Article 20 Governance

EU NIS2 Directive (EU) 2022/2555 Management Body Accountability

Make NIS2 governance real: approval, oversight, training, and evidence.

Output: a management operating model that survives audits, incidents, and authority questions.

Author
Sorena AI
Published
Feb 23, 2026
Updated
Feb 23, 2026

Overview

NIS2 makes the management body directly accountable for cybersecurity. Article 20 requires management bodies of essential and important entities to approve the cybersecurity risk-management measures taken to comply with Article 21, to oversee their implementation, and to follow training so that they can identify risks and assess cybersecurity risk-management practices and their impact on the services the entity provides.

Section 1

What Article 20 requires

This is not a policy-signoff exercise. The management body has to show active direction and oversight of the NIS2 control baseline.

  • Approve the cybersecurity risk-management measures taken to comply with Article 21 (Article 20(1)).
  • Oversee implementation and review whether the measures remain appropriate and proportionate to the risks the entity faces.
  • Understand that members of the management body can be held liable, under national law, for the entity's infringements of Article 21 (Article 20(1)).
  • Follow training that gives them sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the entity's services (Article 20(2)).
  • Offer similar training to employees on a regular basis. For employees this is something Member States must encourage rather than a direct obligation on the entity, but supervisory authorities will expect to see it where staff roles are security-relevant.
Section 2

A management operating model that works

The governance model should make decisions visible. Minutes should show what was reviewed, what risk was accepted, what remediation was ordered, and who owns follow-up.

  • Define decision rights for risk acceptance, funding, exceptions, and remediation priorities.
  • Review a cyber dashboard covering top risks, patching, MFA coverage, restore testing, supplier risk, and incident metrics.
  • Set cadence: monthly metrics review, quarterly risk review, and annual crisis simulation.
  • Align escalation thresholds with the Article 23 reporting workflow so that the decision to notify the CSIRT or competent authority is pre-authorised and does not wait for a management meeting. The Article 23 clock (early warning within 24 hours of becoming aware of a significant incident, incident notification within 72 hours, final report within one month) leaves no room for governance confusion.
Section 3

Training requirement and evidence

Training is mandatory for management body members under Article 20(2). Treat it as a recurring control whose content reflects the entity's actual exposure, not a generic awareness course.

  • Curriculum: NIS2 scope, Article 21 measures, Article 23 reporting, supplier risk, crisis decision-making, and national supervisory context.
  • Cadence: onboarding, annual refresh, and targeted updates after major incidents or structural change.
  • Evidence: attendance logs, materials, assessments, and action items tracked in governance minutes.
Section 4

Evidence pack you should be able to produce quickly

Governance evidence is often requested early because it shows whether cybersecurity is truly being steered at management level.

  • Minutes approving the Article 21 baseline and major changes to it.
  • RACI and delegated authority model for risk, exceptions, supplier approvals, and incident escalation.
  • Management review minutes with KPI trends, exceptions, and remediation decisions.
  • Training records, curriculum, and refresh schedule.
  • Post-incident reviews showing management decisions and follow-through.
Recommended next step

Use this guide as a cited research workflow

Research Copilot can turn this guide on EU NIS2 Directive (EU) 2022/2555 Management Body Accountability into a reusable workflow inside Sorena, with cited answers and faster research on the topic. Teams working on NIS2 can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
