NIS2 Article 20 Explained: Management Body Training Requirements

Vlastimil Sindelar


The NIS2 Directive does not only impose cybersecurity obligations on technical teams. It also places direct responsibility on the management bodies of organisations.

Article 20 introduces a governance shift. Cybersecurity is no longer treated purely as an operational IT matter. It becomes a matter of organisational leadership and oversight.

One of the mechanisms used by the Directive to achieve this shift is a training requirement for members of the management body.

This article explains what NIS2 requires regarding management body training, why this requirement exists, and what organisations should be prepared to demonstrate in practice.


What does NIS2 require for management body training?

NIS2 requires members of the management bodies of essential and important entities to follow cybersecurity training so they can identify risks and assess cybersecurity risk management practices within their organisation. The objective is to ensure that leadership has sufficient knowledge to approve, oversee, and be accountable for the cybersecurity measures required under the Directive.

Article 20(2) states:

Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

This requirement introduces a clear expectation. Those responsible for approving and overseeing cybersecurity measures must have sufficient knowledge to understand the risks involved.


Why management body training is required

Article 20 establishes that management bodies must approve and oversee cybersecurity risk management measures implemented under Article 21.

The Directive states:

Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.

This creates a governance responsibility that goes beyond formal approval.

If management bodies must approve and oversee cybersecurity measures, they must also understand the risks those measures are designed to address.

Training therefore serves a specific purpose. It enables leadership to exercise meaningful oversight rather than simply endorsing technical decisions made elsewhere in the organisation.

The Directive also clarifies that these liability provisions are without prejudice to national law governing the liability of public institutions, public servants, and elected or appointed officials. As a result, specific liability frameworks may differ for public sector entities.


Management training versus employee training

Article 20(2) distinguishes between two types of training obligations.

Member States must ensure that members of the management body follow cybersecurity training. This is a mandatory requirement.

The same provision also states that Member States shall encourage entities to offer similar training to employees on a regular basis. This creates a softer expectation rather than a strict obligation.

However, this distinction is nuanced. While Article 20 only "encourages" employee training, Article 21(2)(g) explicitly lists "basic cyber hygiene practices and cybersecurity training" as one of the minimum cybersecurity risk management measures that entities must implement. Employee training therefore becomes effectively mandatory through the operational requirements of Article 21, even though Article 20 frames it as an encouragement.

In practice, this means leadership training is treated as a governance requirement under the Directive, while employee training is addressed through operational cybersecurity measures.

This distinction reflects the structure of the Directive. Article 20 focuses on governance responsibilities, while Article 21 focuses on operational cybersecurity risk management.


What the training is intended to achieve

The Directive does not prescribe a specific curriculum. However, Article 20(2) clearly defines the expected outcome.

Management bodies must gain sufficient knowledge and skills to:

  • identify cybersecurity risks
  • assess cybersecurity risk management practices
  • understand the impact of cybersecurity measures on organisational services

This does not mean board members need deep technical expertise. The requirement is about risk literacy and governance capability.

In practice, management bodies should understand topics such as:

  • the organisation's cybersecurity risk exposure
  • the potential impact of cybersecurity incidents on operations and services
  • the role of risk management measures required under Article 21
  • how human behaviour, supply chain risk, and operational practices influence cybersecurity outcomes

The objective is to enable informed oversight rather than technical execution.


Proportionality and the expected level of knowledge

The level of knowledge expected from management bodies should also be interpreted through the proportionality principle established in Article 21(1).

Cybersecurity measures must be appropriate and proportionate, taking into account factors such as the entity's size, its exposure to risks, and the likelihood and severity of incidents.

The same logic applies to leadership training. A large essential entity operating critical infrastructure will require deeper cybersecurity risk literacy than a smaller organisation with more limited exposure.

This proportionality principle allows organisations to design training programs that are aligned with their specific risk profile.


Enforcement and liability

NIS2 reinforces management accountability through enforcement powers granted to competent authorities.

Under Article 32(5)(b), authorities may temporarily prohibit natural persons acting as chief executive officers or legal representatives from exercising managerial functions if an entity fails to comply with the Directive.

Article 34 also introduces administrative fines. For essential entities, these may reach up to 10 million euros or 2 percent of total worldwide annual turnover.

These enforcement powers give practical consequences to the governance obligations introduced in Article 20. Management bodies are not only responsible for approving cybersecurity risk management measures. They may also face personal consequences if those responsibilities are not exercised properly.


What the Directive leaves open

The Directive intentionally leaves several aspects of the training requirement undefined.

It does not specify:

  • how frequently management body training must occur
  • the minimum duration of training programs
  • whether training must be delivered internally or by external providers
  • how training effectiveness should be assessed

These details are left to Member State transposition and organisational implementation.

As a result, organisations retain flexibility in designing leadership training programs as long as the objective of enabling effective oversight is achieved.


Questions supervisory authorities may ask

Organisations preparing for NIS2 implementation should expect supervisory authorities to assess how leadership fulfils its governance responsibilities.

Examples of questions authorities may ask include:

  • Have members of the management body received cybersecurity training?
  • Does the training help leadership understand the organisation's cybersecurity risk exposure?
  • Are management bodies able to assess cybersecurity risk management practices implemented under Article 21?
  • Can leadership meaningfully review and oversee cybersecurity risk management measures?
  • Is there documentation demonstrating that governance responsibilities are exercised in practice?

If organisations can answer these questions clearly and support them with documentation, they will be better prepared to demonstrate compliance with the governance expectations introduced by the NIS2 Directive.