NIS2 changed the rules for cybersecurity governance in a way that has still not been fully absorbed by most executive teams. The directive does not merely require organisations to implement security measures — it places personal legal accountability for cybersecurity failures on the individuals who sit in management bodies. If your board has not discussed what this means for its members individually, that conversation is overdue.
What NIS2 Article 20 Actually Says
NIS2 Article 20 is precise about what management bodies must do. Under Article 20(1), they must approve the cybersecurity risk-management measures the entity takes in order to comply with Article 21, they must oversee the implementation of those measures, and they can be held liable for the entity's infringements of Article 21. Under Article 20(2), the members of the management body are required to follow cybersecurity training. Note that the liability in Article 20(1) is tied to Article 21, the risk-management article, not to the incident-reporting duties in Article 23; those are enforced against the entity under Articles 32 to 34.
The word "personal" is load-bearing. This is not liability that attaches only to the legal entity; it reaches the natural persons who constitute the management body. Which persons that covers depends on each member state's company law and transposition: in one-tier structures the board of directors, in two-tier structures the management board and, depending on the transposition, the supervisory board. Article 32(6) adds a second route for essential entities, requiring member states to ensure that any natural person responsible for, or acting as legal representative of, the entity has the power to ensure its compliance and can be held liable for breach of that duty; Article 33(5) mirrors this for important entities. The mechanism varies by member state, but the directive requires that management bodies can be held liable.
The training obligation in Article 20(2) is equally specific. Members of management bodies are required to follow training so that they gain "sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity". That is a standard of substantive competence, not an annual e-learning box to tick, and it is one that a supervisory authority can probe during an audit or information request under Articles 32 and 33 and that a court can weigh in liability proceedings.
The Personal Liability Exposure
The enforcement teeth in NIS2 are significant. Article 34 requires member states to provide for administrative fines on essential entities of up to at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; for important entities the ceiling must be at least €7 million or 1.4%. These figures are floors for the national maximum, so a member state may set higher caps. The fines attach to the entity. Personal exposure comes through Article 20(1), which makes management bodies liable for the entity's infringements of Article 21, and through Articles 32(6) and 33(5), which make natural persons who represent or control the entity liable for breach of their duty to ensure its compliance.
The most severe personal consequence is the temporary prohibition on exercising managerial functions. Under Article 32(5)(b), where earlier enforcement measures have proved ineffective and the entity misses the deadline set by the competent authority, the authority must have the power to request that the relevant bodies or courts temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. Several caveats matter. The power exists only for essential entities; Article 33 contains no equivalent for important entities. It is a last-resort measure, available only after other enforcement action has failed. The prohibition lasts only until the entity remedies the deficiencies. And it does not apply to public administration entities. Because member states are obliged to confer this power, it appears in national transposing legislation; how readily authorities will actually use it remains to be seen.
This is categorically different from GDPR's liability framework, where organisational fines dominate and individual accountability for executives is rarely pursued. NIS2 was deliberately designed with personal accountability as a deterrent mechanism. The legislative intent is to change board-level behaviour, and the enforcement framework reflects that intent directly.
NIS1 contained no personal liability provision; cybersecurity governance could be delegated entirely, and in practice often was. NIS2 removes that option. Once Articles 20(1), 32(5), 32(6) and 33(5) are transposed into national law, a finding of governance failure can reach named individuals, not only the entity. The era of cybersecurity being "the CISO's problem" is over; it is now explicitly a board governance matter with personal consequences for those who fail to exercise appropriate oversight.
What Boards Must Now Approve and Oversee
The management body's approval obligation is not a year-end rubber stamp. It covers the measures the entity takes under Article 21, which must be appropriate and proportionate and take an all-hazards approach, and which Article 21(2) says must include at least: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including the security-related aspects of relationships with direct suppliers and service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of the risk-management measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies and procedures on the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; and (j) the use of multi-factor or continuous authentication, secured voice, video and text communications and secured emergency communication systems, where appropriate.
Oversight means ongoing engagement, not an annual review. Boards are expected to receive regular reporting on the organisation's cybersecurity posture, material incidents and the effectiveness of controls. The reporting structure (which metrics reach the board, at what frequency and in what format) should be documented and demonstrably operational before a supervisory authority exercises its Article 32 or 33 powers, which include audits, on-site inspections, security scans and requests for information. Supervisors will ask for evidence of board engagement, not just evidence that policies exist.
Identity governance is a significant component of what the board must oversee, and it maps directly onto Article 21(2)(i) (access control policies) and 21(2)(j) (multi-factor or continuous authentication). Privileged access management, the identity lifecycle for administrators of critical systems, identity controls for third parties and MFA coverage across the organisation are all dimensions of the risk-management measures the management body approves. If your board cannot articulate the organisation's position on these controls, that is a governance gap with regulatory consequences.
The Training Obligation in Practice
Regulators assessing compliance with the Article 20 training requirement will not be satisfied by a completion certificate for a generic cybersecurity awareness module. The standard is substantive competence: the ability to identify risks, evaluate risk management measures, and assess their impact on the services the organisation provides. This requires training tailored to the organisation's specific threat landscape, regulatory obligations, and technology environment.
Board-level cybersecurity training programmes that meet this standard typically cover: the organisation's threat model and the specific risks it faces; the regulatory framework applicable to the organisation (NIS2, DORA where it applies, sector-specific requirements); the identity and access management controls in place and their rationale; incident response obligations, including the Article 23 notification timelines, and the board's role during a major incident; and the metrics used to measure control effectiveness. The directive does not fix a frequency for management body training. Annual training is a defensible floor; organisations in high-risk sectors should consider running the programme twice a year, with quarterly briefings on material developments.
Building a Board-Ready Security Posture
Translating Article 20 obligations into operational governance structures requires three things to be in place. First, a documented cybersecurity governance framework that specifies what the board approves, what it oversees, and how it receives information — with a clear audit trail demonstrating that approvals have occurred and oversight is active. Second, a reporting cadence that gives the board actionable information on the organisation's security posture without requiring them to be technical experts — metrics framed in terms of risk, not technology. Third, a clear line of accountability from the CISO to the board, with defined escalation criteria for incidents and control failures.
The organisations that approach NIS2's executive accountability requirements correctly will find that they produce better security outcomes as well as regulatory compliance. When boards are genuinely engaged in cybersecurity governance — not just annually briefed — the investment decisions, risk tolerances, and programme priorities that result reflect a more complete picture of the organisation's actual exposure. That is the intended effect of the legislation. Meeting it is both a legal obligation and a governance improvement worth pursuing on its own terms.