NIS2 | Cyber Governance | 6-minute read | October 2025

NIS2 Makes Cybersecurity a Leadership Duty

NIS2 does not only impose obligations on the security function. Article 20 places specific requirements on the management body: to approve the cybersecurity risk management measures the organisation adopts, to oversee their implementation, and to follow cybersecurity training. These obligations sit with senior leaders directly and cannot be discharged by the CISO or delegated to a technical team.

For executives and board members in in-scope organisations, Article 20 creates a personal compliance exposure. The question a supervisory authority will ask is not what the security team did. It is what the management body approved.

What Article 20 requires

Article 20 of NIS2 requires Member States to ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities and oversee their implementation. Management body members must follow training on cybersecurity to enable them to identify risks and assess cybersecurity risk management practices and their impact.

Three obligations follow from this. Approval requires the management body to consider and formally sanction the security measures in place, not simply receive a report that they exist. Oversight requires ongoing attention to implementation: whether approved measures are working, where gaps have emerged, and what has been done about them. Training is a requirement on individual management body members, not a general training obligation directed at the organisation.

A single board-level presentation from the CISO each year does not satisfy any of these three obligations.

Who counts as the management body

NIS2 uses the term 'management body' rather than 'board of directors' or 'executive team'. National implementing legislation varies in how the term is applied, and the relevant definition in each jurisdiction determines who carries the obligation.

In practice, the management body will typically include the board of directors or equivalent governing body, and in some jurisdictions will extend to senior executives with decision-making authority over the organisation's risk governance. The relevant question is which body has formal responsibility for governance and risk management in that entity.

For groups with multiple legal entities in scope, the obligation applies at entity level. A group-level board decision does not automatically satisfy the Article 20 requirement for each subsidiary that is independently in scope. Evidence of approval and oversight needs to be maintained for each entity separately.

The liability dimension

Article 20 sits alongside enforcement provisions that create meaningful personal exposure. Under NIS2, Member States must ensure that natural persons exercising managerial responsibilities within essential or important entities can be held liable for infringements of the security obligations. For essential entities specifically, where a competent authority has issued prior enforcement measures that have not proved effective, it can seek a court order temporarily prohibiting the chief executive officer or legal representative from exercising managerial functions.

This is qualitatively different from most regulatory regimes organisations encounter. The risk is not only the fine. The risk is that a named individual is temporarily disqualified from holding their role.

What adequate management body engagement looks like

A supervisory authority investigating an incident or conducting an inspection will want to see what the management body approved, when, and in what form. Board minutes recording a general discussion about cybersecurity are not the same as a formal approval of a defined risk management framework.

Oversight requires periodic reporting to the management body on the implementation of approved measures: whether controls are working, where material gaps exist, what incidents have occurred, and how the risk profile has changed. This reporting needs to be proportionate to the organisation's risk exposure and to the supervisory expectations in the applicable jurisdiction.

Training needs to be tracked at individual level, not reported as an aggregate completion figure. The content must address cybersecurity risk management, not cybersecurity awareness in general. The distinction matters because Article 20 specifically requires training that enables management body members to identify risks and assess risk management practices.

How this affects your organisation

For C-level executives and board members in NIS2 in-scope organisations, Article 20 creates obligations that are personal and cannot be satisfied by pointing to what the CISO or security function has done. The question is whether the management body approved the measures in place, whether it received adequate reporting on their implementation, and whether each member followed training.

Organisations that have built a sound Article 21 security programme but have not established the Article 20 governance arrangements alongside it have an incomplete compliance position.

If your board is working through NIS2 governance obligations, an advisory call is a useful starting point.