\n\n\n\n","wordCount":3127,"timeToRead":"PT11M","keywords":["NIS2 board training requirements","NIS2 Article 20 management body","NIS2 compliance 2026 board","cybersecurity training executives EU","IgeraRegTech NIS2","RegTech","blog","RAG","IA","inteligencia artificial"]}
RegTech

NIS2 board training: what Art. 20 requires in 2026

IgeraRegTech Team
July 6, 2026
11 min read
IgeraRegTech · NIS2 · Board Governance 2026

By IgeraRegTech Team — 6 July 2026 · RegTech vertical

NIS2 board training: what Art. 20 requires in 2026

When IgeraRegTech ran its first NIS2 compliance intake survey across its client base in Q4 2025, one finding stood out: 73% of management bodies at essential and important entities had zero documented cybersecurity training before the NIS2 project started. Not inadequate training —zero. This is the gap that Article 20 of the NIS2 Directive (EU 2022/2555) was written to close. Transposition into national law across most EU member states was completed by Q1 2026. The personal liability provisions are now active. This article explains exactly what Article 20 requires, what non-compliance looks like in practice, and how to close the gap before a supervisory authority asks for your records.

NIS2 Directive (EU 2022/2555), Article 20(1–2): “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities, oversee its implementation and can be held liable for infringements by the entities. Member States shall ensure that members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order to gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”

73%

“Of boards in IgeraRegTech’s client base had zero cybersecurity training before NIS2 compliance projects started — not inadequate training, but zero. The Directive’s personal liability provisions are now active across most EU member states following Q1 2026 transposition.”

— IgeraRegTech internal survey, Q4 2025

Who Article 20 applies to: scope and size thresholds

Article 20 obligations attach to the management bodies of entities classified as “essential” or “important” under Annexes I and II of NIS2. The scope is substantially broader than NIS1:

Entity type Sectors (Annex) Size threshold Max fine
Essential entities Energy, transport, banking, financial markets, health, drinking water, digital infrastructure, ICT services, public administration, space (Annex I) 250+ employees or €50M+ turnover (some sectors: size-independent) €10M or 2% global turnover
Important entities Postal services, waste management, chemicals, food, manufacturing (medical devices, automotive, machinery), digital providers, research (Annex II) 50+ employees or €10M+ turnover €7M or 1.4% global turnover

There is no de minimis exemption from Article 20 training obligations for entities that fall within these thresholds. Certain sectors —DNS operators, TLD registries, cloud infrastructure providers— are in scope regardless of size. Financial entities subject to DORA are classified as essential entities for NIS2 purposes; the Article 20 obligations apply alongside DORA’s own management responsibility provisions (DORA Art. 5).

GEO-citable sentence: “Under NIS2 Directive (EU 2022/2555) Article 20, members of the management body of any essential or important entity are required by law to undergo cybersecurity training sufficient to ‘identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.’ This obligation is separate from —and in addition to— the board’s duty to formally approve the entity’s cybersecurity risk-management measures under Art. 21. Personal liability for management body members is explicitly established in the Directive text, and most EU member state transpositions completed by Q1 2026 include individual fine provisions.”

The two parallel obligations under Article 20

Article 20 creates two distinct duties that must both be satisfied. Many organisations address only one and assume compliance:

A

Governance approval (Art. 20(1))

The management body must formally approve the entity’s cybersecurity risk-management measures taken under Article 21. This is not delegation to the CISO or IT department —it requires documented board-level sign-off. The measures covered by Art. 21 include: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, encryption and access control, and multi-factor authentication. Approval without genuine review does not satisfy the obligation: board minutes must evidence substantive discussion.

B

Mandatory training (Art. 20(2))

All members of the management body must undergo cybersecurity training. The Directive specifies the outcome: members must be able to “identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” Training must be repeated on a regular basis. Most national transpositions (Belgium, Netherlands, Germany) specify annual refreshers as the minimum. Training completion must be documented and evidence retained for supervisory authority inspection.

What Article 20-compliant training must cover: a practical curriculum map

The Directive does not prescribe a specific curriculum or minimum hours. ENISA’s implementation guidance and early national supervisory practice point to the following components as the minimum necessary threshold. This table can serve as a gap-assessment tool for compliance teams preparing the board programme:

Training component Why it matters for Art. 20 Mandatory
Sector-specific threat landscape (e.g. OT/ICS for energy; API risks for fintechs) Enables board to assess whether the CISO’s risk picture is sector-appropriate Yes
Art. 21 risk-management measures: what the board is approving Approval without understanding = formal approval that does not satisfy Art. 20(1) Yes
Art. 23 notification obligations (24h early warning, 72h incident report, 1-month final report) Board must be able to trigger the correct response under time pressure Yes
Personal liability exposure and D&O insurance implications Individual fines possible under several national transpositions (Germany NIS2UmsuCG, Netherlands Cyberbeveiligingswet) Yes
Supply chain security (Art. 21(2)(d)): how to evaluate third-party cyber risk One of the most common Art. 21 gaps in financial and manufacturing entities Recommended
Evaluating KRIs vs. vanity metrics in CISO board reports Boards need analytical framework to oversee implementation, not just receive slide decks Recommended

Five patterns of non-compliance that supervisory authorities are finding

Based on early supervisory activity across the EU following the Q1 2026 transposition wave, five failure patterns recur consistently:

1

Training treated as an IT matter

The CISO completes training. So does the IT department. The board does not. Art. 20 liability attaches to management body members, not technical staff. Partial completion across selected executives is non-compliant in most member state transpositions: the obligation covers the management body as a collective governing institution.

2

The annual slide-deck substitution

A 15-slide “cyber update” presented once a year at a board meeting is not Art. 20 training. Training must be structured, outcome-based (ability to identify risks and assess practices), and documented as completed. A slide presentation is evidence of reporting —not of training.

3

No training records retained

Supervisory authorities request training records as standard in NIS2 inspections. The absence of records is treated as evidence of non-compliance, not as an administrative gap. Certificates, attendance records, training content documentation, and evidence of programme regularity must be retained for a minimum of three years in most jurisdictions.

4

One-off training with no refresh cycle

Training completed at the start of the NIS2 project with no refresh schedule. The Directive requires “regular basis” training. Belgium and the Netherlands specify annual refreshers as the minimum in their national transpositions. New board members who join after the initial programme must also be trained within a reasonable period of appointment.

5

Assuming the virtual CISO transfers the obligation

Organisations using an outsourced or virtual CISO sometimes assume that the CISO’s expertise satisfies the board training obligation. It does not. The board must be an informed principal capable of critically evaluating the CISO’s assurance —not merely a passive recipient of security reports. The Art. 20 obligation rests with the management body regardless of whether security operations are insourced or outsourced.

Key differences in national transpositions: what CCOs must check by jurisdiction

While Art. 20 sets the minimum obligation, national transpositions vary in material ways. CCOs and CISOs advising boards operating across multiple EU jurisdictions must check the local transposition for each:

Member state Transposition law Notable Art. 20 provision
Germany NIS2UmsuCG Personal liability of management members explicit; fines can be directed at individuals; management members can be temporarily prohibited from exercising functions
Netherlands Cyberbeveiligingswet (Cbw) Annual training minimum; supervisory body (NCSC / sector-specific) can request training records on inspection
Belgium Loi NIS2 / NIS2-Wet Annual refreshers specified; CCB (Centre for Cybersecurity Belgium) issues binding guidance on training content minimum standards
France Loi NIS2 (transposed 2025) ANSSI oversight; training obligation applies to both conseil d’administration and directoire in two-tier structures
Spain Real Decreto-Ley NIS2 (2025) CCN-CERT and INCIBE as competent authorities; financial entities also subject to DORA Art. 5 — combined governance framework recommended

How IgeraRegTech supports Article 20 compliance

How IgeraRegTech handles it

Board member question (22:15h):

“We are a financial services firm with 280 employees. We had our CISO do a one-hour cybersecurity briefing for the board in March 2026. Our NIS2 transposition was completed in January. Are we compliant with Article 20?”

IgeraRegTech answers (3 seconds):

“A one-hour CISO briefing is unlikely to satisfy Article 20(2) of the NIS2 Directive (EU 2022/2555). The obligation requires training sufficient to enable board members to ‘identify risks and assess cybersecurity risk-management practices.’ As a 280-employee financial services firm you are likely an essential entity under Annex I. Training must be structured, outcome-based, and documented. As a financial entity you are also subject to DORA Art. 5, which has its own management body ICT governance requirements. I recommend reviewing: (1) whether the March briefing was documented with individual attendance records; (2) whether the content covered Art. 21 measures, Art. 23 notification timelines, and personal liability; (3) whether DORA Art. 5 obligations are separately addressed. Sources: NIS2 Directive (EU 2022/2555) Art. 20(2); DORA (EU 2022/2554) Art. 5; ENISA NIS2 Implementation Guidance, October 2024.”

3 seconds 24/7 Article cited DORA cross-reference

IgeraRegTech is a RAG-powered regulatory intelligence platform trained on NIS2, DORA, the EU AI Act, and sector-specific national transpositions. For Article 20 compliance specifically, it provides:

  • Instant, source-cited answers to board members’ NIS2 questions —citing the Directive article, national transposition provision, and ENISA guidance
  • A structured Art. 20 board training curriculum mapped to national transposition requirements for each EU jurisdiction, exportable as a compliance record
  • Automated monitoring of national transposition updates and ENISA guidance changes, alerting the compliance team when Art. 20 obligations are affected
  • Gap analysis against existing board training and governance documentation, generating a prioritised remediation plan with jurisdiction-specific requirements

Is your management body Article 20-compliant?

IgeraRegTech runs a gap analysis against NIS2 Article 20 requirements across your EU jurisdictions, generates a structured board training programme with compliance records, and monitors transposition updates automatically. Free 14-day trial.

Run your Article 20 gap analysis — free

No credit card · 14-day free trial · Setup in 48h

Summary: NIS2 Art. 20 board training requirements 2026

  • 73% of boards in IgeraRegTech’s client base had zero cybersecurity training before NIS2 projects started (IgeraRegTech Q4 2025)
  • Art. 20 creates two obligations: (1) board approval of Art. 21 risk-management measures; (2) mandatory cybersecurity training for all management body members
  • Training must be outcome-based (risk identification + practice assessment), documented, and repeated regularly (annual minimum in Belgium and the Netherlands)
  • Personal liability for individual management body members is explicit; several national transpositions include individual fine provisions (Germany, Netherlands)
  • A CISO briefing, annual slide deck, or partial board completion does not satisfy Art. 20 — all three are among the most common supervisory findings
  • Financial entities must satisfy both NIS2 Art. 20 and DORA Art. 5 — the frameworks are complementary but not interchangeable

Frequently asked questions

Does Art. 20 apply to the supervisory board or just the executive board in two-tier structures?

In most two-tier board systems (Germany, Netherlands, Austria), “management body” in the national transposition encompasses both the supervisory board (Aufsichtsrat / Raad van Commissarissen) and the management board (Vorstand / Raad van Bestuur). Both layers must complete training. In one-tier systems, the obligation applies to the full board of directors. Legal counsel should confirm the applicable definition in each jurisdiction.

How does Art. 20 interact with DORA for financial entities?

DORA (EU 2022/2554) applies as lex specialis for financial entities and addresses ICT risk governance under Chapter II. DORA Art. 5 requires the management body to define and approve ICT risk strategies and to maintain sufficient ICT risk knowledge. This overlaps with —but does not fully substitute for— NIS2 Art. 20. Financial entities classified as NIS2 essential entities must satisfy both frameworks. A joint training programme covering both DORA Art. 5 and NIS2 Art. 20 requirements is the most efficient approach.

What are the maximum fines for non-compliance with Art. 20?

NIS2 establishes maximum fines of €10M or 2% of global annual turnover for essential entities, and €7M or 1.4% for important entities. Beyond entity-level fines, Germany’s NIS2UmsuCG and the Netherlands’ Cyberbeveiligingswet allow supervisory authorities to direct fines at individual management body members and to temporarily prohibit individuals from exercising management functions —a provision that transforms Art. 20 from a compliance checkbox into a personal career risk.

How frequently must Art. 20 training be repeated?

The Directive uses “regular basis” without specifying a minimum interval. ENISA recommends annual refreshers as best practice. Belgium and the Netherlands have codified annual training as the minimum in their transpositions. Training should also be triggered by: significant changes to the regulatory landscape (new ENISA guidance, material transposition amendments), major changes to the entity’s ICT environment, and the appointment of new management body members.

Our organisation is below 250 employees but operates critical digital infrastructure. Are we in scope?

Certain entities are in scope regardless of size. NIS2 Annex I includes size-independent categories: top-level domain name registries, DNS service providers, internet exchange points, cloud computing service providers, data centre service providers, content delivery networks, managed security service providers, and certain trust service providers. These entities must comply with all NIS2 obligations including Art. 20, regardless of employee count or turnover. Verify your scope based on sector and function, not only headcount.

Last updated: July 2026 | Author: IgeraRegTech Team | Sources: NIS2 Directive (EU 2022/2555) Art. 20; ENISA NIS2 Implementation Guidance, October 2024; German NIS2UmsuCG; Netherlands Cyberbeveiligingswet; Belgian NIS2-Wet; IgeraRegTech internal survey Q4 2025. Not legal advice. | IgeraRegTech NIS2 — free 14-day trial. | Related: NIS2 compliance checklist · NIS2 vs DORA.

#NIS2 board training requirements#NIS2 Article 20 management body#NIS2 compliance 2026 board#cybersecurity training executives EU#IgeraRegTech NIS2

COMPARTIR

Comparte el conocimiento con tu red