Board and Management Accountability Under NIS2
How NIS2 Article 20 creates direct obligations for boards and senior management — including mandatory training, personal liability, and what governing bodies must actually do.
NIS2 Article 20 represents a fundamental shift in how cybersecurity governance is treated under EU law. For the first time, the directive creates direct, personal obligations for the management bodies of covered entities — not just corporate obligations. This means that board members and C-suite executives can no longer delegate cybersecurity responsibility downwards and walk away from accountability.
This Is New and Consequential
Personal management liability is a genuinely new development that distinguishes NIS2 from most previous cybersecurity regulation. At Essential Entities, individuals discharging managerial responsibilities at chief executive officer or legal representative level can be temporarily barred from exercising managerial functions if the entity fails to remedy serious NIS2 deficiencies after earlier enforcement measures have proved ineffective. Legal counsel strongly advise boards to treat NIS2 compliance as a governance priority, not just an IT matter.
What Article 20 Requires
Article 20 creates the following explicit obligations for management bodies:
- Approve security measures — the management body (board) must approve the cybersecurity risk-management measures taken by the entity
- Oversee implementation — the management body must oversee the implementation of those measures
- Acquire knowledge and training — members of the management body must follow training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices, and Member States must encourage entities to offer similar training to their employees on a regular basis
- Be accountable for infringements — the management body can be held liable for the entity's infringements of Article 21 (the cybersecurity risk-management measures); how that liability attaches to individual members is determined by each Member State's transposing law
Mandatory Management Training
Article 20(2) explicitly requires that management body members of Essential and Important Entities follow training programmes to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on services. Training should cover:
- The NIS2 Directive — scope, obligations, timelines, and penalties
- Cybersecurity risk management — how to read and challenge a risk assessment
- Significant incident scenarios and what the board's role is during a crisis
- Supply chain security — why it matters and what board oversight looks like
- The personal liability provisions and when they apply
- Emerging cyber threats relevant to the organisation's sector
- How to review and challenge the security metrics presented by the CISO
Personal Liability in Practice
For Essential Entities, Article 32(5) of NIS2 gives national competent authorities a last-resort enforcement power. Where the ordinary enforcement measures under Article 32(4) (such as binding instructions, orders to remedy deficiencies, and administrative fines) have been ineffective, the authority sets a deadline for the entity to take the necessary action. If the deadline is missed, the authority can request that the relevant national body or court temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level in that entity from exercising managerial functions in it. The prohibition lasts only until the entity remedies the deficiencies or complies with the authority's requirements, the persons concerned have a right of appeal, and the power does not apply to public administration entities. Even so, the reputational and professional consequences of such a ban are severe. For Important Entities, the Article 20 liability of the management body applies in the same way, but the enforcement regime in Article 33 does not include the management-ban power.
What the Governing Body Must Do
To fulfil its NIS2 obligations, the board or governing body should:
- Formally approve the organisation's information security policy at least annually
- Review and approve the results of the annual risk assessment
- Receive quarterly reports from the CISO on key security metrics and incidents
- Review and approve the budget allocated to cybersecurity
- Ensure there is a named individual with cybersecurity responsibility and that they have adequate resources
- Review the incident response plan at least annually
- Ensure management training on cybersecurity is completed and recorded
- Review the supply chain security programme at least annually
- Formally approve the organisation's NIS2 compliance posture and any accepted residual risks
Best Practices for Boards
1. Create a board-level cybersecurity agenda item — cybersecurity should appear on every board meeting agenda as a standing item
2. Appoint a board cybersecurity champion — consider appointing one board member as the lead for cybersecurity oversight, with specific training and responsibilities
3. Demand clear, accessible reporting — require the CISO to provide security metrics in business terms, not technical jargon
4. Challenge assumptions — boards should actively question whether security measures are adequate, not simply accept management assurances
5. Engage in incident response exercises — at least annually, the board should participate in a tabletop exercise covering a major cyber incident scenario
6. Document all governance activities — maintain minutes of board discussions on cybersecurity, evidence of training completion, and records of policy approvals
Document Everything
In the event of a regulatory investigation, the ability to demonstrate that the board actively engaged with cybersecurity (through meeting minutes, training records, and signed-off policies and risk assessments) is the primary evidence that the management body approved and oversaw the risk-management measures as Article 20 requires. Without that record, an authority has little basis to distinguish genuine oversight from a failure of oversight. Start building this evidence trail immediately.
