Glossary term
NIS2 Art. 20
Also: NIS2 Article 20, Management body responsibility under NIS2
The NIS2 article that makes the management body of an essential or important entity directly accountable for approving and overseeing the entity's cybersecurity risk-management measures. Management bodies can be held liable for the entity's infringements of Art. 21; the concrete form of that liability is set by each Member State's transposing law.
NIS2 Art. 20 moves cybersecurity from an IT responsibility to a management-body responsibility. The board (the management body) must approve the risk-management measures the entity takes to comply with Art. 21, oversee their implementation and itself follow cybersecurity training; Member States are also to encourage the entity to offer similar training to employees on a regular basis.
In practice this means that every material cybersecurity decision (EDR selection, IAM stack choice, sovereign cloud migration, the incident-reporting process) must be documented well enough for the board to genuinely oversee it: what was decided, which options were considered and why the chosen one was accepted. A policy document on its own does not show that oversight took place.
Organisations that treat Art. 20 as a signature requirement underestimate the liability. Organisations that treat it as an ongoing oversight function build decision-memo infrastructure as the natural response.
Related terms
Decision memo
A short structured document that captures why a decision was made, the options considered, the crite…
Audit-ready decision
A decision whose record is structured, evidence-backed and stakeholder-signed to a level that a thir…
DORA ICT risk management
The EU Digital Operational Resilience Act regulates the operational resilience of financial entities…
NIS2
EU directive on network and information security. Replaces NIS1, widens scope to around 30,000 Germa…
AI Act Conformity Assessment
Procedure to demonstrate that a high-risk AI system complies with the EU AI Act before being placed …
AI Act Risk Categories
Four-tier classification under the EU AI Act: prohibited (Art. 5), high-risk (Annex I/III), limited …
BAIT
BaFin circular that concretises IT requirements for credit institutions. Specifies MaRisk AT 7.2 for…
BCM
Discipline for maintaining critical business processes during disruptions. Standards: ISO 22301, BSI…
