practices | Board members understand their personal obligations |

Who Should Deliver Training?

Training can be delivered by internal cybersecurity leaders (the CISO or equivalent) or by external specialists. For board-level training, the use of external experts can add credibility and ensure independence. Training providers should:

  • Have demonstrable expertise in NIS2 and European cybersecurity regulation
  • Understand the entity's sector-specific threat landscape
  • Be capable of engaging a non-technical audience at board level
  • Provide written materials and certificates of attendance

Training for Employees

Article 20(2) also encourages entities to offer similar training to employees on a regular basis. While this is framed as encouragement rather than a strict obligation on the management body, it forms part of the broader Article 21 measures (specifically, the requirement for cybersecurity hygiene practices and training). Entities should establish a tiered training programme:

  • All employees: Annual cybersecurity awareness training covering phishing, password hygiene, reporting suspicious activity, and data handling
  • IT and security staff: Technical training aligned to their roles and the entity's technology stack
  • Management body: Governance-focused training as detailed above

Governance Framework

Meeting NIS2's governance requirements demands a structured framework that connects the management body to operational cybersecurity through clear roles, reporting lines, and decision-making processes.

Recommended Organisational Structure

The following structure reflects best practice for NIS2 governance. The exact model should be adapted to the entity's size, sector, and corporate governance arrangements.

  • Board of Directors / Management Body: Ultimate accountability for cybersecurity governance. Approves policies, oversees implementation, reviews risk posture quarterly.
  • Board Risk Committee or Audit Committee: Delegated responsibility for deeper scrutiny of cybersecurity risk. Reviews detailed reporting packs, audit findings, and incident reports. Reports to the full board.
  • Chief Executive Officer (CEO): Executive sponsor for cybersecurity. Ensures adequate resourcing and escalation to the board.
  • Chief Information Security Officer (CISO): Leads the cybersecurity programme. Develops and implements measures under Article 21. Reports to the CEO and/or directly to the board risk committee.
  • Data Protection Officer (DPO): Advises on the intersection of NIS2 and GDPR, particularly for incident notification and data breach implications.
  • Cybersecurity Steering Committee: Cross-functional body comprising CISO, CIO, CRO, Legal, HR, and Operations. Meets monthly to review implementation progress, incident trends, and upcoming changes.

Reporting Cadence

| Forum | Frequency | Key Agenda Items |
|---|---|---|
| Full Board | Quarterly | Cybersecurity risk posture, major incidents, regulatory updates, policy approvals, investment decisions |
| Board Risk/Audit Committee | Quarterly (or monthly for high-risk entities) | Detailed KPI dashboards, audit findings, penetration test results, supplier risk reviews, remediation tracking |
| Cybersecurity Steering Committee | Monthly | Implementation progress, incident reviews, threat intelligence, training status, vendor assessments |
| CISO to CEO | Fortnightly / Monthly | Operational cybersecurity status, escalations, resource needs, emerging risks |
| Ad hoc Escalation | As needed | Significant incidents, critical vulnerabilities, regulatory communications, major breaches |

Escalation Paths

Clear escalation paths are essential for NIS2 compliance. The management body must be informed promptly when significant cybersecurity events occur. Define escalation thresholds based on:

  • Incident severity: Critical and high-severity incidents must be escalated to the CEO and board within defined timelines (e.g., within 4 hours for critical incidents)
  • Regulatory impact: Any incident triggering NIS2 notification obligations must be escalated to the management body immediately
  • Financial impact: Incidents with potential financial impact above a defined threshold
  • Reputational impact: Incidents likely to attract media attention or affect customer confidence

Board Reporting Template

Effective board reporting on cybersecurity is a core element of demonstrating oversight under Article 20. A well-structured board cybersecurity report should contain the following sections:

Recommended Report Structure

  • Executive Summary: One-page overview of cybersecurity posture, key risks, and any items requiring board action
  • Risk Dashboard: Heat map of top cybersecurity risks, risk trends (improving/stable/deteriorating), and risk appetite alignment
  • Incident Summary: Number and severity of incidents since last report, notable incidents and lessons learned, open incident investigations
  • Compliance Status: NIS2 compliance progress, outstanding actions from previous board meetings, regulatory correspondence and supervisory activity
  • Key Performance Indicators:
    • Patch compliance rate (% of critical vulnerabilities remediated within SLA)
    • Mean time to detect (MTTD) and mean time to respond (MTTR)
    • Security awareness training completion rate
    • Third-party risk assessment completion rate
    • Business continuity testing results
  • Investment and Resourcing: Cybersecurity budget utilisation, upcoming investment needs, staffing status
  • External Threat Intelligence: Sector-specific threats, geopolitical developments affecting cyber risk, newly disclosed vulnerabilities relevant to the entity's technology
  • Actions for Board Approval: Specific items requiring management body decision — policy updates, risk acceptance decisions, investment proposals

Reporting Best Practice

Board reports should be concise (5-10 pages), use visual dashboards where possible, avoid excessive technical jargon, and clearly separate items for information from items requiring decision. The report should be distributed to board members at least 5 working days before the meeting to allow adequate review time.

Evidence of Governance Compliance

When supervisory authorities inspect an entity's NIS2 compliance, they will look for concrete evidence that the management body has fulfilled its Article 20 obligations. Verbal assurances are insufficient — documented evidence is essential.

| Obligation | Evidence Required |
|---|---|
| Approval of cybersecurity measures | Board minutes explicitly recording the presentation and approval of cybersecurity risk management measures; signed policy documents with approval dates; board papers and briefing packs circulated ahead of the meeting |
| Oversight of implementation | Regular board reporting packs on cybersecurity posture; KPI dashboards presented to the board; documented board questions and follow-up actions; internal and external audit reports presented to the board |
| Cybersecurity training | Training attendance records signed by each management body member; training certificates from external providers; training agendas and materials; board minutes noting the training session and topics covered |
| Governance structure | Appointment letters for CISO, DPO, and other cybersecurity roles; committee terms of reference (risk committee, steering committee); organisational charts showing reporting lines to the management body; role descriptions defining cybersecurity responsibilities |
| Incident escalation | Escalation procedures defining thresholds and timelines; records of incidents escalated to the management body; board minutes noting incident discussion and decisions taken; post-incident review reports presented to the board |
| Risk acceptance | Risk register entries showing residual risks accepted by the management body; board minutes recording risk acceptance decisions with documented rationale; periodic re-review of accepted risks |

Personal Liability Under NIS2

Personal liability for cybersecurity failures is the provision of NIS2 that has generated the most attention — and concern — among boards and executives. Understanding the scope and mechanisms of this liability is essential for effective governance.

What the Directive Says

Article 20(1) enables Member States to hold management body members liable for infringements of Article 21 (cybersecurity risk management measures). Article 32(5)(b) goes further for essential entities, allowing supervisory authorities to request that competent bodies or courts temporarily prohibit a natural person responsible for discharging managerial responsibilities at chief executive or legal representative level from exercising those managerial functions.

For important entities, Article 33(5) provides a similar, though slightly less prescriptive, framework for enforcement actions against natural persons.

Sanctions Landscape

| Sanction Type | Essential Entities | Important Entities |
|---|---|---|
| Maximum administrative fine | EUR 10 million or 2% of total worldwide annual turnover | EUR 7 million or 1.4% of total worldwide annual turnover |
| Temporary management ban | Explicitly enabled under Article 32(5)(b) | Member State discretion |
| Compliance orders | Binding instructions to implement specific measures | Binding instructions to implement specific measures |
| Public disclosure | Supervisory authorities may publicise non-compliance | Supervisory authorities may publicise non-compliance |

Variation Across Member States

Because NIS2 is a directive (not a regulation), each Member State transposes it into national law with some degree of interpretation. Key areas of variation include:

  • Scope of personal liability: Some Member States may limit personal liability to cases of gross negligence; others may apply it more broadly
  • Criminal vs administrative liability: Some Member States may create criminal offences for the most serious infringements; others will rely on administrative sanctions
  • Duration of management bans: The directive does not specify a maximum duration for temporary management bans, leaving this to national law
  • Enforcement body: Different Member States assign enforcement to different authorities — national cybersecurity agencies, data protection authorities, sector-specific regulators, or dedicated NIS2 supervisory authorities

Entities operating across multiple EU Member States must consider the most stringent transposition and ensure their governance framework satisfies requirements in all jurisdictions where they operate.

Common Governance Gaps

Based on regulatory guidance, supervisory expectations, and emerging enforcement practice, the following governance gaps are the most frequently identified — and the most likely to attract supervisory attention.

| Governance Gap | Risk | Remediation |
|---|---|---|
| Rubber-stamping without understanding | Board approves cybersecurity measures without genuine comprehension; cannot demonstrate informed decision-making | Provide board briefing packs in advance; ensure CISO presents in plain language; record board questions and discussion in minutes |
| No documented training | Management body cannot evidence that members have undergone cybersecurity training as required by Article 20(2) | Schedule annual board cybersecurity training; maintain attendance records and certificates; document training content and outcomes |
| CISO reports too low in the organisation | CISO reports to IT director or mid-level manager; board has no direct visibility of cybersecurity posture | Establish CISO reporting line to CEO or board risk committee; ensure CISO has standing invitation to board meetings |
| No regular board reporting cadence | Cybersecurity is discussed only after incidents or crises; no proactive oversight demonstrated | Establish quarterly cybersecurity reporting to the board; use standardised reporting templates; track actions and follow-ups |
| Treating governance as a one-off exercise | Board approved policies once and considers governance obligations fulfilled; no ongoing oversight or re-approval | Implement annual policy review cycle with board re-approval; conduct periodic governance effectiveness reviews |
| No escalation procedure | Significant incidents are not escalated to the management body in a timely manner; board is unaware of material risks | Define escalation thresholds and timelines; test escalation procedures through tabletop exercises; document escalation records |
| Delegating without retaining oversight | Board delegates cybersecurity entirely to the CISO without receiving reports or exercising oversight | Establish governance framework with clear reporting obligations; board retains approval authority for key decisions |
| No risk acceptance documentation | Board has informally accepted residual risks without documenting the decision or rationale | Formal risk acceptance process with board sign-off; documented rationale; periodic re-review of accepted risks |

NIS2 Governance vs ISO 27001 Leadership

Many entities subject to NIS2 have already implemented ISO 27001. Understanding the relationship between NIS2 Article 20 governance requirements and ISO 27001 Clause 5 (Leadership) helps organisations leverage existing controls while identifying gaps.

| Aspect | ISO 27001 (Clause 5) | NIS2 (Article 20) |
|---|---|---|
| Nature of obligation | Voluntary standard; assessed through certification audit | Legal obligation; enforced by supervisory authorities with sanctioning powers |
| Management commitment | Top management shall demonstrate leadership and commitment to the ISMS | Management body shall approve cybersecurity risk management measures and oversee implementation |
| Policy approval | Top management shall establish an information security policy | Management body shall approve the specific measures adopted under Article 21 |
| Roles and responsibilities | Top management shall assign and communicate ISMS roles and responsibilities | Management body is directly responsible; cannot fully delegate accountability |
| Training requirement | Organisation shall ensure personnel are competent (Clause 7.2); no explicit requirement for top management training | Management body members must personally undergo cybersecurity training |
| Personal liability | No personal liability mechanism; non-conformities result in audit findings | Explicit personal liability for management body members; temporary management bans possible |
| Oversight evidence | Management review (Clause 9.3) conducted at planned intervals | Ongoing oversight with documented board reporting, escalation records, and KPI monitoring |
| Enforcement | Loss of certification; reputational impact | Administrative fines up to EUR 10 million / 2% turnover; temporary management bans; compliance orders |

Key takeaway: ISO 27001 provides a strong foundation for NIS2 governance, particularly regarding policy framework, risk management, and management review. However, NIS2 goes significantly further in requiring personal training, explicit approval of specific measures, and personal liability. Organisations with ISO 27001 certification should conduct a gap analysis against Article 20 to identify additional governance activities needed.

How Glocert International Helps

NIS2 Readiness Assessment

Glocert International provides comprehensive NIS2 readiness assessments that evaluate your governance framework against Article 20 requirements. Our assessments include:

  • Gap analysis of management body governance practices against Article 20 obligations
  • Review of board reporting mechanisms and escalation procedures
  • Assessment of management training programmes and evidence
  • Mapping of existing ISO 27001 controls to NIS2 requirements
  • Development of board-level cybersecurity reporting templates
  • Governance framework design aligned to your corporate structure and jurisdictional requirements


Frequently Asked Questions

What does NIS2 Article 20 require of management bodies?

Article 20 of the NIS2 Directive requires management bodies to approve cybersecurity risk management measures, oversee their implementation, undergo cybersecurity training, and accept personal liability for infringements. This applies to boards of directors, executive boards, and equivalent governing bodies across all essential and important entities within scope of the directive.

Can executives be personally liable under NIS2?

Yes. Article 20(1) allows Member States to hold management body members personally liable for infringements. Sanctions can include temporary bans from exercising managerial functions. The exact scope of personal liability varies by Member State transposition, but the directive explicitly enables individual accountability. For essential entities, Article 32(5)(b) specifically provides for temporary management bans.

What cybersecurity training must management bodies undergo?

Management body members must undergo training to gain sufficient knowledge and skills to identify risks, assess cybersecurity risk management practices, and evaluate their impact on services. Training should cover the organisation's threat landscape, risk management methodology, measures under Article 21, incident response basics, and regulatory obligations. NIS2 also encourages offering similar training to all employees on a regular basis. Training should be conducted at least annually and documented with attendance records.

How does NIS2 governance compare to ISO 27001 leadership requirements?

ISO 27001 Clause 5 requires top management to demonstrate leadership and commitment, establish policy, and assign roles. NIS2 Article 20 goes further by requiring management bodies to personally approve risk management measures, undergo cybersecurity training themselves, and accept personal liability. NIS2 is more prescriptive and carries enforceable legal consequences including fines up to EUR 10 million or 2% of global turnover, whereas ISO 27001 is a voluntary standard assessed through certification audits.

What evidence of governance compliance should organisations maintain?

Organisations should maintain board minutes documenting approval of cybersecurity measures, training attendance records and certificates for management body members, appointment letters for cybersecurity roles (CISO, DPO), committee terms of reference, regular board reporting packs on cybersecurity posture, escalation records, and risk register reviews. This evidence demonstrates active governance and will be requested during supervisory inspections. All evidence should be version-controlled, dated, and stored in a manner that ensures integrity and availability.