Perhaps the most significant shift in NIS 2 compared to its predecessor is Article 20 (Governance). For the first time in EU cybersecurity regulation, the management bodies of essential and important entities are explicitly required to:
- Approve the cybersecurity risk-management measures the entity takes to comply with Article 21
- Oversee the implementation of those measures
- Accept that they can be held liable for infringements
- Follow cybersecurity training themselves
What "Management Body" Means
The directive does not define the term precisely, so in practice it follows the company-law structure of each member state. Depending on your organizational structure, this means the board of directors, executive committee, managing directors, or whatever body holds ultimate decision-making authority. In an SMB, this is typically the CEO together with any co-founders or directors.
The Training Requirement
Article 20(2) requires members of management bodies to "follow training" so that they gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the entity's services; it also requires entities to encourage similar training for their employees on a regular basis. This isn't a suggestion; it is a requirement. Expect competent authorities to ask:
- When was the last cybersecurity training for your management body?
- What topics were covered?
- Can you provide attendance records?
Building the Evidence Trail
To demonstrate Article 20 compliance, document:
- Board resolutions approving your cybersecurity risk management framework
- Training records with dates, topics, and attendees
- Review minutes from periodic management reviews of the cybersecurity posture
- Delegation matrices showing who is responsible for what
Personal Liability Is Real
Articles 32(6) (essential entities) and 33(5) (important entities) require member states to make it possible to hold the natural persons who represent or control an entity liable for failing to ensure its compliance. For essential entities, Article 32(5) goes further and allows competent authorities to request that a CEO or legal representative be temporarily barred from exercising managerial functions until the infringement is remedied. How strictly these provisions bite depends on national transposition, and some member states have implemented them strictly. This is not theoretical: it changes the conversation at the board level from "is cybersecurity an IT problem?" to "is cybersecurity a board responsibility?" The answer, under NIS 2, is unequivocally yes.