AI Regulatory Intelligence — by YRproject


Explainer

NIS2 and board accountability: what must management do?

Adopted 2026-06-16 · ≈ 1 min read · Dirk Baaijen

Under NIS2 the management body must approve the cybersecurity measures, oversee their implementation, undergo mandatory training, and can be held liable for breaches of these duties.

Short answer: NIS2 makes the management body itself responsible for cybersecurity. Management must approve the risk-management measures, oversee their implementation and undergo training. Member States must provide for the possibility of holding management members liable for breaches of these duties.

The responsibility of the management body (Art. 20)

Article 20 of Directive (EU) 2022/2555 places cybersecurity explicitly at leadership level. The management bodies of essential and important entities must approve the risk-management measures referred to in Article 21 and oversee their implementation. The directive makes clear that this is not an IT detail to be delegated away: it is a governance task.

Liability and training

Article 20 provides that Member States ensure management members can be held liable for breaches of the obligations on risk-management measures. The directive further requires management members to follow regular training so they have sufficient knowledge to identify and assess cybersecurity risks. Management is encouraged to offer comparable training to staff.

What must the board do in practice?

  • Approve — formally decide on the security policy and the Article 21 measures (incl. risk analysis, incident handling, supply chain, continuity).
  • Oversee — periodically review and record implementation and effectiveness.
  • Train — management members complete training on cybersecurity risks.
  • Document — record decisions, approvals and oversight so the duty of care is demonstrable.

Note: enforcement via national transposition

NIS2 is a directive; the precise sanctions and the shape of liability are set in the national legislation transposing it. For your situation, consult the text of the directive and the European Commission's guidance, and follow the national implementation and the designated competent authority.


Sources

  1. Directive (EU) 2022/2555 (NIS2): management governance (Art. 20) and risk-management measures (Art. 21). https://eur-lex.europa.eu/eli/dir/2022/2555/oj
  2. European Commission — NIS2: governance and responsibility of management bodies. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
