
NIS2 Art.20.1: Management Body Accountability and Governance

What This Control Requires

Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by those entities of that Article.

In Plain Language

Cybersecurity is no longer something boards can delegate entirely to IT and forget about. NIS2 makes management bodies - boards of directors, executive management - directly accountable for approving, overseeing, and ensuring the effectiveness of cybersecurity measures.

The personal liability provision is the real game-changer here. Management body members can be held individually liable for infringements of Art.21. That gives every board member a direct personal stake in making sure adequate cybersecurity is in place and functioning. It is designed to ensure security gets the attention, resources, and priority it deserves at the top of the organisation.

On top of accountability, Art.20.2 requires management bodies to undergo cybersecurity training themselves and to encourage regular training for all employees. The intent is clear: senior leaders must be informed enough to make meaningful decisions about security strategy, resource allocation, and risk acceptance.

How to Implement

Define the management body's cybersecurity governance responsibilities formally within your governance framework. This should cover approval of the cybersecurity strategy and risk management policies, regular oversight of effectiveness, approval of risk acceptance decisions above defined thresholds, and allocation of adequate resources.

Establish a regular reporting cadence to the management body. Board cybersecurity reports should include current risk posture and key risk indicators, significant incidents and their impact, NIS2 compliance status, security investment effectiveness, and emerging threats and strategic risks.

Make cybersecurity a standing board agenda item at least quarterly. Significant incidents or material risk changes should trigger immediate ad-hoc reporting.

Organise cybersecurity training for every management body member. Cover NIS2 requirements and personal liability implications, the threat landscape relevant to your organisation, fundamentals of risk management, how to read and interpret security reports and metrics, and their specific responsibilities under the directive.

Document all management body decisions on cybersecurity - approvals, risk acceptance decisions, resource allocation. Detailed minutes that show active engagement with security matters are essential evidence.

Consider establishing a board-level cybersecurity committee or designating a board member with specific security oversight responsibility. Ensure the CISO or equivalent has a direct reporting line or regular access to the management body.

Review your directors' and officers' liability insurance to confirm NIS2 liability exposure is covered. Get legal advice on the specific implications for management body members in your jurisdiction.

Evidence Your Auditor Will Request

  • Board or management body minutes showing cybersecurity oversight and approvals
  • Governance framework document defining management body cybersecurity responsibilities
  • Regular cybersecurity board reports and risk dashboards
  • Management body cybersecurity training records
  • Risk acceptance decisions documented and approved by appropriate authority

Common Mistakes

  • Cybersecurity treated as a purely IT operational matter without meaningful board oversight
  • Management body approves policies without understanding them or their implications
  • Board reports focus on technical details rather than risk and business impact
  • Management body members have not received cybersecurity training
  • No documented evidence of board-level cybersecurity decision-making

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.1         Related
SOC 2        CC1.2         Related

Frequently Asked Questions

Can management body members delegate their cybersecurity responsibilities?

Day-to-day cybersecurity operations can absolutely be delegated. But ultimate accountability for approving and overseeing risk management measures stays with the management body. They can rely on committees, CISOs, and advisors for input and execution, but personal liability remains with them. There is no way to delegate that away.

What kind of cybersecurity training is expected for board members?

It does not need to be deeply technical, but it must be substantive. Board members should come away able to understand cybersecurity risks and their business impact, evaluate whether proposed measures are adequate, make informed decisions about security investment and risk acceptance, and fulfil their oversight duties effectively. Generic awareness training is not sufficient here.
