NIS2 Article 20 Management body accountability

Turn NIS2 governance duties into a board-ready evidence record for approval, oversight, training, and accountability.

Use this guide to connect Article 20 duties to Article 21 cybersecurity risk-management measures, ENISA evidence examples, and practical reporting lines for essential and important entities.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026

Overview

NIS2 Article 20 makes cybersecurity governance a management-body duty, not only a security-team task. Essential and important entities need a record showing that the management body approved the Article 21 cybersecurity risk-management measures, oversaw implementation, followed required training, and received enough information to understand risk and service impact.

Section 1

What does NIS2 Article 20 require from management bodies?

Article 20 requires Member States to ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures those entities take to comply with Article 21 and oversee their implementation. It also requires that management bodies can be held liable for the entity's infringements of Article 21, without prejudice to national rules on the liability of public institutions, public servants, and elected or appointed officials.

The practical decision is whether the board, executive committee, public-sector management body, or equivalent governing body has a documented approval and oversight path for the measures that protect the entity's network and information systems.

  • Identify the exact management body that approves the Article 21 measures.
  • Record the Article 21 measure set being approved, including technical, operational, and organisational measures.
  • Document how implementation is overseen after approval, not just the approval date.
  • Escalate national-law questions about individual liability to legal counsel instead of treating Article 20 as a standalone penalty rule.

Section 2

How should teams scope the accountability record?

Start with entity classification. Article 20 applies to management bodies of essential and important entities, so the accountability record should point to the entity's NIS2 scope analysis, sector mapping, and Member State implementation position.

Then connect the governance record to Article 21. A management-body approval is weak if it only approves a high-level statement; it should identify the policy, risk framework, incident handling, supply-chain, business continuity, access control, asset, training, and effectiveness-assessment measures that the entity relies on for compliance.

  • Link the record to the entity classification decision and the applicable Member State transposition analysis.
  • List the Article 21 measures or policy pack that the management body approved.
  • Separate EU-level NIS2 obligations from country-specific procedures, authority expectations, and liability rules.
  • Use a change trigger when the entity launches a new covered service, changes its risk profile, changes governance structure, or has a significant incident.

Section 3

What evidence should prove approval, oversight, and training?

The evidence should show that the management body understood what it approved and had a route to monitor implementation. ENISA's technical guidance treats the policy on the security of network and information systems as the highest-level security policy and says it should include the date of formal approval by the management bodies.

For entities covered by the implementing regulation and the accompanying ENISA guidance, useful evidence includes the approved security policy, topic-specific policies, management review records, training records, briefings to management bodies, direct reporting lines, residual-risk approvals, and documented policy updates after significant incidents or major changes.

  • Keep board or management-body minutes, resolutions, approval packs, and policy version history.
  • Store evidence of management-body cybersecurity training, including attendance, materials, and dates.
  • Show that at least one security leader or accountable role can report directly to the management body on network and information system security.
  • Keep residual-risk acceptance and risk-treatment approvals with the risk register, not in a separate slide deck.
  • Document annual reviews and event-driven reviews after significant incidents or significant operational or risk changes.

Section 4

Which edge cases make management-body accountability easy to get wrong?

The most common mistake is treating Article 20 as a one-time board approval. NIS2 links approval to ongoing oversight, training, and the Article 21 risk-management system. A stale approval record will not explain how management was informed when risks, services, suppliers, or incidents changed.

Another risk is assuming the same evidence works in every Member State. NIS2 is an EU directive implemented through national law, and Article 20 expressly leaves certain public-sector and individual-liability questions to national rules.

  • Do not rely on a generic annual cyber update if it does not identify Article 21 measures and implementation status.
  • Do not treat external certifications or supplier attestations as a substitute for management-body approval and oversight.
  • Do not let delegated security ownership hide the direct reporting line or the management body's own training duty.
  • Do not write legal conclusions about personal liability without checking the applicable Member State law.
  • Do not bury significant incident lessons learned outside the management review and policy update process.

Section 5

Implementation checklist for NIS2 management body accountability

Use this checklist before treating Article 20 as implemented. The goal is to make the governance record clear enough for legal review, audit review, security leadership, and a future question from a regulator.

Keep the checklist near the underlying evidence so the next review can reuse the same record instead of rebuilding the management-body narrative from memory.

Does NIS2 require the board or management body to approve cybersecurity risk-management measures?

Yes. Article 20 requires Member States to ensure that management bodies of essential and important entities approve the cybersecurity risk-management measures used to comply with Article 21 and oversee implementation.

What training evidence should be saved for NIS2 Article 20?

Save management-body training records, workshop or seminar attendance, training materials, dates, and evidence that the training helped members identify risks and assess cybersecurity risk-management practices and their service impact.

Can the security team own NIS2 management-body accountability alone?

No. Security can prepare evidence and run controls, but Article 20 accountability needs management-body approval, oversight, training records, and a documented reporting line from security leadership to the management body.

  • Entity classification confirms whether the organisation is an essential or important entity.
  • The accountable management body is named, and its approval authority is documented.
  • The approved Article 21 measure set is identified by policy, register, control baseline, or risk-treatment plan.
  • Management-body oversight cadence, reporting format, and escalation triggers are documented.
  • Cybersecurity training for management-body members is complete or scheduled and tracked.
  • Risk-assessment results, residual-risk acceptances, and major policy exceptions have accountable approval.
  • Review triggers cover annual review, significant incidents, governance changes, service changes, supplier changes, and material risk changes.
  • Source URLs, short quotes, approval dates, reviewer names, and evidence locations are saved with the record.

Primary sources

References and citations

  • eur-lex.europa.eu: Article 20 provides the legal basis for the approval, oversight, liability, and training elements in the checklist. Quoted wording: "oversee its implementation".
  • enisa.europa.eu: ENISA guidance supports the evidence items for policies, review records, direct reporting lines, risk acceptance, and training. Quoted wording: "records of the management review".
  • digital-strategy.ec.europa.eu: the Commission overview gives broader NIS2 context on sectors, risk-management duties, reporting, supervision, and enforcement. Quoted wording: "wider scope, clearer rules".