NIS2 (Directive (EU) 2022/2555) explicitly names the management bodies of essential and important entities as accountable for cybersecurity compliance. Article 20 requires those management bodies to approve the entity's cybersecurity risk-management measures, oversee their implementation, and accept that they can be held liable for the entity's infringements. Directors who delegate cybersecurity entirely to IT teams without exercising oversight now carry personal legal exposure.
What Article 20 Actually Says
NIS2 Article 20 ("Governance") provides, in summary:
- Member states shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities to comply with Article 21, oversee their implementation, and can be held liable for infringements of Article 21 by the entities
- Member states shall ensure that members of those management bodies are required to follow training, and shall encourage the entities to offer similar training to their employees on a regular basis, so that they gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services the entity provides
This is not a general corporate governance principle: it is a specific legal obligation in the directive, which member states were required to transpose into national law by 17 October 2024. Once transposed, it is enforceable by the national competent authority.
Who Counts as the "Management Body"?
The directive does not define this precisely, but national implementations generally encompass:
- Board of directors
- Management board or executive committee
- For smaller organisations without formal boards: the equivalent senior leadership group responsible for strategic decisions
In practice, for a startup or scale-up, this means the founders and C-suite. For a larger company, it means the board.
What Approval and Oversight Means in Practice
Approval of cybersecurity risk measures: The management body must formally approve the organisation's cybersecurity risk management programme. This cannot be delegated entirely to the CISO or IT team. The board must:
- Understand the organisation's key cybersecurity risks
- Formally approve the controls and measures adopted to address those risks
- Document this approval (board minutes, resolutions, or equivalent records)
Oversight of implementation: The management body must receive regular updates on cybersecurity:
- Regular reporting on the security programme — incidents, audit findings, risk changes, compliance status
- Specific briefings when significant incidents occur
- Oversight of major security investments and vendor selections
Personal accountability: If the entity fails to implement the risk-management measures required by Article 21, the management body is not insulated from liability by the corporate structure. The directive requires that management bodies can be held liable for the entity's infringements; the precise form of that liability (personal fines, disqualification or other sanctions) is set by each member state's transposing law, so check the national implementation that applies to you.
The Training Requirement
Article 20(2) requires management body members to follow cybersecurity training, with the stated aim that they gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services the entity provides. This is not the same as the annual security awareness training that all employees complete. To meet that aim, management cybersecurity training should cover:
- What NIS2 requires from the management body specifically
- How to assess cybersecurity risk at a governance level
- How to read and interpret security reports and incident briefings
- The personal liability implications under NIS2
Document that training has been completed. Authorities may ask for evidence during inspections.
What Happens If Management Fails to Comply
NIS2 Articles 32 (essential entities) and 33 (important entities) give national competent authorities supervisory and enforcement powers. For essential entities, these include:
- Warnings and binding instructions to implement specific security measures, cease non-compliant conduct, or implement the recommendations of a security audit
- Where those measures prove ineffective, a request to the competent bodies or courts to temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in the entity
The possibility of temporarily suspending the managerial functions of named individuals is a significant enforcement tool. It is a last-resort measure available only against essential entities (Article 33 does not provide it for important entities), and it applies only until the entity takes the action needed to remedy the deficiency. A chief executive or legal representative who has let warnings and binding instructions go unaddressed can be barred from managing the entity until compliance is restored.
Practical Actions for Boards and Senior Management
1. Schedule a NIS2 governance briefing. All management body members should receive a session covering NIS2 requirements, what they mean for the organisation, and the personal liability implications. Document attendance.
2. Create a cybersecurity governance structure. Assign a named executive responsible for NIS2 compliance. Establish a regular reporting cadence to the management body (quarterly minimum).
3. Formally approve the cybersecurity risk management programme. The board should pass a resolution adopting the organisation's NIS2 risk management approach, with the approved controls documented.
4. Define escalation to the board for significant incidents. The management body must be notified promptly of significant incidents as defined in Article 23. Build this escalation into the incident response procedure alongside the Article 23 reporting timelines (early warning to the CSIRT or competent authority within 24 hours, incident notification within 72 hours), so that the board is not learning of an incident after the regulator does.
5. Maintain records of board cybersecurity decisions. Board minutes should reflect cybersecurity discussions. In any enforcement investigation, these records demonstrate that management took its obligations seriously.
The Liability Narrative for Enterprise Customers
For SaaS companies selling to enterprise customers who are NIS2 essential or important entities, Article 20 creates a new board-level conversation. Your enterprise buyer's management body is accountable for its organisation's NIS2 compliance, and the risk-management measures it must approve include supply chain security (Article 21(2)(d)), which covers the security of its direct suppliers and service providers.
This elevates vendor security reviews from IT procurement decisions to board-level risk management. The security questionnaires and contractual requirements enterprise customers send you are driven by their board's Article 20 exposure, so expect them to ask for evidence (policies, audit results, incident-notification commitments) rather than assurances.