Article 20 of NIS2 makes the management body personally accountable for cybersecurity risk management. This guide walks through the three duties — approve, oversee, train — and shows exactly what evidence national authorities expect to see during an inspection.
Article 20 of Directive (EU) 2022/2555 (NIS2) is short — two paragraphs — but it is the single most consequential governance clause in EU cybersecurity law. The first paragraph requires Member States to ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by their entity, and supervise their implementation. The second paragraph requires those same management body members to follow training, and to encourage their entity to offer similar training to all employees on a regular basis, so that they gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
"Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities … and supervise its implementation. … Members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis."
Article 20 imposes three distinct obligations on every board member of an essential or important entity. Failing any one of them exposes the organization — and the individual director — to enforcement.
The board must formally approve the cybersecurity measures the organization implements under Article 21. This is not a rubber-stamp exercise. Approval requires a documented decision — minutes of a board meeting, a signed resolution, or an equivalent record — that lists the specific measures (incident handling policy, supply-chain risk plan, business continuity plan, etc.) and confirms that the board has reviewed them. Auditors will ask to see these minutes.
Approval is point-in-time; supervision is continuous. The board must receive periodic reports on how the approved measures are performing, and must evidence that it has reviewed those reports and acted on issues raised. A typical setup is quarterly cybersecurity dashboards presented to the board (or to a designated committee) covering open incidents, gap-assessment progress, supplier risk, and training coverage.
Each board member must follow training adequate to their role. Sufficient knowledge means being able to read a gap-assessment report, challenge investment proposals on technical merit, and recognize when an incident requires escalation. The board must also encourage staff training across the organization. Both obligations require evidence: dated attestations per board member, plus a credible plan for staff awareness across all employees.
National competent authorities — ANSSI in France, BSI in Germany, ACN in Italy, APDC in Portugal — have begun publishing inspection criteria. Across all of them, the Article 20 evidence checklist converges on the following items.
Dated minutes that list the Article 21(2) measures explicitly. Generic boilerplate ("the board approved the cybersecurity strategy") will not pass. Auditors look for specificity: which incident response plan, which supplier risk methodology, which business continuity playbook.
An attestation per board member showing course title, completion date, score (if any), and validity period. ANSSI guidance suggests attestations should be no older than 24 months. The training itself does not need to be certified — but it must be documented.
Dashboards or written reports that the board has demonstrably consumed. "Demonstrably consumed" means board minutes referencing the report, or written board responses to issues flagged. Auditors will pull a sample quarter and trace the report through to a board reaction.
A live risk register that the board signs off at least annually. It must cover NIS2-specific risks: incident response capacity, supply-chain dependencies, critical asset availability, regulatory reporting timing.
Either a dedicated board committee or a named non-executive director with cybersecurity oversight in their charter. For smaller organizations a CISO reporting line directly to a named board member is acceptable, provided it is documented.
Article 20 also requires the board to encourage staff training. Auditors look at training register coverage — what percentage of employees has completed awareness training in the last 12 months — and ask the board to explain gaps.
Article 32(6) of NIS2 allows Member States to temporarily prohibit individuals from exercising managerial functions in essential entities where infringements continue. Article 20(2) makes this enforceable by requiring management body members to undergo training. If a director cannot demonstrate that they followed training appropriate to the entity's risk profile, regulators can escalate from corporate fines to personal sanctions. National transpositions in Germany (NIS2UmsuCG draft), France (loi n° 2024-1039 du 21 mai 2024), Italy (D.lgs. 138/2024), and Portugal echo this language.
What changed in 2026: regulators are no longer waiting for a major incident before checking governance evidence. ANSSI launched routine documentation inspections in Q1 2026 specifically targeting Article 20 evidence at essential entities. Boards that cannot produce training attestations within 48 hours of a request risk being flagged for follow-up enforcement.
BSI issued a formal warning to a mid-sized energy supplier after an inspection found that none of the seven board members could produce a training attestation. The board had completed an internal cybersecurity briefing in 2024 but had no per-director records. BSI gave the entity 90 days to remediate or face a formal sanction.
ANSSI opened a documentation review of fifteen essential entities in the energy and digital infrastructure sectors. Initial findings flagged Article 20 evidence as the single most common gap: nine of fifteen entities had board minutes referencing cybersecurity measures only at the strategic level, with no link to specific Article 21(2) controls.
ACN's first round of inspections under D.lgs. 138/2024 highlighted a recurring weakness: management bodies that had outsourced cybersecurity entirely to MSPs without retaining documented oversight responsibility. ACN's guidance note clarified that Article 20 cannot be delegated, even when day-to-day implementation is.
Building defensible Article 20 evidence is fast if you start with the right artifacts. The minimum viable set — what a Reglyze customer typically prepares in their first month — looks like this.
A dated board resolution approving the cybersecurity risk-management measures (one page, signed by the chair).
Per-director training attestations from a recognized provider, dated within the last 12 months, listing course title and pass score.
A board cybersecurity dashboard template — to be presented quarterly — covering open incidents, gap score, supplier risk top-5, training coverage, and overdue tasks.
A written charter for the board cybersecurity oversight role (committee or named director), signed and added to the corporate governance manual.
An annual risk register sign-off, with the board chair's signature on the cover page and a date.
A training plan for staff that the board has formally encouraged, with a coverage target and a review date.
There is no fixed cadence in the directive text, but emerging supervisory practice converges on the following rhythm. Reglyze's training register defaults to these intervals; you can override per organization.
Every new board member completes a foundational NIS2 module covering Article 20 duties, Article 21(2) hygiene measures, incident reporting timelines, and the entity's own risk profile. A 60-minute self-paced course is typical.
Each director completes a refresher covering regulatory developments (national transpositions, ENISA guidance, sector-specific rules) and updates to the entity's risk register. This is the cadence ANSSI and BSI inspectors expect to see in attestation dates.
Mergers, acquisitions, significant supply-chain restructuring, major incident, or change in scope trigger an additional briefing. Document the trigger event in the training register so the auditor can trace cause and effect.
Audience matters. Board training must be pitched at decision-makers, not at engineers. The content should enable a director to read a gap-assessment report, ask the right questions, and approve or refuse investment proposals on the merits.
Reglyze's training module ships with a board-ready Article 20 course, per-director PDF attestations, an organization-wide register, and quarterly board reports auto-generated from your live data. Free 10-minute intro available now; full bundle from EUR 149/year.