NIS2 Personal Liability: What Company Directors Now Owe Their Organisation on Cybersecurity

Most NIS2 briefings I have seen presented to boards focus on the compliance programme: what the organisation needs to implement, what controls are required, what the incident reporting timeline is. They spend relatively little time on the governance fact that changes the board’s relationship to cybersecurity in a way that no previous regulation has.

Article 20 of NIS2 requires that management bodies of essential and important entities approve cybersecurity risk management measures, oversee their implementation, and — critically — can be held personally liable for non-compliance.

Personal liability, in this context, is not theoretical. The Directive gives Member States the authority to impose temporary bans on natural persons exercising management functions in an entity found to be in breach. Combined with financial penalties that can reach EUR 10 million or 2% of global turnover for essential entities, the NIS2 liability structure is the most direct regulatory intervention in director personal accountability for technology governance that has appeared in EU law.


Understanding what this means for a director’s obligations — not the company’s compliance obligations, the director’s personal obligations — is a governance question that is underserved in most NIS2 briefings.


Who is in scope

NIS2 applies to essential entities and important entities across sixteen sectors. The essential entity categories include: energy (electricity, oil, gas, hydrogen), transport (air, rail, road, water), banking and financial market infrastructure, health, drinking water and wastewater, digital infrastructure (DNS providers, TLD registries, cloud computing services, data centres, content delivery networks, managed service providers), and public administration.

Important entity categories include: postal and courier services, waste management, manufacture of critical products (pharmaceuticals, medical devices, chemicals), food, digital providers (online marketplaces, search engines, social networks), and certain manufacturing sectors.

The threshold is company size: for most sectors, entities with 50 or more employees and an annual turnover or balance sheet exceeding EUR 10 million are in scope. Some sectors have no size threshold.

If your company falls in scope — and if you operate in any of these sectors in the EU, it probably does — the Article 20 personal liability provision applies to your management body. In most EU jurisdictions, that means the board and the executive team.


What Article 20 specifically requires

The Directive’s requirements for management bodies are three:

First, approve cybersecurity risk management measures. The management body must formally approve — not just acknowledge — the organisation’s cybersecurity risk management measures. The implication: cybersecurity risk management is a board-level decision, not purely a management delegation. The board cannot treat cybersecurity as an operational matter and expect its governance obligation to be satisfied by receiving quarterly briefings.

Second, oversee implementation. The management body must oversee the implementation of the approved cybersecurity measures. Oversight requires mechanisms: board reporting from the executive team, assurance processes, and board access to information that would reveal whether the measures are functioning. Oversight also requires competence: Article 20 requires that management body members receive regular training “in order to have sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity.”

Third, be liable for non-compliance. This is the provision that changes the governance calculation. A director who has received a briefing but not approved measures, or who has approved measures but not overseen their implementation, or who has done both but cannot demonstrate they have done so, is personally exposed to the liability the Directive attaches to management body non-compliance.


The training obligation: a specific governance requirement

The training obligation in Article 20 is more specific than most boards have been told. It is not a suggestion that directors should be aware of cybersecurity in general. It is a requirement that management body members receive training sufficient to identify risks and assess cybersecurity risk management practices.

This is a measurable standard. A director who has not received structured cybersecurity training cannot demonstrate that they have sufficient knowledge and skills to assess whether the cybersecurity measures they are approving are adequate. The regulatory question is not whether the director is an expert — it is whether they have undertaken training that gives them the capability to exercise the oversight function the Directive assigns to them.

For most boards, the practical implication is a structured cybersecurity training programme for all board members, documented and dated, with a renewal schedule. This is not a significant burden — a half-day structured programme delivered annually satisfies the spirit of the requirement. The governance failure occurs when boards receive cybersecurity briefings framed as “here is what the company is doing” rather than “here is what you need to understand to fulfil your oversight obligation.”


The transposition question

NIS2 is a Directive, not a Regulation, which means it was transposed into national law across EU Member States by October 2024. The specific liability provisions — including the mechanisms for personal liability and the penalties attaching to management bodies — are determined by how each Member State transposed the Directive.

The UK, having left the EU, has the Network and Information Systems (NIS) Regulations 2018 and their subsequent updates. The UK’s framework does not replicate NIS2’s personal liability provisions directly, but the UK government’s post-Brexit cyber security review indicates further convergence with NIS2 standards is expected.

For boards of UK companies with EU operations, the EU transposition in the relevant Member States applies to those operations. For boards of companies operating exclusively in the UK, the UK NIS framework applies — though the governance principles are similar.

The governance implication: a company operating in multiple EU jurisdictions may be subject to NIS2 transpositions in several national laws simultaneously. The board should have confirmed — from legal counsel with EU cybersecurity regulatory expertise — which jurisdictions’ transpositions apply to the organisation and what the specific liability provisions are in each.


The governance position the board should be able to demonstrate

If a competent authority or a regulator asks the board to demonstrate compliance with Article 20, the board should be able to produce:

  • A board minute recording formal approval of the organisation’s cybersecurity risk management measures, dated within the last 12 months
  • Evidence of board-level oversight of cybersecurity — typically a standing cybersecurity item in board reporting, with documented review
  • Evidence of director training on cybersecurity, with dates and a description of the programme
  • A description of the board’s assurance mechanism — how the board receives evidence that the cybersecurity measures it approved are functioning

If the board cannot produce these four things, the governance position is not defensible against an Article 20 investigation, regardless of the quality of the organisation’s technical cybersecurity.


The Quantum Risk: What Directors Need to Know covers NIS2 personal liability in the context of the broader cybersecurity and quantum risk picture — including what the training obligation means in practice, how the post-quantum cryptography migration intersects with NIS2 compliance, and what the combined governance structure for a board managing both risks looks like.

For independent advisory support on cybersecurity governance at board level, visit Quantum Security Defence or contact Steven directly.

Steven Vaile

Board technology advisor and QSECDEF co-founder. Writes on AI governance, quantum security, and commercial strategy for boards and deep tech founders.