Glossary term
NIS2 Art. 20
Also: NIS2 Article 20, Management body responsibility under NIS2
The NIS2 article that makes the management body of an essential or important entity directly accountable for approving and overseeing cybersecurity risk-management measures. Management bodies that fail this duty can be held personally liable.
NIS2 Art. 20 raises cybersecurity from an IT responsibility to a management-body responsibility. Boards must approve the risk-management measures listed in Art. 21, oversee their implementation and undergo regular training.
In practice, this means that every material cybersecurity decision (EDR selection, IAM stack choice, sovereign cloud migration, incident-reporting process) must be documented to a standard that lets the board genuinely oversee it. Policy documents alone are not sufficient.
Organisations that treat Art. 20 as a signature requirement underestimate the liability. Organisations that treat it as an ongoing oversight function build decision-memo infrastructure as the natural response.
Related terms
Decision memo
A short structured document that captures why a decision was made, the options considered, the crite…
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
DORA ICT risk management
The EU Digital Operational Resilience Act regulates the operational resilience of financial entities…
