nis²insights.com


Governance · Apr 18, 2025 · 10 min read

NIS2 Article 20: 5 boardroom responsibilities directors cannot delegate

Article 20 of Directive 2022/2555 moves cybersecurity formally into the boardroom. Here are the five responsibilities that now fall personally on directors.


The NIS2 Directive, formally Directive (EU) 2022/2555, entered into force on 16 January 2023. Member States were required to transpose it into national law by 17 October 2024, and its obligations apply from 18 October 2024. Since then the picture across Europe has been uneven, with several Member States missing the transposition deadline, but one shift is universal: the directors of every in-scope organisation now carry personal exposure at board level.

What is striking is not the volume of obligations. NIS2 largely codifies practices that any reasonably mature security programme already implements. What is new is that responsibility now rests, explicitly and personally, with management bodies: Article 20(1) states that they can be held liable for the entity's infringements of Article 21, and Article 32(6), extended to important entities by Article 33, requires Member States to make it possible to hold the natural persons who represent, decide for or control the entity liable for breaching their duty to ensure compliance.

Article 20 of the directive, titled simply "Governance", sits at the heart of that shift. It runs to two paragraphs. Read narrowly, it imposes two duties on management bodies: approve and oversee the entity's Article 21 measures, and follow training. Read in context, with recitals 80 and 81 and the corresponding paragraphs of Article 21, it sets out five responsibilities that fall on directors personally and cannot be delegated.

1. Approve the cybersecurity programme — with documented understanding

Article 20(1) is unequivocal: management bodies shall approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21. The legal weight is on approve, not on be informed of.

Across European national competent authorities (ANSSI in France, BSI in Germany, INCIBE in Spain, ACN in Italy, NCSC-IE in Ireland) the same expectation surfaces in published guidance: approval implies documented understanding. Concretely, that means a board minute recording a substantive discussion of the entity's risk register, the residual risks accepted, and the trade-offs made between mitigation and operational cost. A signature without that paper trail is, in practice, the opening position for an enforcement action, not a defence against one.

Approval is not a signature. It is a documented, contestable position taken with full knowledge of the risk register.

The non-delegable element here is the understanding, not the act of signing. Boards may rely on the recommendation of the CISO or equivalent; they may not rely on it without challenge.

2. Oversee implementation continuously

The second part of Article 20(1) is often missed: management bodies must also oversee implementation. Approval at a single point in time is not enough. Recital 80 makes this explicit by framing oversight as a continuous obligation tied to the management body's governance role.

What "oversight" looks like, concretely:

  • A standing item on the board agenda, not buried under "any other business".
  • A risk dashboard that reports the delta since the previous meeting, not the static state.
  • A clear escalation path for the CISO or equivalent function to the board chair when material risks emerge between scheduled reviews.

A board that approves the programme in March and next discusses cybersecurity in October will, in nearly every Member State, fall short of this expectation.

3. Accept personal liability — including the management ban

Article 20(1)'s closing clause is where the directive's teeth show: management bodies "can be held liable for infringements by the entities of Article 21". The financial dimension is set out in Article 34, which requires Member States to provide for administrative fines of at least up to €10 million or 2 % of total worldwide annual turnover in the preceding financial year, whichever is higher, for essential entities, and at least up to €7 million or 1.4 % for important entities. Those fines are imposed on the entity, not on the director personally. The personal dimension is Article 32(6), applied to important entities through Article 33, which requires Member States to make it possible to hold the natural persons who represent, decide for or control the entity liable for breaching their duty to ensure compliance.

The non-financial dimension is more striking and less often discussed. Article 32(5)(b) requires Member States to give competent authorities the power, where the other enforcement measures against an essential entity have proved ineffective and a deadline set for remediation has passed, to request that the competent bodies or courts temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. In plain terms: a management ban. Two caveats matter: it is a last-resort measure, triggered only after other enforcement has failed, and it applies to essential entities only, since Article 33 contains no equivalent for important entities.

Several Member States have transposed this aggressively in their national laws. The point for the boardroom is that accepting these responsibilities is no longer a question of corporate culture. It is a personal exposure, and a regulatory disqualification is not a loss that any D&O policy can make good.

4. Follow training, personally

Article 20(2) is unusually direct for a European directive: Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training. Required, not encouraged or recommended.

The training is also not delegable. A common misreading is that the CISO can "brief" the board in lieu of formal training. That is not what the article says. The directive frames the training objective explicitly: members of the management body must gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

The directive does not specify hours, and national transpositions vary. Drawn from the published guidance of national competent authorities, a defensible threshold looks like:

  • An onboarding programme of 6 to 12 hours for new directors covering the directive itself, the entity's threat landscape, and the risk register.
  • An annual refresher of 2 to 4 hours covering material changes since the previous session.
  • Documented attendance and content. A simple list of attendees with the date and the materials used is enough.

This is the responsibility on which boards most often fall short. It is also the easiest to fix.

5. Ensure organisation-wide training

The second clause of Article 20(2) is sometimes filed away as aspirational: Member States shall encourage essential and important entities to offer similar training to their employees on a regular basis. The verb encourage is softer than require.

It is, however, a board-level responsibility by another route. Article 21(2)(g) lists "basic cyber hygiene practices and cybersecurity training" among the measures that essential and important entities shall take, and Article 20(1) makes the management body responsible for approving and overseeing those measures. For the entity, that is not encouragement; it is an obligation. The board's role under Article 20 is to ensure the obligation in Article 21 is actually being met.

In other words: the board cannot personally train every employee, but it can, and must, confirm that an employee training programme exists, that it has a measurable cadence, and that completion rates are reported up to it.

What good looks like

Across the published guidance from European national competent authorities, three signals consistently come up.

First: a board minute from the past 12 months that demonstrates substantive discussion of the cybersecurity programme. Not just acknowledgement.

Second: a risk register that is dated, owned at executive level, and traceable to the actions taken since the previous board review.

Third: evidence that the security programme was reviewed independently — by an internal audit function or an external assessor — within the past 12 months, with the findings tabled at the board.

None of these are ambiguous. They are documents. They either exist, or they do not. The work of the next 12 months, for boards that have not yet acted, is to make sure they do.


Sources

  1. Directive (EU) 2022/2555, Article 20 ("Governance").
  2. Directive (EU) 2022/2555, Article 21 ("Cybersecurity risk-management measures"), in particular paragraph 2(g).
  3. Directive (EU) 2022/2555, Article 32(5)(b) (temporary prohibition of managerial functions) and Article 32(6) (liability of natural persons), applied to important entities by Article 33.
  4. Directive (EU) 2022/2555, Article 34 (general conditions for imposing administrative fines).
  5. Directive (EU) 2022/2555, recitals 80 and 81 (governance and management training).
  6. Published implementation guidance from national competent authorities: ANSSI (FR), BSI (DE), INCIBE (ES), ACN (IT), NCSC-IE (IE), and ENISA.