
NIS2 Article 20 Explained: Governance, Oversight and Board-Level Cybersecurity Liability

Vlastimil Sindelar


NIS2 Article 20 is where cybersecurity becomes a governance obligation.

If Article 21 defines the operational measures, Article 20 defines who owns them. It shifts cybersecurity from a technical domain into formal board responsibility with explicit accountability.

This post breaks down what Article 20 requires, what it changes in practice, and what management bodies should be prepared to demonstrate during supervisory review.


What does NIS2 Article 20 require?

NIS2 Article 20 requires management bodies to approve cybersecurity risk-management measures, oversee their implementation, undergo cybersecurity training, and accept potential liability for non-compliance.

Cybersecurity is no longer only an IT responsibility. It is a governance duty.


1. Approval is not symbolic

Article 20(1) states that Member States shall ensure that management bodies:

"approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21"

Approval implies formal responsibility. It means the board has consciously reviewed and endorsed the cybersecurity framework.

This creates a direct structural link:

  • Article 21 defines what measures must exist
  • Article 20 defines who must approve them

A management body that has not formally reviewed and approved its cybersecurity risk-management approach cannot credibly claim governance compliance.


2. Oversight is an active obligation

Article 20(1) further requires that management bodies:

"oversee its implementation"

Oversight implies active supervision, not passive reporting. It requires that management bodies:

  • Receive structured reporting on cybersecurity risk
  • Understand the organisation's exposure
  • Challenge whether measures remain appropriate and proportionate
  • Ensure corrective actions are taken when weaknesses are identified

Oversight without understanding is not oversight. It is delegation without control.


3. Liability is explicitly written into the Directive

Article 20(1) provides that management bodies:

"can be held liable for infringements by the entities of that Article"

This is a fundamental shift.

Cybersecurity failures can now become governance failures. While Member States retain discretion regarding specific liability rules, particularly for public institutions, the principle for private entities is clear: oversight is enforceable.

The signal is unambiguous. Cybersecurity oversight is not symbolic. It carries accountability.


4. Board-level cybersecurity training is mandatory

Article 20(2) states that members of management bodies:

"are required to follow training"

The purpose of that training is explicitly defined:

"in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity"

This is governance training. It must enable management bodies to:

  • Identify cybersecurity risks
  • Assess whether risk-management measures are adequate
  • Understand how cybersecurity practices affect service continuity and resilience

A board cannot oversee what it does not understand.


5. Employee training is reinforced at governance level

Article 20(2) also states that Member States shall:

"encourage essential and important entities to offer similar training to their employees on a regular basis"

While Article 21 makes cybersecurity training mandatory as a risk-management measure, Article 20 reinforces the expectation that training is embedded across the organisation.

Governance and operational training are structurally connected:

  • Boards must understand cyber risk
  • Employees must practise cyber hygiene
  • Management must oversee both

This creates a top-down and bottom-up model of accountability.


What Article 20 really changes

Before NIS2, cybersecurity governance often functioned as a reporting routine:

  • IT reported to management
  • Management acknowledged updates
  • Cybersecurity remained largely technical

Under Article 20:

  • The management body must formally approve cybersecurity measures
  • The management body must oversee implementation
  • The management body must undergo training
  • The management body can be held liable

Cybersecurity becomes part of fiduciary responsibility.

The question shifts from:

"Is IT handling this?"

to:

"Have we exercised informed and documented oversight as a management body?"

That is a structural governance shift.


Practical checklist for management bodies

If you are part of a management body in scope of NIS2, you should be able to answer:

  • Have we formally approved our cybersecurity risk-management framework?
  • How is that approval documented?
  • What structured reporting do we receive on cybersecurity risk?
  • How do we challenge whether measures remain appropriate and proportionate?
  • Have all members undergone cybersecurity training?
  • Do we encourage regular cybersecurity training across the organisation?
  • Can we demonstrate informed oversight during supervisory review?

If you cannot answer these clearly, governance maturity may not yet align with regulatory expectation.