Trusq


Explainer

NIS2 and board accountability: what must management do?

Adopted 2026-06-16 · ≈ 1 min read · Dirk Baaijen

Under NIS2 the management body must approve the cybersecurity measures, oversee their implementation, undergo mandatory training, and can be held liable for breaches of these duties.

Short answer: NIS2 makes the management body itself responsible for cybersecurity. Management must approve the risk-management measures, oversee their implementation and undergo training. Member States must provide for the possibility of holding management members liable for breaches of these duties.

The responsibility of the management body (Art. 20)

Article 20 of Directive (EU) 2022/2555 places cybersecurity explicitly at leadership level. The management bodies of essential and important entities must approve the risk-management measures referred to in Article 21 and oversee their implementation. The directive makes clear that this is not an IT detail to be delegated away: it is a governance task.

Liability and training

Article 20 provides that Member States ensure management members can be held liable for breaches of the obligations on risk-management measures. The directive further requires management members to follow regular training so they have sufficient knowledge to identify and assess cybersecurity risks. Management is encouraged to offer comparable training to staff.

What must the board do in practice?

  • Approve — formally decide on the security policy and the Article 21 measures (incl. risk analysis, incident handling, supply chain, continuity).
  • Oversee — periodically review and record implementation and effectiveness.
  • Train — management members complete training on cybersecurity risks.
  • Document — record decisions, approvals and oversight so the duty of care is demonstrable.

Note: enforcement via national transposition

NIS2 is a directive; the precise sanctions and the shape of liability are set in the national legislation transposing it. For your situation, consult the text of the directive and the European Commission's guidance, and follow the national implementation and the designated competent authority.


Sources

  1. https://eur-lex.europa.eu/eli/dir/2022/2555/oj
    Directive (EU) 2022/2555 (NIS2): management governance (Art. 20) and risk-management measures (Art. 21).
  2. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
    European Commission — NIS2: governance and responsibility of management bodies.


Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
