RegTech

NIS2 Article 20: What Board Members Must Do Before the Deadline

Equip IgeraSolutions
July 5, 2026
6 min read
RegTech · NIS2 · Cybersecurity Governance 2025

NIS2 Article 20: What Board Members Must Do Before the Deadline

NIS2 Directive (EU 2022/2555) is no longer a future obligation. Most EU member states completed transposition by the end of 2024. Article 20 is one of its most consequential provisions: it places personal liability on management bodies for cybersecurity failures and requires board members to approve cybersecurity measures and undergo formal training. Yet according to the ENISA NIS2 Implementation Survey 2025, 67% of in-scope organisations report that their board has not yet completed Article 20-compliant training. If your organisation is in scope, your board is already exposed.

NIS2 Directive (EU 2022/2555), Article 20: “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities, oversee its implementation and can be held liable for infringements by the entities. Member States shall ensure that members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis.”

67%

“Of in-scope organisations report that their board has not completed Article 20-compliant cybersecurity training, despite NIS2 being transposed across most EU member states. Personal liability for management bodies is now active.”

— ENISA NIS2 Implementation Survey 2025

Who does NIS2 Article 20 apply to?

NIS2 applies to “essential entities” and “important entities” as defined in Annex I and Annex II of the Directive. The scope is substantially broader than its predecessor NIS1:

CategorySectors (examples)Size threshold
Essential entitiesEnergy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, ICT service management, public administration, space250+ employees or €50M+ turnover (plus size-independent categories)
Important entitiesPostal services, waste management, chemicals, food, manufacturing (medical devices, automotive, machinery), digital providers, research50+ employees or €10M+ turnover

Article 20 obligations apply to both categories. The management body of any in-scope entity must approve cybersecurity risk-management measures, oversee implementation, and complete training. There is no de minimis exception for smaller entities that fall within the thresholds.

What exactly does Article 20 require in plain language?

Article 20 creates two distinct obligations that run in parallel:

  1. Governance approval: The management body (board of directors, supervisory board, or equivalent) must formally approve the organisation’s cybersecurity risk-management measures. This is not a delegation to the CISO or IT department alone. Approval requires documented board-level sign-off on the measures taken under Article 21 (covering risk analysis, incident handling, supply chain security, cryptography policy, access control, and more).
  2. Mandatory training: Members of the management body are required to undergo cybersecurity training. The Directive specifies that training must be sufficient to “identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” Member states may define minimum hours or curriculum standards in their national transposition laws.

Critically, Article 20 also establishes that management bodies “can be held liable for infringements” by the entity. This is a direct, personal liability provision. In several member state transpositions (including Germany’s NIS2UmsuCG and the Netherlands’ Cyberbeveiligingswet), fines can be directed against individuals in management roles, not just the legal entity.

What does Article 20-compliant training look like?

The Directive does not prescribe a specific curriculum or minimum hours, but ENISA’s technical guidance and early national transpositions point to the following components as necessary for compliance:

  • Understanding of the organisation’s threat landscape and sector-specific risks (e.g. OT/ICS risks for energy entities, third-party API risks for digital providers)
  • Familiarity with the Article 21 risk-management measures the board is approving (incident response plans, business continuity, supply chain due diligence)
  • Ability to evaluate CISO and management team reporting on cyber posture — distinguishing meaningful KRIs from vanity metrics
  • Understanding of notification obligations under Article 23: the 24-hour early warning, 72-hour incident notification, and one-month final report to the competent authority
  • Awareness of personal liability exposure and D&O insurance implications
  • Documented completion, with evidence retained for supervisory authority inspection

Training must be repeated on a regular basis — not a one-time box-tick. As the threat landscape and regulatory guidance evolve, the training must be updated accordingly. Some member state transpositions specify annual refreshers as a minimum.

Real examples: what Article 20 failures look like in practice

The following scenarios illustrate the gap between formal NIS2 transposition and practical board-level compliance:

  • The delegated-and-forgotten board: The CISO presents a cybersecurity framework at a board meeting. The board approves it in principle. No individual board member reviews the specific Article 21 measures. No training is scheduled. A ransomware incident 8 months later triggers a supervisory investigation, which finds no documented board approval of the measures and no training records.
  • The annual slide deck: The board receives a 12-slide “cyber update” once a year from IT. No board member has taken a structured training programme. The 12 slides do not cover incident notification obligations or supply chain risk. The competent authority concludes training obligations under Article 20 are not met.
  • The trained CEO, untrained board: The CEO and CFO completed a cybersecurity course. Other board members did not. In most member state transpositions, “the management body” means the collective governing body, not select members. Partial completion is non-compliant.

Common mistakes organisations make on Article 20

MistakeWhy it mattersCorrect approach
Treating Article 20 as an IT matterLiability attaches to management body members, not the IT teamBoard-level programme with documented individual completion
One-off training with no refreshDirective requires “regular” training; threat landscape changesAnnual minimum; update when significant regulatory or threat changes occur
Approving cyber measures without reviewing themFormal approval without genuine oversight does not satisfy Article 20Board minutes must evidence substantive discussion; CISO reports reviewed by board
No training records retainedSupervisory authorities will request evidence; absence is treated as non-complianceCertificates, attendance records, and training content documentation retained for minimum 3 years
Assuming SME size exemptionSome entities are in scope regardless of size (e.g. certain DNS providers, TLD registries, critical infrastructure operators)Verify scope based on sector and function, not only headcount

How IgeraRegTech helps management bodies meet Article 20

IgeraRegTech is a RAG-powered regulatory intelligence platform trained on NIS2, DORA, the EU AI Act, and sector-specific guidance. For Article 20 compliance, it provides:

  • Instant, source-cited answers to board members’ Article 20 questions — citing the specific directive article, national transposition law, and ENISA guidance
  • A structured NIS2 board training curriculum mapped to Article 20 requirements, exportable as a compliance record
  • Automated monitoring of national transposition updates across EU member states, alerting the compliance team when Article 20 guidance changes
  • Gap analysis against current board training and governance documentation, generating a prioritised remediation plan

How IgeraRegtech handles it

Board member question:

“We are an energy company with 300 employees. Our board approved a cybersecurity policy last year but no one has done formal NIS2 training. Are we compliant with Article 20?”

IgeraRegtech answers:

“As an energy company with 300 employees you are an essential entity under NIS2 Annex I. Article 20(2) requires management body members to undergo cybersecurity training — a policy approval alone does not satisfy this obligation. The training must cover risk identification and assessment of cybersecurity risk-management practices. You should schedule board training now and document completion. Source: NIS2 Directive (EU 2022/2555), Article 20(2); ENISA NIS2 Implementation Guidance, October 2024.”

3 seconds24/7Source cited

Is your management body Article 20-compliant?

IgeraRegTech runs a gap analysis against NIS2 Article 20 requirements, maps your current board governance documentation, and generates a structured training plan with compliance records. Free 14-day trial.

Run your Article 20 gap analysis — free

Summary: NIS2 Article 20 for boards

  • Article 20 applies to management bodies of essential and important entities — both categories have transposed into national law across most EU states by end 2024.
  • Two obligations: (1) formal board approval of cybersecurity risk-management measures; (2) mandatory cybersecurity training for all management body members.
  • 67% of in-scope organisations have not yet completed Article 20-compliant training (ENISA NIS2 Implementation Survey 2025).
  • Personal liability for management body members is explicit in the Directive text and several national transpositions.
  • Training must be repeated regularly, documented, and evidence retained for supervisory authority inspection.
  • IgeraRegTech provides structured Article 20 board training mapped to national transposition requirements, with automated compliance records.

Frequently asked questions

Does Article 20 apply to the supervisory board or just the executive board?

Article 20 refers to the “management body” of the entity. The definition varies slightly between EU member state transpositions, but in two-tier board systems (common in Germany, the Netherlands, Austria, and Scandinavia), the obligation typically applies to both the supervisory board and the management board. In one-tier systems (UK model companies operating in the EU, many Southern European structures), it applies to the board of directors. Legal counsel should confirm the applicable definition in each relevant jurisdiction.

What are the fines for non-compliance with Article 20?

NIS2 establishes maximum fines of €10M or 2% of global annual turnover for essential entities, and €7M or 1.4% of global annual turnover for important entities. Critically, several member state transpositions allow supervisory authorities to impose fines directly on management body members and to temporarily prohibit individuals from exercising management functions. Germany’s NIS2UmsuCG, for example, introduces management personal liability explicitly.

How does Article 20 training differ from general cybersecurity awareness training?

General cybersecurity awareness training (phishing simulations, password hygiene, device security) is aimed at employees and is covered by the encouragement to extend training to staff in Article 20(2). Article 20 board training is a governance-level obligation: it focuses on the management body’s ability to approve risk-management measures, oversee implementation, and assess the adequacy of the organisation’s cyber posture from a strategic perspective. The two types of training are complementary but not interchangeable.

Does Article 20 interact with DORA for financial entities?

Yes. Financial entities (banks, investment firms, insurance undertakings, and others covered by DORA) are subject to DORA’s ICT risk management requirements under Chapter II, which similarly require management body responsibility and training on ICT risks (DORA Article 5). Financial entities that are also NIS2 essential entities must ensure their governance frameworks satisfy both sets of requirements. DORA applies as lex specialis for the financial sector, but NIS2 gaps not covered by DORA still apply. IgeraRegTech covers both frameworks.

How frequently must Article 20 training be repeated?

The Directive uses the term “regular basis” without specifying a minimum interval. ENISA implementation guidance recommends annual refreshers as best practice. Several member state transpositions (including those of Belgium and the Netherlands) specify annual training as the minimum. Training should also be triggered by significant regulatory changes (new ENISA guidelines, material updates to national transposition) or major changes to the organisation’s threat landscape or ICT environment.

Our organisation uses a third-party CISO. Does Article 20 still apply to board members?

Yes. The use of a virtual CISO or outsourced security operations does not transfer the Article 20 training obligation away from the management body. The board must still be able to “identify risks and assess cybersecurity risk-management practices.” Relying entirely on a third-party CISO’s assurance without board members having the training to critically evaluate that assurance does not satisfy the obligation. The board must be an informed principal, not merely a passive recipient of security reports.

Article by the Igera Solutions editorial team. Based on NIS2 Directive (EU 2022/2555), ENISA NIS2 Implementation Survey 2025, and national transposition guidance, updated July 2026. Not legal advice.

COMPARTIR

Comparte el conocimiento con tu red