NIS2 management accountability is no longer a topic only for the CISO or security team. Under Article 20 of the NIS2 Directive, cybersecurity governance becomes a management responsibility. NIS2 management accountability means the management body of an essential or important entity must approve cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training, and keep evidence that governance decisions were reviewed and acted on.
That changes the board conversation. NIS2 Article 21 explains the cybersecurity measures an essential or important entity must take. Article 20 explains who must approve and oversee those measures.
For EU companies in scope of NIS2, this means cybersecurity governance needs a board-level audit trail. A security policy sitting in a shared folder is not enough. Management needs evidence that security measures were reviewed, approved, monitored, and revisited when risks changed.
This article explains the five management actions under Article 20, what evidence each action creates, and how Dutch companies should read Article 20 while the Cyberbeveiligingswet moves through its final implementation stage.
TL;DR
NIS2 Article 20 makes cybersecurity a management responsibility. Company leadership must approve Article 21 security measures, oversee implementation, complete cybersecurity training, understand liability under national law, and keep governance active over time. The strongest evidence is not a policy document alone. It is the management audit trail: board minutes, training records, oversight reports, and review decisions.
- Article 20 applies to the management bodies of essential and important entities.
- The board cannot approve a generic IT budget and treat that as NIS2 oversight.
- Article 20(1) links liability to infringements of Article 21, subject to national law.
- Article 20(2) requires management body members to follow training.
- The practical evidence starts with board minutes and continues through regular oversight.
Article 20 explains management accountability, but financial exposure sits in a separate enforcement layer. For the fine thresholds and liability context, see the breakdown of NIS2 fines and personal liability for management.

Why Article 20 is different from other NIS2 requirements
Most NIS2 guidance focuses on Article 21. That makes sense. Article 21 covers the cybersecurity risk-management measures that companies must implement, including policies, incident handling, business continuity, supply chain security, vulnerability handling, access control, and security training.
Article 20 is different. It is not mainly addressed to the technical team. It is addressed to the management body.
That distinction matters because Article 20 creates a governance duty. Management bodies must approve the cybersecurity risk-management measures taken to comply with Article 21, oversee their implementation, and can be held liable for infringements by the entity, in line with national law. Article 20(2) also requires management body members to follow training so they can identify risks and assess cybersecurity risk-management practices.
A board cannot simply say, “We left this to IT.” The CISO can design and operate the security programme. The CTO can lead implementation. The compliance officer can coordinate evidence. But Article 20 keeps approval and oversight at management level.
The practical consequence is simple: the board needs to understand what it is approving. A signature on a policy is weak evidence if the minutes do not show what was reviewed, what was approved, who was present, and how implementation will be monitored.
The five management actions under Article 20: what management must do

Article 20 is short, but it creates several practical actions for company leadership. For a company in scope of NIS2, management should be able to show five things: approval, oversight, training, liability awareness, and ongoing governance.
These are not five separate paragraphs in the Directive. They are five management actions that follow from Article 20(1), Article 20(2), and the governance work needed to keep Article 20 evidence current.
Obligation 1: Approve cybersecurity risk-management measures
Article 20(1) requires management bodies of essential and important entities to approve the cybersecurity risk-management measures taken by those entities to comply with Article 21. That means approval must refer to the security measures NIS2 expects, not only to a general IT or security budget.
In practice, approval should happen as a board-level agenda item. The management body should receive the Article 21 programme, review the measures, ask questions about risk and coverage, and record the approval in board minutes.
A weak approval record says: “Cybersecurity update discussed.”
A stronger approval record says: “The board reviewed and approved the NIS2 Article 21 cybersecurity risk-management programme, including access control, incident handling, supply chain security, business continuity, vulnerability handling, and training measures.”
The second version creates an audit trail. It shows the board approved a defined programme, not an abstract security ambition.
Obligation box — Article 20(1): Management bodies must approve the cybersecurity risk-management measures taken to comply with Article 21.
Evidence required: Board meeting minutes documenting presentation, review, and formal approval of the Article 21 cybersecurity risk-management programme. The minutes should record the date, attendees, decision, and any conditions or follow-up actions.
Obligation 2: Oversee implementation of security measures
Article 20(1) requires management bodies to oversee the implementation of the approved cybersecurity risk-management measures. The board does not need to manage firewall rules or vulnerability tickets. It does need a controlled process for checking whether the approved programme is being implemented.
This is where many companies create a gap. They approve a security roadmap once, then treat implementation as an IT matter. Under Article 20, the board should receive regular status reporting. That reporting should answer three questions:
- Which measures have been implemented?
- Which measures are delayed or incomplete?
- Which risks require board-level decision or budget?
For higher-risk sectors, quarterly board-level reporting is a practical baseline. For companies with lower risk exposure, the cadence may differ, but the principle is the same: implementation oversight must be documented.
Security incidents should also feed into the board cycle. If a material incident occurs, management should see the incident outcome, the control gap, the remediation decision, and whether the Article 21 programme needs to change.
Obligation box — Article 20(1): Management bodies must oversee the implementation of the cybersecurity risk-management measures they approve.
Evidence required: Quarterly security status reports, board or committee minutes showing review of implementation status, incident escalation records, and documented decisions on unresolved risks.
Incident oversight also depends on timing. If management only hears about a material incident after the reporting window has passed, the governance process is already weak. Leadership should understand how the NIS2 Article 23 incident reporting timeline works, because the 24-hour, 72-hour, and one-month stages affect both operational response and board-level reporting.
Obligation 3: Undergo regular cybersecurity training
Article 20(2) requires members of the management bodies of essential and important entities to follow training. The purpose is not basic awareness only. The training must help them gain enough knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
This matters because Article 20 expects informed approval. A board member cannot assess a cybersecurity risk-management programme if they do not understand the risks, the measures, or the operational impact. Training should cover the management-level topics Article 20 creates:
- what NIS2 requires from the organisation;
- how Article 20 connects to Article 21 measures;
- which risks affect the entity’s services;
- how incidents are escalated and reviewed;
- what evidence is needed for oversight;
- how liability may apply under national law.
A one-hour generic cyber awareness module is unlikely to be enough for board-level accountability. The training should help management make better decisions about risk, funding, priorities, and oversight.
Obligation box — Article 20(2): Management body members must follow training so they can identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
Evidence required: Training completion records for all management body members, training content, attendance records, dates, and a training schedule showing regular renewal.
Obligation 4: Personal liability for governance failures
The liability language is in Article 20(1). It says management bodies can be held liable for infringements by the entity of Article 21, in accordance with national law. That means liability will depend on each Member State’s implementation and national liability rules.
For management teams, the practical point is not to speculate about fines against individual directors. The practical point is to remove the governance gaps that make liability easier to argue. A governance failure may look like this:
- the Article 21 programme was never approved by the management body;
- cybersecurity was not on the board agenda;
- the board received no training;
- security incidents never reached management level;
- risks were known, but no decision was recorded;
- the company cannot show who owned cybersecurity oversight.
“We trusted our CISO” is not a strong defence for an Article 20 governance failure. The CISO can run the programme. The management body must approve, oversee, and stay trained enough to assess it.
For board members, this means the audit trail matters. Minutes, training records, risk decisions, incident review notes, and governance frameworks are not admin work. They are the evidence that management took Article 20 seriously.
Personal liability box — Article 20(1): Management bodies can be held liable for infringements by the entity of Article 21, in accordance with national law. Do not treat liability as an EU-wide one-size-fits-all rule. Check the national implementation that applies to your entity.
Evidence required: Governance framework documenting board-level cybersecurity responsibility, risk acceptance records, D&O insurance review where relevant, and board minutes showing Article 21 oversight decisions.
Article 20 explains who must approve and oversee security measures. The enforcement layer sits separately, so management teams should also understand how NIS2 fines and personal liability may apply under national law.
Obligation 5: Establish and maintain ongoing security governance
A management body can approve the Article 21 programme once and still fail to govern it properly if the programme is never reviewed again. Cybersecurity risk changes when the company launches new digital services, changes suppliers, enters a new market, acquires another business, or suffers a material incident.
Ongoing governance means the board has a recurring rhythm for cybersecurity oversight. At minimum, this should include an annual review of the cybersecurity risk-management programme. For higher-risk entities, quarterly review may be more appropriate.
The governance rhythm should also include triggered reviews. These happen when something changes enough to affect the risk profile. Examples include a major cloud migration, a new critical supplier, a security incident, a change in regulated services, or a new board member joining.
The goal is to keep management oversight current. Article 20 evidence should show that cybersecurity governance moved with the business, not that the board approved a policy once and left it untouched.
Obligation box — Article 20 ongoing application: Management bodies should keep cybersecurity governance active over time through recurring review, incident review, and risk-based updates to the approved programme.
Evidence required: programme review minutes, post-incident board review records, governance framework updates, board agenda records, and induction evidence for new management body members.
Article 20 turns NIS2 from a technical checklist into a management responsibility. Sunbytes Compliance Readiness helps organisations assess where governance, security measures, and evidence gaps may exist before implementation work becomes urgent.
What Article 20 evidence looks like: the management audit trail
Article 20 evidence should show that management did three things: made informed decisions, monitored implementation, and kept the governance cycle active.
For most organisations, the evidence trail starts with board minutes. Without minutes showing approval and oversight, the company may have technical security measures in place but weak management accountability evidence. Evidence expectations can vary by Member State, sector, authority, and final national implementation.
| Article 20 management action | Document or evidence | What reviewers may look for | Practical frequency |
|---|---|---|---|
| Approve cybersecurity risk-management measures | Board minutes approving the Article 21 programme | Minutes reference specific measures, decision date, attendees, and formal approval | Annual review minimum |
| Oversee implementation | Security status reports and board minutes | Security status appears as a recurring agenda item; open risks and incidents reach management level | Quarterly or risk-based |
| Complete cybersecurity training | Training records per management body member | Training covers NIS2, Article 20, Article 21, risk assessment, incident escalation, and service impact | Regular training cycle |
| Understand liability under national law | Governance framework and risk decision records | Cybersecurity ownership is defined; risk acceptance decisions are recorded; insurance assumptions are checked | Annual review and triggered review |
| Maintain ongoing governance | Annual review and post-incident review records | Programme is updated after incidents, material business changes, or new risk information | Annual plus triggered reviews |
Evidence requirements should be confirmed with a NIS2 compliance specialist before being treated as definitive guidance. The Directive sets the governance requirements, while detailed expectations may depend on national law and supervisory practice.
Once leadership understands which records prove approval, oversight, training, and review, the next task is organising that evidence so it can be used during an audit, buyer due diligence request, or supervisory review. A structured management accountability evidence pack helps separate board-level evidence from technical control evidence, so the company can show both governance and implementation.
Dutch board structure and Article 20: the two-tier complication
For Dutch companies, the Article 20 conversation needs one extra layer: board structure.
Many Dutch companies use a two-tier model. The management board — bestuur or Raad van Bestuur — handles day-to-day management and strategic direction. The supervisory board — Raad van Commissarissen — supervises the management board.
Article 20 refers to the “management body.” In a Dutch context, the management board will usually be the primary body for approval and implementation oversight. But supervisory boards should not ignore NIS2. If cybersecurity oversight sits in the supervisory board’s remit, or if the RvC supervises risk governance more broadly, it should be briefed on Article 20 and receive the right oversight information.
For a Dutch BV with a DGA structure, the issue becomes more direct. If the director-major shareholder is the management body, Article 20 responsibility does not get spread across a broad board structure. The DGA needs to understand what has been approved, what is being implemented, and what evidence exists.

What Dutch companies should know before the Cyberbeveiligingswet enters into force
The obligations in the NIS2 Directive will take effect in the Netherlands once the Dutch Cybersecurity Act (Cyberbeveiligingswet, Cbw) enters into force, while the current Wet beveiliging netwerk- en informatiesystemen (Wbni) continues to apply until then for organisations already covered by it.
As of May 2026, the House of Representatives has approved the Cyberbeveiligingswet and the Wet weerbaarheid kritieke entiteiten. The Cbw is expected to enter into force around 1 July 2026, subject to the remaining parliamentary process. Once it enters into force, it will replace the current Wbni for organisations covered by the new Dutch NIS2 framework.
For Dutch organisations, the safest position is therefore:
- use NIS2 Article 20 as the EU governance standard to prepare against now;
- treat Cbw as the expected Dutch implementation route;
- keep Wbni in mind if the organisation is already covered by the existing Dutch framework;
- verify final Dutch requirements once the Cbw and related secondary legislation are in force.
For Dutch companies, Article 20 preparation should include both the management board and, where relevant, the supervisory board. The management board is usually the primary body for approval and oversight. The supervisory board should be briefed where cybersecurity risk falls within its oversight mandate. For a DGA-led BV, the director should treat Article 20 as a direct governance responsibility.
How Sunbytes supports NIS2 Article 20 compliance for Dutch organisations
Article 20 compliance starts with governance clarity. Leadership needs to know which NIS2 measures have been approved, which gaps remain, and what evidence exists to support the decisions made.
Sunbytes supports NIS2 readiness by helping organisations assess their current security posture, identify gaps against NIS2 requirements, and prioritise remediation work. For leadership teams, this creates a clearer view of where technical controls, governance ownership, and evidence preparation need attention before an audit, buyer due diligence review, or supervisory request.
This is not only a documentation exercise. Article 20 depends on whether the Article 21 security programme is real enough to approve and track. Sunbytes’ cybersecurity work helps map controls to NIS2 expectations and produce evidence that can be reviewed by management.
The broader delivery model also matters:
- Sunbytes’ Business Transformation Solutions support the technical implementation side: secure-by-design architecture, delivery processes, and development work needed to close control gaps.
- Sunbytes’ Accelerate Workforce Solutions support the people-risk layer: vetted teams, access control discipline, onboarding, and offboarding processes that reduce avoidable exposure.
- For Secure engagements, Sunbytes anchors the work in evidence: ISO 27001 certification, DPA discipline, audit trails, and control mapping where relevant. The goal is not a generic statement that the company is “working on NIS2.” The goal is a readiness view that management can use to make decisions.
If your leadership team needs to understand where Article 20 governance gaps may exist, start with the NIS2 compliance readiness service and build a clearer path from security measures to management evidence.
FAQs
What does NIS2 Article 20 require from management?
NIS2 Article 20 requires management bodies of essential and important entities to approve cybersecurity risk-management measures, oversee implementation, and follow training. Article 20(1) also connects liability to infringements of Article 21, subject to national law. The practical result is that cybersecurity needs board-level approval, oversight, and evidence.
Does NIS2 Article 20 overlap with the GDPR accountability principle?
Yes. GDPR Article 5(2) sets the accountability principle for controllers, meaning they must be able to demonstrate compliance. NIS2 Article 20 is more specific about management bodies: it requires approval and oversight of cybersecurity risk-management measures, training for management body members, and liability treatment under national law.
What should a board minute approving the Article 21 programme record?
A useful board minute should record five items: the Article 21 cybersecurity risk-management programme was presented, the board reviewed and approved it, the board members present, the date of approval, and any conditions or follow-up actions. The minute should refer to the specific programme or measures reviewed, not just “cybersecurity discussed.”
Can the management body delegate Article 20 responsibility to the CISO?
No. The CISO can design, operate, and report on the security programme, but Article 20 oversight sits with the management body. For Article 20 purposes, the CISO reports to management. The board cannot delegate the entire obligation to the CISO and step back.
How often should the board review cybersecurity under Article 20?
NIS2 does not set a single board-review cadence in Article 20. A practical baseline is annual review at minimum, with more frequent review for higher-risk sectors or material changes. Incidents, major supplier changes, M&A activity, and new digital services should trigger additional review.
How does Article 20 liability apply to a Dutch BV?
Article 20(1) says management bodies can be held liable for infringements by the entity of Article 21, in accordance with national law. For a Dutch BV, the exact liability route depends on Dutch implementation and general Dutch liability rules. A DGA or director should not assume that a small board structure reduces the need for documented approval, oversight, and training.
Which Article 20 evidence should an organisation collect first?
Start with board minutes approving the Article 21 programme, management training records, and a recurring security status report. These three records show approval, training, and oversight. More detailed evidence can then be organised through a management accountability evidence pack.