Article 20 Can Get a Director Suspended: The 3 Legal Obligations NIS2 Governing Bodies Must Meet

Most NIS2 compliance programs treat board involvement as a formality — a cybersecurity briefing circulated before an annual sign-off. The NIS2 Directive takes a different view. Article 20 places three legally binding obligations directly on governing bodies, each with an independent evidence requirement, and Article 32(5) gives competent authorities the power to temporarily prohibit a director from exercising managerial functions when those obligations go unmet.

This article examines the statutory text of Article 20 precisely — what it actually says, what each obligation legally requires as documented evidence, and how the enforcement mechanism works in practice.

What Is a “Management Body” Under Article 20?

Article 20 applies to the management bodies of essential and important entities. The directive does not define “management body” — a deliberate omission that DLA Piper’s analysis describes as making NIS2 “notably vague” on composition, seniority, remit, and organisational position.

In practice, this maps to the board of directors or equivalent governance structure in each member state. Ireland’s implementing legislation offers the most detailed definition available from any transposed national law: “a body or group of individuals vested with the authority and responsibility for the oversight, direction and control of an entity.” That encompasses the full board — not only executive directors or the CEO.

For multinational groups, the ambiguity creates real compliance risk. Each subsidiary may constitute a separate essential or important entity with its own management body and its own Article 20 obligations. A group-level cybersecurity approval does not automatically discharge the governance duties of subsidiary boards operating under different national transpositions.

The Three Obligations — Verbatim from the Directive

Article 20 contains two paragraphs. The legal obligations are precise and cumulative.

Article 20(1) states:

“Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.”

Three things are required in a single sentence: approval of the risk management measures adopted under Article 21, ongoing oversight of their implementation, and exposure to personal liability for infringements of those measures. The liability clause is not a standalone provision — it attaches directly to the governance obligation. A management body that approves but does not oversee is not fully compliant.

Article 20(2) adds the training obligation:

“Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”

Training is mandatory for management body members. Providing equivalent training to employees is encouraged at directive level — though member states may strengthen this requirement during national transposition. The guide to NIS2 cybersecurity training requirements covers the organisation-wide obligations.

What “Approve” Legally Requires — and Why Rubber-Stamping Fails

The word “approve” in Article 20(1) is not equivalent to passive ratification. A sign-off on a cybersecurity policy drafted and presented by the CISO, without substantive documented discussion, is unlikely to satisfy a competent authority during supervisory review.

Three elements distinguish genuine approval from a rubber stamp:

  1. Agenda specificity. Cybersecurity risk management must appear as a substantive item on the board agenda — not folded into “governance updates” or covered in a written report without oral presentation or discussion. A standing quarterly cybersecurity item is the baseline most regulators will look for.
  2. Documented deliberation. Board minutes must record that specific measures were reviewed and approved, with questions raised and decisions made. “Cybersecurity framework noted” does not constitute approval. Minutes should be specific enough to identify which Article 21 measures were under discussion at that meeting.
  3. Resolution linkage. A formal board resolution — naming the specific measures approved, the date, and the board members present — provides the strongest evidence. Generic resolutions approving “the cybersecurity framework” in one line are weaker than resolutions that reference the specific Article 21 measures being ratified.

Delegation to a cybersecurity subcommittee or audit committee does not discharge the Article 20(1) obligation. A subcommittee can prepare, review, and recommend; the management body itself must approve. A minute showing subcommittee sign-off without a subsequent full board resolution leaves an evidentiary gap that a supervisory review will expose.

The Training Obligation: What “Sufficient Knowledge and Skills” Means

The training requirement in Article 20(2) carries a functional benchmark: management body members must gain knowledge and skills sufficient “to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” The directive does not mandate any specific qualification, certification, or training provider.

For a board member without a technical background, this means understanding the entity’s principal threat categories, why the Article 21 measures were selected for the entity’s risk profile, and what a significant cybersecurity incident would mean for operational continuity and regulatory exposure. It does not require technical expertise — it requires informed decision-making capability.

Several national implementations describe the training obligation as ongoing. A board that completed a cybersecurity briefing in 2023 with no documented training since faces an evidentiary gap. The expectation under active enforcement regimes is annual refresher training, attributed to named individuals, with attendance records available for audit.

The subject matter for training should map to the 10 risk management measures under Article 21. Board members who can articulate why specific measures were selected for the entity’s risk environment — not just that they were approved — provide the strongest evidence of “sufficient knowledge.”

Personal Liability: Who Article 20 Holds Accountable

Article 20(1) states that management body members “can be held liable for infringements” of Article 21. This is an enabling clause: the directive requires member states to create personal liability mechanisms, but the specific legal standard varies by jurisdiction.

Matheson’s analysis of Ireland’s General Scheme ties personal liability to breaches occurring “with the consent or connivance of, or attributable to any wilful neglect” of a director. This is a high threshold — it requires knowing or reckless failure. However, a director who approved cybersecurity measures without any documented evidence of genuine board-level engagement would find it difficult to rebut a wilful neglect finding if a material breach followed.

Italy’s implementation takes a more direct approach, providing for “incapacity to perform managerial functions” as an accessory administrative sanction applicable to individual management body members. Crucially, the mechanism is warnings-based: personal sanctions apply when a director fails to adopt necessary measures after a formal warning from the competent authority. Immediate individual penalties on first supervisory contact are not contemplated by the directive.

For boards governing pan-European entities, the personal liability standard is not uniform. The directive enables liability; each jurisdiction determines the threshold, enforcement body, and procedural safeguards. The full overview of NIS2 personal liability for board directors covers the member-state enforcement landscape in more detail.

The Article 32(5) Suspension Mechanism Explained

Article 32(5) gives competent authorities the power to “prohibit temporarily any natural person who is responsible for discharging managerial responsibilities at chief executive officer or legal representative level…from exercising managerial functions.” Three points are essential for understanding how this provision operates.

It is not an immediate sanction. The suspension power arises only after an entity has failed to comply with enforcement measures already issued. The sequence is: competent authority identifies non-compliance → issues binding instructions or formal warnings → entity fails to remedy → suspension considered. A first-contact supervisory finding does not result in director suspension without prior notice and a documented opportunity to remediate.

It targets CEO and legal representative level specifically. Article 32(5) does not apply universally to every board member. It targets natural persons “responsible for discharging managerial responsibilities at chief executive officer or legal representative level” — those with operational authority to implement compliance measures. Individual non-executive directors face personal liability under Article 20(1) through national law, but the Article 32(5) suspension tool is directed at the executive function.

It is temporary by design. The prohibition applies “only until the entity concerned takes the necessary action to remedy the deficiencies or comply with the requirements of the competent authority.” It is a compliance pressure mechanism, not a disqualification. Remediation ends the suspension.

What a Compliant Board Cybersecurity Agenda Item Requires

Article 20 specifies no documentation format, but the obligations to “approve” and “oversee implementation” imply an evidentiary standard. Competent authorities conducting supervisory reviews request board minutes as their first line of governance evidence. The following elements, documented at each substantive board meeting, constitute the minimum record:

  • Agenda item: cybersecurity listed as a substantive item with reference to the Article 21 measures under review.
  • Measures reviewed: the specific Article 21 measures presented — risk assessment, access control, supply chain policy, incident response.
  • Implementation update: progress against the prior approval cycle — measures implemented, measures outstanding.
  • Board deliberation: questions raised, decisions made, concerns noted — enough detail to show active engagement.
  • Formal resolution: named motion, vote record, and approval date attributable to individual board members.
  • Training status: confirmation that management body members’ cybersecurity training is current and dated.

This record does not need to be lengthy. A structured single page per meeting satisfies the requirement. What it must not be is absent or generic — a supervisory review that finds no dated cybersecurity board resolutions, no training records, and no implementation progress notes will not treat retroactively compiled documentation as contemporaneous evidence.

Key Takeaways

  • Article 20 places three non-delegable obligations on management bodies: approve risk management measures taken under Article 21, oversee their implementation, and follow cybersecurity training.
  • “Approval” requires documented deliberation — agenda specificity, minutes recording substantive discussion, and a formal resolution linked to specific measures. Passive ratification does not meet the standard.
  • Training is a mandatory, ongoing obligation with a functional benchmark: board members must be capable of identifying risks and assessing the adequacy of the entity’s cybersecurity practices.
  • Personal liability under Article 20(1) is an enabling clause — standards vary by jurisdiction, but the evidentiary burden rests on directors to demonstrate genuine engagement.
  • Article 32(5) suspension targets CEO and legal representative level for essential entities, follows prior warnings and non-compliance, and is temporary pending remediation.
  • Board governance records must be built contemporaneously. A compliance programme without dated board approval records has no evidence base to present to a competent authority.

Frequently Asked Questions

Can a board delegate Article 20 approval obligations to a cybersecurity subcommittee?

A subcommittee can prepare and recommend, but cannot discharge the obligation. Article 20(1) places approval and oversight duties on the management body itself. A subcommittee minute approving a cybersecurity framework, without a subsequent full board resolution, leaves the entity without the required management body approval. Delegation of preparatory work is standard governance practice; delegation of the approval act is not compliant.

Does Article 20 apply to important entities as well as essential entities?

Yes. Article 20(1) applies to “essential and important entities” without distinction. Personal liability applies to both categories. The difference lies in the supervisory regime: Article 32, which includes the suspension power, governs essential entities. Article 33, which applies to important entities, provides for reactive rather than proactive supervision, with a narrower range of enforcement tools available to competent authorities.

What triggers personal liability — a cyber incident or governance failure?

Governance failure is the trigger. Article 20(1) enables liability for “infringements of Article 21” — meaning failure to have adequate risk management measures in place or failure to oversee their implementation. An incident that occurs despite a well-documented governance record does not automatically create personal director liability. A governance failure — no board approvals, no training records, no implementation oversight — creates liability exposure even if no incident has occurred.

Sources

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

  1. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 — EUR-Lex
  2. Article 20: Governance — NIS-2-Directive.com
  3. Article 32: Supervisory and Enforcement Measures in Relation to Essential Entities — NIS-2-Directive.com
  4. NIS2 Directive Explained Part 2: Management Bodies Rules — DLA Piper (November 2025)
  5. NIS2 Directors’ Personal Liability for Lack of Compliance — DLA Piper (2024)
  6. NIS 2 — A New Era for Management Bodies — Matheson
