
NIS2 Article 20: 5 Boardroom Responsibilities Directors Cannot Delegate
Alexandre Durand
Editorial Director — Cybersecurity Expert
Article 20 of Directive 2022/2555 moves cybersecurity formally into the boardroom. Management bodies of essential and important entities now carry five personal responsibilities that cannot be fully delegated to IT, to the CISO, or to the audit committee.
Responsibility 1 — Formally approve the cybersecurity risk management measures
The directive requires the board to "approve" (not merely acknowledge) the measures listed in Article 21: risk analysis policy, incident handling, business continuity, supply chain security, cryptography, access control, multi-factor authentication, cyber hygiene, human resources security, and more. Approval must be documented in board minutes with a formal vote, at least annually. A silent noting in the minutes is not approval.
Responsibility 2 — Supervise implementation over time
Approval alone is not enough. The board must receive periodic reports on risk treatment progress, incident history, pentest results, budget consumption, and compliance with internal frameworks (ISO 27001, NIST CSF). Quarterly reporting to the board is becoming the market standard across essential entities.
Supervision requires critical capacity, not just receipt of a report. A board approving a cybersecurity budget at 0.3% of revenue without questioning the ENISA sector median (roughly 1% to 2%) cannot credibly claim to have supervised. This is where the training obligation (Responsibility 4) becomes operational.
Responsibility 3 — Bear personal liability for failure
Article 32(6) allows competent authorities (national CSIRTs, NCSCs, and dedicated NIS2 supervisors) to impose temporary management bans on individual directors in cases of serious non-compliance. Liability is assessed against the duty of care. A director who approved proportionate measures, supervised them with traceable indicators, and allocated reasonable resources will not be held personally liable for an isolated incident. A director who ignored repeated CISO alerts or refused a documented budget request will be.
Responsibility 4 — Complete mandatory cybersecurity training
Article 20(2) requires management body members to undergo training that enables them to identify cybersecurity risks and management practices, and to assess their impact on the entity's services. Attendance must be logged and produced on request during an audit. A 4- to 8-hour annual module, refreshed whenever the mandate changes, is considered proportionate across most national guidance.
The training obligation extends further: Article 20(2) also requires entities to "encourage" regular training of their staff. Without staff training, the Article 21 obligations on cyber hygiene and human resources security cannot realistically be met.
Responsibility 5 — Allocate adequate resources
Approving measures without budget is empty approval. The board should annually validate three figures: the cybersecurity budget (as a share of IT spend), headcount (CISO, SOC analysts, security engineers), and contracted external services (incident response retainers, auditors, consultants). Mature essential entities report 8% to 12% of IT budget dedicated to cybersecurity, with at least a full-time CISO reporting to the executive committee.
A board that approves an obviously under-dimensioned budget takes a personal risk. After a major incident, the gap between allocated resources and mapped risks becomes central to any personal liability case.
What competent authorities look for in an audit
During an inspection, national NIS2 authorities typically request: board minutes covering cybersecurity (at least one per year expected), the formal approval decision for risk management measures, periodic CISO reports to the board (quarterly expected), training attestations for each member, the signed information security policy, the multi-year security budget plan, the board-validated cyber risk map, and the incident register. Absence of written evidence is treated as absence of diligence.
Where to start on a board that has nothing formalised
The 12-month roadmap breaks down into four steps. First, add cybersecurity as a standing agenda item at board level — quarterly at minimum. Second, organise an initial training session for all members, with individual attestations. Third, task the CISO (or an external provider) with producing a structured file: risk map, treatment plan, budget, tracking indicators. Fourth, formally approve the file in session, with detailed minutes.
Organisations with subsidiaries must note that Article 20 applies at the level of each covered entity, not only at group level. A subsidiary classified as essential or important must have its own management body approve and supervise — a "principle delegation" to headquarters does not satisfy the obligation.
*This article is for informational purposes only and does not constitute legal advice.*
