Can Your CEO Be Personally Fined Under NIS2? Here’s What Article 20 Says
Last verified: April 2026. NIS2 (Directive EU 2022/2555) is enforceable since 18 October 2024. Member State enforcement is now active — Germany issued its first NIS2 fine in February 2026.

Most executives believe cybersecurity belongs to the IT department. Under NIS2, that assumption carries personal legal consequences that go beyond corporate fines.
Article 20 of Directive (EU) 2022/2555 places management bodies at the legal centre of cybersecurity governance. Article 32 then gives competent authorities the power to act against individual executives — not just their organisations. The question is no longer whether enforcement will happen. It is whether your board can demonstrate it met its obligations when a regulator asks.
This article explains exactly what Article 20 requires, how Article 32 turns a governance failure into a personal sanction, and the specific documentation your team needs to be audit-ready.
What Article 20 Actually Requires of Your Management Body
Article 20 creates three distinct obligations for management bodies — and the most common compliance failure is treating the first one as sufficient.
Obligation 1: Approve the cybersecurity risk-management measures. Management bodies must formally approve the measures your entity takes under Article 21. This places legal responsibility for the security programme with the board — not the CISO. Approval must be documented, dated, and specific enough to show what was approved and by whom.
Obligation 2: Oversee implementation — on an ongoing basis. The directive uses the verb “oversee,” not “sign off once.” Oversight means continuous engagement: quarterly risk briefings, review of incident reports, documented responses to identified supply chain risks. A board that approves a security policy in year one and never revisits it has not met this obligation.
Obligation 3: Undergo regular cybersecurity training. Member States must require management body members to follow training “on a regular basis” to gain “sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services provided.” The intent is substantive competence — boards must be able to interrogate what they are approving, not simply rubber-stamp it. In Germany, the minimum training cycle is every three years, with detailed per-director records required.
Training must cover your entity’s regulatory obligations, risk assessment methodology, incident response, supply chain security, and the board’s own governance responsibilities. Failure to fulfil the training obligation is considered a breach of the duty of loyalty and the duty of care — carrying direct personal liability implications.
Article 20 closes with a direct statement: management bodies “can be held liable for infringements” of Article 21. That sentence is the legal bridge to Article 32.
The Article 32 Mechanism: From Governance Failure to Personal Sanction
Most accounts of NIS2 management liability list the provisions without showing how they connect. The enforcement chain has a clear sequence:
- Your entity fails to implement adequate Article 21 risk-management measures — for example, no documented incident response procedures, inadequate supply chain controls, or missing access management policies.
- Your management body, which was required under Article 20 to approve and oversee those measures, either failed to approve them or failed to oversee their implementation.
- That governance failure activates Article 32’s enforcement powers against the individuals at the top.
Article 32(5) — Temporary Management Ban: Competent authorities may request that courts or tribunals “prohibit temporarily any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level” from exercising those functions. The ban remains in effect until the entity remedies its deficiencies. The right to effective remedy and a fair trial is preserved — but the ban itself is a personal sanction, not a corporate one. Your organisation may continue operating. You, personally, may not hold your role.
Article 32(6) — Personal Liability: Natural persons responsible for compliance “can be held personally liable for breach of their duties.” Member States implement this differently, and the directive’s wording creates a documented legal ambiguity: some jurisdictions interpret it as civil liability to third parties (a form of piercing the corporate veil); others treat it as liability of the individual to the entity itself. The practical consequence depends on your country’s national transposition law — which is why checking your specific jurisdiction matters.
Two facts clarify the scope. First, the Article 32(5) management ban applies only to essential entities — not to important entities. If you are a medium-sized company in an Annex II sector, your executives face Article 32(6) liability but not the management ban. Second, essential entities are subject to proactive ex-ante supervision — regulators can audit before an incident, not only after one. You do not need to have suffered a breach to face enforcement action. Check the NIS2 scope guide to confirm whether you are essential or important, as the consequences differ significantly.
Germany’s BSI Act — Personal Liability Made Concrete
Germany’s NIS2 implementation — the NIS2UmsuCG, enacted November 2025 — translates the directive’s management accountability provisions into binding national law through Section 38 of the updated BSI Act. It provides the clearest picture of how personal liability is being operationalised across the EU.
Three features stand out. First, the definition of “management body” is deliberately broad. Personal liability exposure covers not only the CEO and formal officers, but CFOs, general partners, and senior executives who exercise de facto strategic decision-making power. Responsibility cannot be fully delegated to operational staff or the CISO. If you have meaningful authority over how cybersecurity resources are allocated, you are in scope.
Second, the liability triggers are specific. German law identifies three actions that create personal exposure for management members: inadequate risk assessments, deficient supply chain oversight, and delayed incident reporting. Each maps directly to an Article 21 obligation that management bodies must approve and oversee. If your supply chain security programme lacks board sign-off, or if your entity misses the 72-hour incident reporting deadline, these are the triggers that create personal exposure.
Third, training records must be maintained per director with assessed outcomes. Germany specifies a minimum three-year cycle — but attendance certificates are not sufficient. Competence must be demonstrable, and the records must be available for regulatory inspection.
Germany issued its first NIS2 enforcement action in February 2026 — a fine of €850,000 against a mid-sized cloud service provider for failure to implement adequate risk management measures and incident response procedures. France has opened investigations into 14 entities across healthcare and digital infrastructure. The Netherlands has required sector-wide compliance self-assessments by June 2026. The enforcement trajectory is consistent across jurisdictions.
What Regulators Actually Check
Supervisory inspections focus on documented governance — not just technical controls. Based on the Article 20 oversight obligation and enforcement patterns from the first 2026 actions, auditors look for four categories of evidence:
| Evidence Category | What Auditors Look For | Common Failure |
|---|---|---|
| Board minutes | Cybersecurity agenda items in each meeting, documented risk reviews, follow-up actions from prior meetings | Minutes that omit risk discussions, or approve measures without specifying scope or date |
| Training records | Per-director logs: date, topic, provider, assessed outcome — not just attendance | Group training with no individual records; training that predates the entity’s NIS2 designation |
| Risk register change logs | A trail connecting board decisions to risk management updates — evidence oversight drove action | Risk registers maintained by IT with no documented board-level input or approval |
| Supply chain and incident logs | Documented supplier risk reviews with board sign-off; incident reports showing board-level escalation | Supply chain assessments conducted by procurement with no board awareness or sign-off |
The practical standard is direct: in regulatory terms, if the documentation does not exist, the oversight did not happen. “If it isn’t written, linked, and time-stamped, it didn’t happen” is not a metaphor. It is the evidentiary standard supervisors apply.
Board-Level Action Checklist
Seven actions that address each Article 20 obligation and close the most common evidence gaps:
- Classify your entity. Essential or important? The personal management ban under Article 32(5) applies only to essential entities. Your liability exposure and supervisory regime are fundamentally different depending on your classification. Verify this first.
- Schedule and log director training. Agenda topics must include: NIS2 obligations, risk assessment methodology, incident response, supply chain security, and board governance responsibilities. Record dates, topics, provider, and individual outcomes per director. Minimum frequency: every three years, with documented assessment.
- Formally approve your Article 21 security programme in writing. Board minutes must record the approval, the date, and the scope. This is the first document a regulator will request. If it does not currently exist, create it at the next board meeting — then maintain it through structured quarterly reviews.
- Establish quarterly cyber governance reviews. Annual sign-offs do not satisfy the “oversee implementation” obligation under Article 20. Quarterly briefings covering security metrics, open risks, supply chain status, and incident activity — all minuted — represent the minimum defensible standard.
- Assign a named NIS2 compliance officer with documented authority. Document their scope explicitly. This establishes the delegation chain and clarifies accountability at each level — which matters in any enforcement investigation, even though it does not transfer personal liability from board members.
- Review your supply chain security posture at board level. Article 21(d) supply chain security requires documented assessments of your critical suppliers. Board sign-off on the supply chain risk framework and the list of critical third parties must appear in your minutes.
- Test your incident reporting process end-to-end. The 72-hour notification window requires a pre-rehearsed escalation path reaching board level. Confirm that board members know their specific role in a significant incident response — and that this has been exercised in a tabletop simulation.
The Bottom Line for Boards
Article 20 is not a procedural checkbox. It is the legal foundation on which Article 32 builds personal consequences. Across EU member states, the trajectory is consistent: management bodies are personally accountable for cybersecurity governance failures, and national regulators now have the tools — and the political mandate — to act on that accountability.
The boards that face the least exposure are those with documented evidence that they engaged: trained, approved, reviewed, and responded. That documentation is the difference between demonstrating due diligence and facing a personal suspension order.
The NIS2 Board Briefing Pack provides the governance templates, training agenda frameworks, and documented approval structures your management body needs to meet its Article 20 obligations — and to show regulators the evidence chain when they ask.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
- “Article 20: Governance” — NIS 2 Directive, Article 20 text and analysis
- “Article 32: Supervisory and Enforcement Measures for Essential Entities” — NIS 2 Directive, Article 32 text and analysis
- “Boardroom Accountability Under NIS 2: Article 20 Redefines Cybersecurity Leadership” — ISMS.online, Full analysis
- “NIS 2 Directive: Board of Directors Training” — NIS 2 Directive, Training requirements
- “NIS2 in Germany: The New BSI Act Makes Cybersecurity a Board-Level Issue” — Greenberg Traurig LLP, Full analysis
- “NIS2 Directive FAQs: Enforcement and Penalties” — European Commission, Official FAQ
- “March 2026 Security Regulations: NIS2 Enforcement, DORA Deadlines, GDPR Fines” — Kensai, Enforcement update
