NIS 2 for the management body in five minutes
NIS 2 is not an IT topic. Article 20 of Directive (EU) 2022/2555 puts the cybersecurity duty on the management body of every essential and important entity, by name. This page is the short version a managing director or board member needs before Monday morning.
Why this is on your desk
If you sit on the management body of a company that NIS 2 covers, Article 20 names you. Not the head of IT, not the CISO, not the external service provider. The directive draws a line from the cybersecurity duties in Article 21 straight to the people who sign for the company.
Three things follow from that. The management body has to approve the risk management measures the company puts in place. It has to oversee that those measures are actually implemented. And its members themselves have to undergo training so they can read what they are approving. The directive says all three.
Germany puts the same rule into national law through §38 BSIG, which calls the same three duties out one by one and adds a personal-liability clause. The clock for all of this has been running since the directive's transposition date of 17 October 2024.
Article 20(1) NIS 2 Directive (2022/2555)
Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.
Article 20 is the governance article of the directive. Paragraph 1 sets the three duties on the management body: approve, oversee, can be held liable. Paragraph 2 adds the training duty for the management body itself and asks the entity to offer regular training to all staff.
CIR (EU) 2024/2690, Annex §1.1
The policy on the security of network and information systems shall lay down the approach of the relevant entities to managing the security of their network and information systems. The risk management framework referred to in point 2.1 shall identify, and provide for the management of, the risks to the security of network and information systems.
The Commission Implementing Regulation does not operationalise Article 20 itself. It operationalises the measures in Article 21 that the management body has to approve under Article 20(1). §1 is the policy umbrella, §2 the risk management framework. For DNS providers, cloud and data centre operators, MSPs and the other sectors named in the CIR Annex, this is what the management body is approving.
§38 BSIG (Germany)
The managing directors (Geschäftsleiter) of particularly important entities and important entities must approve the cybersecurity risk management measures that those entities are required to take under § 30 and oversee their implementation.
Germany puts Article 20(1) into national law through §38 BSIG and names the addressee explicitly as the Geschäftsleiter, the natural persons who run the entity. §38(2) adds that members of the management body are liable to the entity for breaches of these duties. §38(3) carries the training duty over. The other member states have parallel transposition laws (Cyberbeveiligingswet in NL, NISG in AT, NIS2-Wet in BE).
Confirm whether the directive applies
NIS 2 applies if the entity sits in one of the sectors named in Annex I or Annex II and meets the size threshold (at least medium-sized as defined in Recommendation 2003/361/EC, so 50 or more staff or more than €10 million in annual turnover). A handful of entity types are covered regardless of size: qualified trust service providers, top-level domain name registries, DNS service providers, public administration, and sole providers in a member state. The management body's first job is to know which of these applies.
Approve, oversee, train
Article 20(1) gives the management body two operational duties: approve the cybersecurity risk-management measures the entity puts in place under Article 21, and oversee their implementation. Article 20(2) adds a third: undergo training yourself, and have the entity offer regular training to staff. All three duties are placed on the management body. None of them sits with the head of IT.
The clock has been running since 17 October 2024
Article 41 NIS 2 set 17 October 2024 as the date by which member states had to transpose the directive. From that date, the duties in Articles 20, 21 and 23 apply to entities in scope. National enforcement runs on national clocks (Germany's NIS2UmsuCG is delayed, but the EU-level duty does not wait for national law). Practitioners treat October 2024 as the operational starting line.
Accountability is on the natural person
Article 20(1) says the management body 'can be held liable' for the entity's infringements of Article 21. §38(2) BSIG turns that into an internal-liability claim: members of the management body are liable to the entity itself for breaches of the duties under §38(1). You can delegate the execution of cybersecurity measures. You cannot delegate the approval or the oversight. The directive draws the line at the people who sign.
Proportionality lets the entity scale to its risk
Article 21(1), second subparagraph, says the measures must be 'appropriate and proportionate' to the risk the entity faces. Six factors go into that call: the entity's exposure, its size, the likelihood of an incident, the severity of the impact (including societal and economic effects), the state of the art, and the cost of implementation. The management body is the body that judges that proportionality call and signs for it. A 60-person Stadtwerk is not expected to spend like a bank.
BSI as competent authority
The Bundesamt für Sicherheit in der Informationstechnik (BSI) is the German competent authority under §29 BSIG. It supervises the §30 BSIG risk-management measures, runs the §32 BSIG incident reporting channel, and operates the §33 BSIG registration portal. For the management body, the BSI is the address for questions, registrations, incident notifications and audits.
ENISA as reference
The European Union Agency for Cybersecurity (ENISA) is the EU-wide cybersecurity agency. Article 18 NIS 2 gives it a state-of-cybersecurity reporting role. It also publishes the Technical Implementation Guidance (TIG) for the Commission Implementing Regulation, including mapping tables onto ISO/IEC 27001:2022 and NIST CSF 2.0. ENISA does not supervise, but auditors and national regulators treat its guidance as a reasonable read.
Aufsichtsrat as parallel oversight
If the entity has a supervisory board (Aufsichtsrat in a German AG, Beirat in a larger GmbH), the management body's NIS 2 duties run in parallel with the supervisory board's existing duties under §111 AktG to oversee management. The supervisory board cannot take Article 20(1) off the management body's plate, but it can ask for the same approval and oversight evidence that NIS 2 expects, and most do.
I delegated this to IT.
You can delegate execution. You cannot delegate approval or oversight. Article 20(1) names the management body as the body that approves the measures and oversees their implementation. §38 BSIG names the Geschäftsleiter as the addressee. The head of IT, the CISO or the external service provider can run the programme. They cannot sign for it on your behalf. The directive draws the line at the people who legally represent the entity.
Let us wait until the national law is final.
Article 20 has applied since the transposition date of 17 October 2024. The German NIS2UmsuCG is delayed, but the directive duty does not wait for national law. The Commission Implementing Regulation 2024/2690 has been directly binding on its sector scope since October 2024 without needing transposition at all. Practitioners treat October 2024 as the operational starting line and document their phasing under Article 21(1) proportionality.
Cybersecurity is an IT problem.
Article 20 deliberately makes it a governance problem. The directive puts the duty on the management body, not on the IT function, because the costs, the risk-acceptance calls and the trade-offs only make sense at that level. The IT team implements the measures. The management body owns the risk picture, signs for the residual risk, and is the body the auditor and the BSI talk to about it.
What we see in the German Mittelstand: the management body holds a working session every quarter, walks through the risk register, signs off on the Article 21 measures that are in scope for that period, and documents the proportionality call in two or three lines. That is the operational shape of Article 20(1) for an entity that does not have a dedicated GRC team.
The training duty under Article 20(2) needs less than people think. There is no EU-accredited certifier for NIS 2 management body training. Enrolment and a completion record are the legal floor. A two-hour course that covers the directive's structure, the entity's own risk picture, and the role of the management body satisfies the wording. The point is that the people who sign can read what they sign.
The platform records the three management-body duties as discrete artefacts. Approvals run as signed sign-offs against the Article 21 measures, with the natural-person name on the record. Oversight runs through the dashboard view that shows implementation status, open risks and effectiveness evidence in one place. Training records sit on the user profile with enrolment and completion dates.
All three feed the same audit trail, so the evidence Article 20 expects (who approved what, when, on what basis) is produced as a side effect of using the platform. The CEO course is included in the platform. The platform is free and open source, with no lock-in.
- Directive (EU) 2022/2555 (NIS 2), Articles 20, 21 and 41 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Commission Implementing Regulation (EU) 2024/2690 (CIR), Annex §1 — eur-lex.europa.eu/eli/reg_impl/2024/2690/oj
- BSI Act (BSIG), §29, §30, §32, §33 and §38 — gesetze-im-internet.de/bsig_2009
- Aktiengesetz (AktG), §111 — gesetze-im-internet.de/aktg
- ENISA Technical Implementation Guidance for CIR (EU) 2024/2690 — enisa.europa.eu