
NIS2 Management Liability: What Board Members and CEOs Face

NIS2 Article 20 makes management bodies personally liable for cybersecurity breaches. Learn who is affected, what the training obligation requires, when executives can be suspended, and how to protect yourself as a board member.

TL;DR

NIS2 Article 20 makes management bodies (boards, managing directors, CEOs) personally liable for cybersecurity breaches. They must actively approve security measures, attend training, and can be temporarily suspended from their functions for gross negligence. Delegating to a CISO does not remove this liability.

The personal liability of executives for cybersecurity is the biggest change that NIS2 brings compared to all previous EU cybersecurity rules. Before NIS2, cybersecurity was largely the IT department's problem from a personal liability perspective. NIS2 Article 20 ends that.

This article explains what Article 20 specifically requires, who is affected, what consequences are at stake, and how executives can protect themselves.

What Article 20 Specifically Requires

The full text of NIS2 Article 20 contains four core obligations for management bodies:

1. Approval of cybersecurity measures
The management body must actively approve the cybersecurity risk management measures required by Article 21. Passive acknowledgement is not enough. There must be documented approval.

2. Oversight of implementation
The management body is responsible for overseeing the implementation of security measures. It must receive regular reports on the security status and act when there are material deviations.

3. Obligation to attend training
Management body members must attend training on cybersecurity risks. The training must be sufficient to enable them to identify risks and make informed decisions. Attendance must be documented.

4. Promoting employee training
The management body is also responsible for promoting regular cybersecurity training for all staff and making sure such training actually takes place.

Who Counts as a 'Management Body'?

NIS2 does not define 'management body' exhaustively and defers to national company law. In practice, the following persons are affected in most EU countries:

Board of directors members: overall responsibility for strategic decisions
Managing directors: operational management and legal representation
CEO / Chief Executive: highest operational leadership
CTO / CSO in executive role: where part of the formal management body
Supervisory board (context-dependent): depending on national transposition and involvement
Equivalent governing bodies: e.g. Executive Committee, Management Board

Senior employees below the formal management body (for example, a CISO who is not on the board) can also be held liable if they were given clear responsibilities and grossly neglected them. The primary liability under Article 20, however, lies with the formal management body.

The Training Obligation: What Is 'Sufficient'?

NIS2 requires the training to be sufficient to identify cybersecurity risks and assess their impact on the services provided by the entity. Article 20(2) specifies that the training must be repeated regularly.

What this means in practice has not yet been fully settled in regulatory guidance. However, ENISA and several national authorities have published guidelines. The following content is considered a minimum standard for management training:

✓ Fundamentals of cyber threats (ransomware, phishing, supply chain attacks)
✓ The 10 NIS2 Article 21 measures: overview and management body responsibility
✓ The 24h/72h/1-month notification obligations under Article 23
✓ Personal liability risks for management bodies under Article 20
✓ Overview of current cyberattacks and their impact in the organisation's sector
✓ Outline of the NIS2 fine structure and enforcement practice
✓ Role-specific actions in an emergency (approvals, communications, escalation)
✓ At least annual repetition or following material changes

When Can Executives Be Suspended?

NIS2 Articles 32(5) and 33(5) give authorities the power to require the temporary suspension of executives in Essential and Important Entities in response to repeated or serious violations. This is one of the sharpest sanctions in the entire NIS2 framework.

Preconditions

Suspension is only possible if the entity has repeatedly or grossly neglected its obligations. A single instance of non-compliance will generally not lead to suspension. There must be a pattern of non-compliance or a single particularly serious violation.

âąī¸
Duration

The suspension is temporary and must be proportionate. NIS2 specifies no maximum duration. The precise rules are for national law to determine. Some member states have set maximum periods of three to six months.

Persons affected

The suspension targets natural persons in executive functions (CEO, board members). It does not mean the dissolution of the company, only the removal of that person from their management function for a defined period.

Public disclosure

NIS2 allows authorities to publish information about violations, including the responsible natural persons. A suspension can therefore become publicly known, which brings additional reputational damage.

Does Delegating to a CISO Remove Liability?

This is one of the most common questions from boardrooms. The short answer: No. Appointing a CISO or IT security officer is good practice, but it does not transfer the management body's responsibility under NIS2 to that person.

Article 20 is clear: the management body is responsible and can be held liable. Delegating operational tasks to a CISO is permitted and sensible. But the management body must still actively approve the measures, oversee implementation, attend training themselves, and make sure the resources for adequate cybersecurity are in place.

â„šī¸ The important distinction

A CISO can be held liable for gross operational negligence. But that does not relieve the management body of its own responsibility under Article 20. Both can be held liable at the same time.

Practical Steps for Executives

1. Formally determine NIS2 applicability
Have it checked and documented whether your organisation qualifies as an Essential or Important Entity. Obtain a written legal opinion or use your competent authority's classification. This step protects you from the allegation that you ignored your own applicability.

2. Formally approve security measures
Have the cybersecurity strategy and Article 21 measures approved as a standalone agenda item at a board meeting. Record the approval in the meeting minutes. This is your evidence to a regulator.

3. Complete training and document it
Attend a NIS2 training for executives and retain attendance evidence (certificate, invitation, attendance list). Repeat at least annually. Training providers specialising in NIS2 management training issue corresponding certificates.

4. Receive regular security reports
Require quarterly reports from the CISO or IT security officer on the implementation status of security measures, current threats, and open risks. If you receive no reports, you are not meeting your oversight obligation.

5. Provide resources
NIS2 requires the management body to provide sufficient resources for cybersecurity. Document budget approvals for cybersecurity measures explicitly. Rejected CISO budget requests can be used as evidence of negligence in a damage case.

Differences Between Essential and Important Entities

The obligations under Article 20 apply to both entity types. The difference lies in supervisory intensity:

Aspect | Essential Entity (Art. 32) | Important Entity (Art. 33)
Supervision type | Proactive (ex-ante): authority can inspect at any time | Reactive (ex-post): authority acts on specific cause
Art. 20 application | Yes, full application | Yes, full application
Max. fine (entity) | €10M or 2% turnover | €7M or 1.4% turnover
Suspension possible | Yes (Art. 32(5)) | Yes (Art. 33(5))
Audit frequency | Regular, including unannounced | When there is evidence of violations


Frequently Asked Questions

Can a board member be personally fined?
NIS2 itself primarily provides for fines against the entity as a legal person. The personal liability under Article 20 relates primarily to suspension. Whether individual countries additionally provide for personal monetary fines depends on national transposition. Germany and Austria have introduced personal liability provisions in their NIS2 implementing laws.
Does Article 20 also apply to non-profit organisations and public bodies?
Yes. NIS2 generally applies to public bodies and non-profits where they operate in one of the 18 sectors. The liability rules under Article 20 apply correspondingly to their management bodies, although national implementing laws may contain special rules for public entities.
Does D&O insurance protect against NIS2 liability?
Directors & Officers (D&O) insurance policies generally cover personal liability claims. Coverage of NIS2-specific sanctions depends on the policy terms. Check your D&O policy for exclusions relating to regulatory sanctions and speak with your insurer about the NIS2 context.
What counts as 'gross negligence' under NIS2?
NIS2 does not define this precisely. In legal practice, gross negligence typically means a particularly serious failure to meet the standard of care required by the circumstances. In the NIS2 context, this could mean: no security measures despite known risks, no training despite authority requests, or ignoring incident notification obligations.
How often must management training be repeated?
NIS2 requires 'regular' training. ENISA recommends at least once per year. Additional training should be provided following material changes in the threat environment, after a security incident, or when there are changes to the management body. The training must be sufficient in content to enable identification and assessment of risks.