
NIS 2 management liability: what governing bodies are accountable for

Article 20 of NIS 2 makes the management bodies of in-scope entities directly accountable for approving cybersecurity risk management measures, overseeing their implementation, and following appropriate training. Several national transpositions add personal liability, including temporary bans from management positions.

What Article 20 actually says

Article 20 requires the management body of an essential or important entity to approve the cybersecurity risk management measures taken to comply with Article 21, oversee their implementation, and be held liable for infringements by the entity. The management body is also required to follow training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices.

The training obligation extends to ensuring employees of the entity have access to similar training on a regular basis.

What counts as the management body

The directive uses "management body" without defining it; national transpositions clarify the term. In most member states the management body is the company board (executive and non-executive directors) and the senior management team that reports to the board. For limited liability companies, the executive directors collectively form the management body.

For SMEs without a formal board, the founders or owners typically form the management body for NIS 2 purposes.

Personal liability in national transpositions

The directive leaves the structure of liability to member states. National transpositions diverge. Some examples of what individual national transpositions add:

  • Germany (NIS2UmsuCG, expected to enter into force in 2026 after delays) creates personal liability for management body members for damages resulting from failure to implement required measures, with the option for the company to indemnify only under restrictive conditions.
  • Belgium (NIS 2 Act) provides for temporary bans from management positions for management body members in cases of serious or repeated failures.
  • Italy (Decreto Legislativo 138/2024) makes management body members personally subject to administrative fines for specific categories of failure.
  • Netherlands (Cyberbeveiligingswet) makes management body members personally liable for compliance with the duty of care.

Training: what is required

The directive does not prescribe curriculum, but the language ("sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices") sets a substantive bar. Generic e-learning is not enough.

Practical content for management body training includes: the entity’s risk register and risk acceptance position, the threat landscape relevant to the sector, the entity’s incident response capability and the most recent test results, supply chain risk and the largest dependencies, and the regulatory state of play, including upcoming national or EU obligations.

Cadence: at least annually, with refreshers triggered by material changes to risk or by significant incidents.

What to document

  • Board minutes recording approval of the Article 21 cybersecurity risk management measures. Specifically: which measures were approved, on which date, and by which members.
  • Board minutes recording oversight of implementation. Quarterly review of cybersecurity programme status is a defensible cadence.
  • Training records per management body member. Date, content, attendance, completion.
  • Records of escalations from the security function to the management body, including how each was addressed.
  • Where the management body has delegated cybersecurity oversight to a committee, the delegation, the committee’s charter, and the committee’s reports to the full management body.

Where this lands for an SME

For an in-scope SME without a formal board, the founders carry the management body obligations. The documentation looks different from that of a large enterprise, but the substance is the same. A weekly founder-and-security-lead review with written minutes, an annual training session with a named external trainer and certificate, and a documented incident response test go a long way.
