NIS2 Article 20 has generated more anxiety in the CISO community than perhaps any other provision in recent European cybersecurity regulation. The anxiety is understandable — the word "liability" appears in proximity to "management bodies" and "natural persons" — but much of the conversation around it is imprecise, and imprecision breeds fear that is not proportionate to the actual legal exposure.
Here is what Article 20 actually requires, who it applies to, how Member States are transposing it differently, and what practical steps protect the individuals in scope. This is not legal advice. It is a technical reading of the text and its emerging transposition patterns, written for the security leaders who need to understand their exposure and communicate it accurately to their boards.
What Article 20 Actually Says
Article 20 of Directive (EU) 2022/2555 is titled "Governance." Its two paragraphs establish two distinct obligations.
Article 20(1) requires Member States to ensure that "the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article." Two details are easy to miss. First, the liability hook is tied to infringements of Article 21 (the risk-management measures), not to every obligation in the Directive. Second, the liability is exercised through national law: the paragraph closes by stating that it applies "without prejudice to national law as regards the liability rules applicable to public institutions, as well as the liability of public servants and elected or appointed officials."
Article 20(2) has two parts with different force. Member States "shall ensure that the members of the management bodies of essential and important entities are required to follow training", and Member States "shall encourage essential and important entities to offer similar training to their members of staff on a regular basis." The purpose clause applies to both: the training is there so that they "gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity." Only the first part is a hard requirement on the entity; the staff-training part is something Member States must encourage, not something the Directive itself mandates.
Several things are conspicuously absent from this text. There is no direct fine on individuals. There is no criminal liability created at the EU level. There is no mechanism by which a supervisory authority can personally fine a board member under the Directive itself. What Article 20(1) does is create a gateway: Member States must ensure that management bodies can be held liable, but the form, scope and severity of that liability (civil claims by the entity, administrative measures, or something else) are left to national transposition law.
This distinction matters enormously. Article 20 does not say "CISOs will be fined." It says management bodies must approve and oversee cybersecurity measures, and national law must make it possible to hold them liable when the entity breaches Article 21.
Management Body ≠ CISO: Who Is Actually Liable
The Directive uses the term "management bodies" without defining it exhaustively. Recital 77 provides guidance, referring to "natural or legal persons who are part of the management of the entity by virtue of an agreement, law, or the entity's articles of association" and who are "authorised to represent the entity, take decisions on behalf of the entity, or exercise control over the entity."
In most corporate law systems across the EU, this means the executive board (Vorstand, conseil d'administration, bestuur) and, in dual-board systems, potentially the supervisory board. It means the CEO, CFO, CTO, and other C-suite officers who sit on the management body. In smaller entities, it means the managing director.
It does not automatically mean the CISO. In most European corporate structures, the CISO is not a member of the management body. They report to the CTO, the CRO, or (increasingly) directly to the CEO, but they do not hold a board seat. Unless a CISO is formally appointed to the management body — which is uncommon — they are not within the scope of Article 20(1) liability.
This does not mean CISOs are entirely insulated. National employment law, contractual obligations, and professional negligence standards all create separate exposure. But the specific liability pathway created by NIS2 Article 20 targets the management body, not individual security practitioners.
The practical consequence: CISOs should be less worried about their personal liability under Article 20 and more focused on ensuring that their management body understands and fulfils its approval and oversight obligations. If the board fails to approve cybersecurity measures and an incident occurs, it is the board's exposure — and the CISO's evidence trail of recommendations and escalations — that determines who is accountable.
Member State Variation: Three Transposition Approaches
NIS2 is a Directive, not a Regulation. Member States have discretion in how they transpose its provisions into national law. Article 20's liability language is intentionally flexible, and early transposition patterns reveal three distinct approaches.
Germany: Evolution from IT-SiG 2.0. Germany's transposition builds on the existing IT-Sicherheitsgesetz 2.0 framework. The German approach emphasises the Geschäftsleitung (management body) obligation to approve cybersecurity measures and requires that management body members personally undertake cybersecurity training. Critically, the German transposition includes provisions allowing the BSI to issue instructions to management bodies of essential entities. The liability dimension connects to existing German corporate law (GmbHG, AktG), where management body members already face personal liability for failure to comply with statutory obligations. NIS2 transposition adds cybersecurity governance to the list of such obligations. Damages claims from the entity against its own management body members (Innenhaftung) are the primary liability pathway.
The Netherlands: Replacing the Wbni framework. The Netherlands is transposing NIS2 through the Cyberbeveiligingswet (Cbw), which replaces the existing Wet beveiliging netwerk- en informatiesystemen (Wbni) rather than amending it. The Dutch approach maintains a pragmatic tone, focusing on the management body's duty of care rather than creating new punitive mechanisms. The liability provisions reference existing Dutch civil law frameworks for management body responsibility. The emphasis is on demonstrating that the management body exercised reasonable oversight; in effect, a due diligence defence is built into the structure. For essential entities, the competent supervisory authority (for several sectors the Rijksinspectie Digitale Infrastructuur) can impose compliance orders that, if violated, escalate to administrative fines against the entity. Personal liability remains a civil law matter between the entity and its management body members.
Belgium: Explicit administrative sanctions. Belgium's transposition takes a more assertive approach. The Belgian law includes provisions for the supervisory authority to request that management body members be temporarily prohibited from exercising management functions, giving direct effect to the power that NIS2 Article 32(5)(b) requires Member States to make available for essential entities. This is the most muscular version of the Article 20 liability pathway: a competent authority can effectively have a director removed from their position for persistent failure to comply with cybersecurity governance obligations. As in the Directive, this power is limited to essential entities, is subject to proportionality requirements, and is only available after earlier enforcement measures have failed.
The variation across these three approaches illustrates why generic statements about "NIS2 personal liability" are misleading. The liability landscape depends on where your entity is established, which supervisory authority has competence, and how that Member State has chosen to implement the Directive's provisions, including those that leave Member States room in how the required powers are exercised.
The Training Obligation: What "Sufficient Knowledge" Means
Article 20(2) requires management body members to "follow training" to "gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."
This is not a checkbox exercise. The training must result in the management body being able to:
- Identify cybersecurity risks relevant to the entity's operations — not at a technical level, but at a strategic level that enables informed approval of risk-management measures
- Assess cybersecurity risk-management practices — evaluate whether the measures proposed by the security team are adequate given the entity's risk profile, sector, and criticality
- Understand the impact of those practices on the entity's services — recognise trade-offs between security controls and operational performance
What constitutes "sufficient knowledge" is likely to be tested by supervisory authorities in enforcement actions. An entity that can demonstrate regular, substantive board-level cyber risk briefings (not just annual awareness slides, but quarterly sessions covering threat landscape changes, control performance metrics, and incident lessons learned) will be in a stronger position than one that can only produce certificates of attendance for generic cybersecurity webinars.
The staff-training dimension is softer in the Directive than often reported: Article 20(2) says Member States "shall encourage" essential and important entities to offer similar training to their members of staff on a regular basis. Whether that becomes a binding, auditable obligation depends on the transposing law. Where a Member State has made it mandatory, it creates a documented, recurring obligation that supervisory authorities can audit; where it has not, regular staff training is still the obvious way to show that the management body's oversight reaches the people who operate the controls.
Documentation as Defence
If Article 20 creates accountability, documentation creates the defence. The management body's ability to demonstrate that it fulfilled its governance obligations depends entirely on the quality of its records.
Effective Article 20 documentation includes:
Board-level cybersecurity approval records. Minutes or formal resolutions showing that the management body reviewed and approved the entity's cybersecurity risk-management measures under NIS2 Article 21. These should reference specific measures (incident handling procedures, business continuity plans, supply chain security assessments) rather than generic "we approve the cybersecurity programme" language.
Risk acceptance decisions. Where the management body accepts residual risk — because full mitigation is disproportionate, technically infeasible, or economically unreasonable — the rationale must be documented. This is the management body's primary exposure point: an incident that exploits a risk the board explicitly accepted is defensible if the acceptance was informed and proportionate. An incident that exploits a risk the board never evaluated is not.
Training records. Attendance logs, training materials, and assessment results for management body training. The training content should be substantive enough that an auditor or supervisory authority can verify that it addressed the entity's specific risk profile, not just generic cybersecurity awareness.
Escalation records. Documentation showing that the security team escalated concerns to the management body. This is where the CISO's interests and the board's interests align: a CISO who documented escalation of an unmitigated vulnerability that later led to a breach has created a record that protects the CISO and exposes the board. A board that can show it acted on escalations has a defence; a board that ignored them does not.
Oversight evidence. Records of ongoing monitoring — not just initial approval. Quarterly executive dashboard reviews, control performance reports, and incident trend analyses demonstrate active oversight rather than one-time rubber-stamping.
The Temporary Ban Provision: When Member States Can Remove Directors
NIS2 Article 32(5)(b) provides that, for essential entities, Member States shall ensure that competent authorities have the power to "request the relevant bodies or courts, in accordance with national law, to temporarily prohibit any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity from exercising managerial functions in that entity."
This is the provision that generates the most alarm. Read carefully, it is narrower than it appears:
- It applies only to essential entities, not important entities
- It is a power of last resort within the Directive itself: Article 32(5) makes it available only where the enforcement actions in Article 32(4) (such as binding instructions, compliance orders and fines) have proven ineffective and the entity has failed to act within a deadline set by the competent authority
- It requires a request to a court or other relevant body under national law; the Directive does not give the supervisory authority power to remove a director unilaterally
- It targets persons at CEO or legal representative level, not the entire management body
- It is a temporary prohibition, not a permanent bar: under Article 32(6) it applies only until the entity takes the necessary action to remedy the deficiencies or to comply with the authority's requirements
- It is subject to national law procedural requirements, which in most Member States include due process protections
The provision is best understood as the final step in an escalation ladder: it is aimed at management bodies that persistently refuse to comply with cybersecurity obligations despite earlier enforcement measures (compliance orders, administrative fines) and an expired deadline. It is not a mechanism that will be used against a management body that made a good-faith effort to implement NIS2 measures and experienced an incident despite those efforts.
No Member State had invoked this provision as of January 2026. Its practical impact may be less about actual use and more about the incentive it creates for management bodies to take supervisory authority compliance orders seriously.
Key Takeaways
- Article 20 creates a framework for liability, not automatic personal fines. The Directive obliges Member States to make management bodies liable for the entity's breaches of Article 21, but the mechanism and severity of that liability depend entirely on national transposition. Know your Member State's specific provisions.
- "Management body" means the board, not the CISO. Unless a CISO holds a formal board seat, they are not within the direct scope of Article 20 liability. CISOs should focus on documenting their recommendations and escalations, ensuring the board has the information it needs to fulfil its approval and oversight obligations.
- Documentation is the primary defence. Board approval records, risk acceptance rationale, training evidence, escalation logs, and oversight records collectively demonstrate that the management body fulfilled its Article 20 obligations. Without these records, liability exposure increases materially.
- The temporary ban provision is a last resort, not a first strike. Article 32(5)(b) applies only to essential entities, is triggered only after earlier enforcement measures have failed and a deadline has expired, routes through a court or other relevant body under national law, and targets CEO-level officers. It is not a credible threat to management bodies that engage in good-faith compliance efforts.