NIS2 creates something that did not exist in EU cybersecurity regulation before: personal liability for board members and senior executives for cybersecurity failures. Article 20 of the Directive makes management bodies — not just the organisation — responsible for approving cybersecurity risk management measures and overseeing their implementation. Where an organisation suffers a significant cybersecurity incident and the competent authority determines that the management body failed to comply with Article 20, individual management body members can be temporarily prohibited from exercising management functions.

This is a fundamental change. Boards and executive leadership teams that have treated cybersecurity as a technical matter delegated to the IT or security function are now personally in the frame.

What Article 20 Specifically Requires

Article 20 establishes three distinct obligations for management bodies:

Approval of cybersecurity risk management measures. The cybersecurity risk management measures required under Article 21 — covering risk analysis, incident handling, business continuity, supply chain security, and the other specified domains — must be approved by the management body. Not noted, not presented to — approved. This requires the management body to have sufficient understanding of what they are approving and why.

Oversight of implementation. Beyond approving measures, management bodies must oversee their implementation. This creates an ongoing governance obligation — receiving regular reporting on cybersecurity programme status, asking informed questions, and holding management accountable for implementation. Management bodies that approve a cybersecurity programme and then do not receive or engage with implementation reporting are not satisfying the oversight obligation.

Cybersecurity training. Article 20 explicitly requires management body members to undergo cybersecurity training and to follow training regularly. The training must be sufficient to allow management body members to identify cyber risks, understand cybersecurity risk management practices, and assess the impact of cybersecurity decisions. This is not a one-off awareness session — it is an ongoing capability development requirement.

The Practical Governance Response

NIS2’s management accountability requirements have a practical governance implication: cybersecurity must appear on the board agenda as a substantive item, not just a technical update. Boards need to receive cybersecurity reporting in terms they can engage with, ask questions that demonstrate oversight, and record their engagement in board minutes.

The three elements of effective board cybersecurity governance under NIS2 are: regular, board-level cybersecurity reporting that presents the organisation’s security posture in risk terms the board can act on; formal board approval of the cybersecurity risk management framework and material changes to it; and documented training that demonstrates management body members have the required competence.

For organisations that have not previously had cybersecurity as a board-level governance matter, this requires building new governance infrastructure — not simply adding cybersecurity to the board agenda and proceeding as before.

At Bitsecura, we help management bodies understand their NIS2 obligations, build the governance structures that satisfy Article 20’s requirements, and present cybersecurity risk in terms that enable genuine board-level oversight. If your board is uncertain what NIS2 requires of them, start a conversation here.


Bitsecura provides NIS2 compliance consulting and cybersecurity services for essential and important entities. Learn more about our NIS2 services.