The NIS2 Directive introduced something genuinely new to European cybersecurity law: personal liability for senior management. Article 20 now requires management bodies to approve, oversee, and take direct responsibility for cybersecurity risk management measures.
What Article 20 Actually Requires
Management bodies must approve the cybersecurity risk management measures their organization implements. They must be kept informed and, crucially, are required to follow relevant cybersecurity training so that they can fulfil this oversight function. This duty cannot be delegated to the CISO; the obligation sits at board level.
// Key Requirement
Member states must ensure that management bodies of essential and important entities can be held personally liable for infringements of NIS2 obligations — including temporary prohibitions from holding managerial positions.
Three Governance Structures That Satisfy NCA Expectations
National Competent Authorities (NCAs) across EU member states have begun publishing enforcement guidance. Three governance structures consistently appear in inspections: a formal security committee with board representation, documented approval workflows for significant security decisions, and a structured briefing cadence from the CISO to the board, at least quarterly.
Penalties and Enforcement Timeline
For essential entities, NIS2 administrative fines reach €10 million or 2% of global annual turnover, whichever is higher. Beyond fines, Article 32 allows NCAs to issue temporary prohibitions from senior management positions. Most EU member states transposed NIS2 by the October 2024 deadline. Enforcement is active.