Management Accountability Under NIS2: Why Cybersecurity Is Now a Board Issue

One of the most significant — and often under-reported — features of the NIS2 Directive is the explicit obligation it places on organizational leadership. For the first time in EU cybersecurity legislation, boards of directors, chief executives, and senior management are personally accountable for their organization's cybersecurity posture.


The Legal Basis: Article 20 of NIS2

Article 20 of the NIS2 Directive is titled "Governance" and establishes the core management accountability framework:

  1. Management bodies must approve the cybersecurity risk management measures adopted by the organization
  2. Management bodies must oversee the implementation of those measures
  3. Management bodies are accountable if their organization infringes NIS2 obligations due to governance failures
  4. Management body members must undergo training to maintain sufficient knowledge to identify and assess cybersecurity risks and their business impact

These requirements apply to all NIS2-covered entities, both Essential and Important entities alike.

What Does "Cybersecurity Governance" Mean in Practice?

Approval Authority

The board or equivalent governing body must formally approve:

  • The organization's cybersecurity risk management framework
  • Significant changes to cybersecurity strategy or major investment decisions
  • Incident response plans and business continuity policies
  • The organization's NIS2 compliance program

This means cybersecurity decisions can no longer be delegated entirely to the IT department. Board sign-off is required for foundational security posture decisions.

Oversight Responsibility

Boards must actively monitor and review cybersecurity:

  • Regular reporting from the CISO (Chief Information Security Officer) or equivalent to the board
  • Board-level KPIs for cybersecurity performance
  • Review of significant incidents and near-misses
  • Oversight of the organization's compliance with NIS2 obligations

Training Obligations

NIS2 explicitly requires that management body members have sufficient cybersecurity knowledge. This does not mean all directors must become security experts — but they must understand:

  • The cybersecurity risk landscape relevant to their organization
  • The business impact of potential cybersecurity incidents
  • NIS2 obligations and the consequences of non-compliance
  • Basic cybersecurity concepts relevant to their sector

Many organizations are incorporating NIS2-specific board briefings and annual cybersecurity training sessions for senior leadership as a result.

Personal Liability: What Can Happen to Individual Executives?

When an organization is found to have infringed NIS2 due to management failures, national supervisory authorities can:

  1. Issue personal fines against individual managers responsible for the failure
  2. Temporarily prohibit a natural person from exercising managerial functions (essentially banning an executive from their role)
  3. Require public announcement identifying the responsible natural persons

This is a substantial departure from the traditional model where regulatory fines fall entirely on the corporate entity. With personal liability on the table, cybersecurity decisions now carry direct personal financial and professional consequences for executives.

Why This Change Was Made

The inclusion of management accountability in NIS2 was a deliberate policy choice by EU legislators. The rationale was clear: previous cybersecurity frameworks failed in part because organizational leadership did not treat cybersecurity as a strategic priority. When cybersecurity was treated as a purely technical matter owned by the IT team, investment was chronically underfunded and governance was inadequate.

By making management personally accountable, NIS2 aims to:

  • Drive cybersecurity to the top of the corporate agenda
  • Ensure adequate resources are allocated to security programs
  • Create cultural change — security is a business risk, not an IT problem
  • Align incentives — executives now have personal financial and professional skin in the game

The CISO's Evolving Role

NIS2's management accountability framework significantly elevates the role of the Chief Information Security Officer (CISO) or equivalent:

  • CISOs need direct reporting lines to the board (not buried under the CTO or CIO)
  • CISOs need sufficient authority and budget to implement required measures
  • CISOs need support from legal, compliance, and operations teams
  • CISO recommendations that management rejects must be documented, both to protect the CISO and to demonstrate that governance took place

Organizations that don't yet have a designated CISO-equivalent should consider appointing one or engaging an external vCISO (virtual CISO) to provide the required governance function.

Practical Steps for Boards and Senior Management

1. Put Cybersecurity on the Board Agenda

Schedule a dedicated board-level review of your organization's NIS2 compliance status. This should occur at least annually, and more frequently during active compliance programs.

2. Commission a Cybersecurity Risk Report

Ask for a clear, non-technical summary of:

  • Your organization's NIS2 classification
  • Current cybersecurity risk exposure
  • Gaps in compliance with NIS2 Article 21 requirements
  • Proposed remediation roadmap and investment required

3. Formally Approve Key Policies

Document the board's formal approval of:

  • The cybersecurity risk management framework
  • The incident response plan
  • The NIS2 compliance program and roadmap

4. Complete Management Training

Arrange appropriate cybersecurity briefings for all board members and senior executives. This training should be tailored to non-technical audiences and focus on governance, risk, and business impact rather than technical detail.

5. Establish Ongoing Oversight Mechanisms

Create or enhance reporting structures that give the board regular visibility into:

  • Security incidents and near-misses
  • Compliance program progress
  • Changes in the threat landscape
  • Key security metrics (e.g., patching currency, phishing click rates, MFA coverage)
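The metrics listed above only help the board if they are computed the same way every quarter and tied to agreed thresholds. The following Python script is an added example, not part of the original article, showing how a security team might turn raw inventory data into a board-ready red/amber/green summary. All hosts, accounts, phishing figures and thresholds (the 14-day patch SLA, the RAG cut-offs) are constructed assumptions for illustration and should be replaced with the organization's own policy values.

```python
"""Board-level security KPI report computed from constructed sample data.

Added example; the inventory, the 14-day patch SLA and the RAG thresholds
are assumptions, not values from any real environment or from NIS2 itself.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Host:
    name: str
    last_patched: date            # date the host was last patched
    critical_patch_released: date  # release date of the newest critical patch


@dataclass(frozen=True)
class Account:
    user: str
    mfa_enabled: bool


@dataclass(frozen=True)
class PhishingSim:
    emails_sent: int
    clicked: int


PATCH_SLA_DAYS = 14  # assumed policy: critical patches applied within 14 days

# Constructed sample inventory (hypothetical hosts and users)
HOSTS = [
    Host("web-01", date(2024, 2, 20), date(2024, 2, 15)),
    Host("web-02", date(2024, 1, 10), date(2024, 2, 15)),
    Host("db-01", date(2024, 2, 1), date(2024, 2, 25)),
    Host("app-01", date(2024, 2, 28), date(2024, 2, 15)),
    Host("app-02", date(2023, 12, 1), date(2024, 1, 5)),
]
ACCOUNTS = [
    Account("alice", True), Account("bob", True), Account("carol", False),
    Account("dave", True), Account("erin", True), Account("frank", False),
    Account("grace", True), Account("heidi", True),
]
PHISHING = PhishingSim(emails_sent=400, clicked=22)

# Assumed RAG thresholds: (green_bound, amber_bound, higher_is_better)
THRESHOLDS = {
    "patch_currency": (0.95, 0.85, True),
    "mfa_coverage": (0.99, 0.90, True),
    "phishing_click_rate": (0.03, 0.06, False),
}
_SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}


def patch_currency(hosts, as_of, sla_days=PATCH_SLA_DAYS):
    """Share of hosts that have the newest critical patch applied, or whose
    patch is still inside the SLA grace window as of the report date."""
    current = 0
    for h in hosts:
        applied = h.last_patched >= h.critical_patch_released
        within_sla = (as_of - h.critical_patch_released).days <= sla_days
        if applied or within_sla:
            current += 1
    return current / len(hosts)


def mfa_coverage(accounts):
    """Fraction of accounts with MFA enforced."""
    return sum(1 for a in accounts if a.mfa_enabled) / len(accounts)


def phishing_click_rate(sim):
    """Fraction of simulated phishing emails that were clicked."""
    return sim.clicked / sim.emails_sent


def rag_status(metric, value):
    """Map a metric value onto GREEN/AMBER/RED using the assumed thresholds."""
    green, amber, higher_is_better = THRESHOLDS[metric]
    if higher_is_better:
        return "GREEN" if value >= green else "AMBER" if value >= amber else "RED"
    return "GREEN" if value <= green else "AMBER" if value <= amber else "RED"


def build_board_report(as_of, hosts=HOSTS, accounts=ACCOUNTS, sim=PHISHING):
    """Return each KPI with its status plus the worst status as 'overall'."""
    values = {
        "patch_currency": patch_currency(hosts, as_of),
        "mfa_coverage": mfa_coverage(accounts),
        "phishing_click_rate": phishing_click_rate(sim),
    }
    report = {m: {"value": round(v, 4), "status": rag_status(m, v)}
              for m, v in values.items()}
    report["overall"] = max((r["status"] for r in report.values()),
                            key=_SEVERITY.get)
    return report


if __name__ == "__main__":
    for metric, entry in build_board_report(date(2024, 3, 1)).items():
        print(metric, entry)
```

The report deliberately reduces each metric to a single number and a colour, which is the level of detail the article recommends for a non-technical audience; the thresholds are where board approval matters, since they encode the risk appetite the board is signing off on.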

A Note on D&O Insurance

Directors and Officers (D&O) liability insurance is worth reviewing in light of NIS2's personal liability provisions. As personal liability for cybersecurity failures becomes more concrete, D&O policies may need to be updated to address potential cybersecurity-related personal liability claims. Consult your insurance broker for guidance.

The Cultural Shift: From IT Problem to Business Risk

The deepest impact of NIS2's management accountability provisions may be cultural. The most successful organizations will be those that genuinely internalize cybersecurity as a business risk to be managed at the highest level — not a compliance box to be checked.

This means:

  • Cybersecurity is discussed at the same level of seriousness as financial risk, legal risk, and reputational risk
  • Investment decisions on cybersecurity are made with the same rigor as other significant capital expenditures
  • The "tone from the top" on security is clear, consistent, and credible

Organizations that achieve this cultural shift will not only be better positioned for NIS2 compliance — they will be genuinely more secure and more resilient.

Conclusion

NIS2's management accountability provisions are a watershed moment for cybersecurity governance in Portugal and across the EU. Boards and executives who continue to treat cybersecurity as a purely technical domain run serious risks — financial, professional, and reputational.

The message is clear: cybersecurity is now a board-level responsibility, and the law reflects that. Start by understanding your organization's NIS2 classification with our free assessment tool and then bring the results to your next board meeting.

Note:

This article is for informational purposes only and does not constitute legal advice. Consult qualified legal and cybersecurity professionals for organization-specific guidance.
