nexalign
Regulatory · 10 min read

NIS2 management body liability 2026: what boards must personally do

The hardest lever in NIS2 is not in the technical measures, but in Art. 20: the management body must approve cyber risk-management measures, oversee their implementation, and can be held personally liable for breaches. That is new, and it covers boards, managing directors and supervisory bodies alike.

What Art. 20 actually requires

Paragraph 1: management bodies of essential and important entities must approve the cyber risk-management measures under Art. 21, oversee their implementation, and can be held liable for breaches.

Paragraph 2: members of the management body must regularly attend specific training to acquire sufficient knowledge and skills to identify cyber risks and assess cyber risk-management practices. A corresponding training duty extends to staff (Art. 20(2) sentence 2).

Who counts as 'management body'

In Germany: the management board of an AG, the managing directors of a GmbH, the board of a cooperative. Where co-determination applies, the supervisory board is also in scope in its oversight role.

De-facto managing directors (persons who take material leadership decisions without formal appointment, e.g. a group CIO over a subsidiary) can fall within scope.

A C-level executive without a board mandate (the typical CISO) is usually not a management body, but the board remains liable for faulty delegation and faulty selection of that person.

What 'approve' and 'oversee' actually mean

Approve: a documented board resolution on the cyber risk strategy and the Art. 21 measure catalogue. Not an item merely taken note of, but an active approval that records date, attendees and votes.

Oversee: regular reporting to the leadership (quarterly or half-yearly) on maturity, KPIs (incident counts, backup tests, training rate), open risks and escalations.

Oversight is not a one-off sign-off. Whoever passes a NIS2 resolution and then forgets it for three years risks precisely that personal liability.

Training duty: what really counts

Not a 30-minute online awareness course. What is expected is a C-level curriculum: regulatory context (NIS2, DORA, ISO 27001, industry-specific rules), risk assessment, oversight duty, incident management, resilience strategy, third-party risk.

Training must be documented (attendees, content, trainer, confirmation of attendance). It is refreshed annually and, at a minimum, whenever there is a material change.

External trainers (BSI-listed, ISACA, ISC2, university programmes) are common because internal training does not pass external scrutiny.

Liability and D&O implications

Personal liability is triggered by a breach of the Art. 20 duties in connection with Art. 21 and the national transpositions. In Germany this will likely run through the NIS2UmsuCG, complementing sec. 93 AktG and sec. 43 GmbHG.

D&O insurers will probe the NIS2 maturity of insured companies in 2026. Without resolution, training and oversight documentation, premium increases, coverage exclusions or cancellations are realistic.

Supervisory boards are covered to the extent they fail to exercise oversight. Cyber risk must be on the supervisory board agenda.

Practical 6-step roadmap for the management body

1. Run and document the applicability check (see NIS2 thresholds insight).

2. Initial training for the whole management body and the supervisory body (or equivalent).

3. Approve the cyber risk strategy and Art. 21 roadmap via formal resolution.

4. Establish a quarterly reporting format (KPIs, open risks, escalation).

5. Document top-3 investment decisions as auditable decision memos (EDR/XDR, IAM, backup, SIEM/SOC).

6. Annual refresher of training and strategy review.

What DecisionOS does

The resolutions and investment decisions Art. 20 demands are at their core structured decisions with stakeholder alignment, evidence and documented accountability. DecisionOS produces these memos audit-ready. For the management body that means: every material cyber investment is on file as a defensible trail that evidences the Art. 20 duties.