NIS2: Governance and Accountability
Governance and Accountability [Art 20]
Rule: Management bodies of essential and important entities must approve the cybersecurity risk-management measures the entity takes to comply with Art 21, oversee their implementation, and can be held liable for the entity's infringements of Art 21.
Management Body Duties [Art 20(1)-(2)]
The management body (board, directors, executives) must:
| Duty | Requirement |
|---|---|
| Approve measures | Approve the cybersecurity risk-management measures taken to comply with Art 21 |
| Oversee implementation | Supervise the implementation of those measures |
| Be accountable | Can be held liable for the entity's infringements of Art 21 |
| Receive training | Follow training to gain the knowledge and skills to identify risks and assess risk-management practices |
Who Is the “Management Body”?
| Entity Type | Management Body |
|---|---|
| Company | Board of directors, managing directors |
| Partnership | Managing partners |
| Public entity | Executive management, agency heads |
NIS2 does not define the term; it is read against Member State corporate law, but in practice it means the persons with executive decision-making authority over the entity.
Mandatory Training [Art 20(2)]
Management body members must:
…follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity.
The Article does not prescribe a syllabus, but the stated aim is that members gain sufficient knowledge and skills to:
- Identify the cybersecurity risks relevant to the entity
- Assess the entity's cybersecurity risk-management practices
- Assess the impact of those risks and practices on the services the entity provides
- Understand the Art 21 measures the body is asked to approve
Personal Liability [Art 20(1)]
Member States shall ensure that the management bodies… can be held liable for infringements by the entities of that Article [Art 21].
The form of liability is left to national transposing law, so it varies by Member State. Within the Directive itself, the relevant enforcement tools are:
- Administrative sanctions under national law (the Art 34 fines are imposed on the entity, not on individuals)
- A temporary prohibition on natural persons at CEO or legal-representative level of an essential entity exercising managerial functions in that entity, requested by the competent authority until the infringement is remedied (Art 32(5)(b))
- Liability of natural persons responsible for, or representing, an essential or important entity for breach of their duty to ensure compliance (Arts 32(6) and 33(5))
- Potential civil liability (varies by Member State)
What “Oversight” Requires
Active oversight means:
- Regular reporting — Receiving cybersecurity status reports
- Resource allocation — Ensuring adequate budget and staff
- Risk awareness — Understanding top cyber risks
- Incident escalation — Being informed of significant incidents
- Third-party oversight — Understanding supply chain risks
Board Agenda Items
Suggested recurring items:
- Cybersecurity risk assessment updates
- Incident statistics and trends
- Compliance status with Art 21 measures
- Supply chain risk review
- Training completion rates
- Audit findings and remediation
Documentation for Compliance
| Document | Purpose |
|---|---|
| Board minutes | Evidence of approval and oversight |
| Training certificates | Proof of management training |
| Risk reports | Regular briefings to management |
| Approval records | Sign-off on security policies |
Delegation
Management can delegate operational implementation (to a CISO, security team or service provider) but cannot delegate:
- Ultimate accountability
- Approval of the Art 21 risk-management measures
- Liability for the entity's infringements of Art 21
Comparison with Other Regimes
| Regime | Management Responsibility |
|---|---|
| NIS2 (Art 20) | Approve, oversee, liable, must train |
| GDPR (Art 5(2)) | General accountability of the controller |
| DORA (Art 5) | Management body defines, approves and oversees the ICT risk-management framework, and must keep its knowledge up to date through training |
| UK Corporate Governance Code | Board responsible for risk management and internal control |
Practical Steps
- Brief the board — Educate on NIS2 requirements, including the liability in Art 20(1)
- Schedule training — Arrange and record cybersecurity training for all management body members
- Establish reporting — Regular cyber updates to the board, with a standing path for escalating significant incidents
- Document approvals — Formal, minuted sign-off on the Art 21 measures and related policies
- Review insurance — D&O coverage for cyber-related liability