Art. 20 NIS 2 + §38 BSIG

RACI for NIS 2 in a 60-person organisation

Under Art. 20 NIS 2 the management body is Accountable for risk-management measures by law. RACI is the cheapest way to make sure everyone else knows what that means in practice.

Simon OrzelSimon Orzel·

Why RACI for NIS 2

Most Mittelstand teams skip the RACI matrix because it sounds like consultant theatre. Under NIS 2 it is not optional in spirit. Art. 20 NIS 2 puts Accountability on the management body by name; the matrix is just the cheapest way to make Accountable, Responsible, Consulted and Informed legible to the team.

A 60-person organisation cannot afford a CISO, a DPO, a CCO, a head of legal and a head of IT as five different people. One person typically covers two or three roles, and the management body covers the directly-personal-liability ones. RACI documents how that consolidation works without violating the directive.

The matrix matters most at two moments: when a new manager joins and asks who owns which NIS 2 obligation, and when the BSI requests evidence and you need to show that someone signed off.

Where the obligation sits
The directive names the Accountable side; the transposition adds the training duty.

Art. 20(1) NIS 2 (management body responsibility)

Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.

'Approve' and 'oversee' are Accountable activities in RACI terms. The management body holds A whether or not it delegates R. Delegation is allowed, abdication is not.

§38 BSIG (management body training)

Mitglieder der Leitungsorgane wesentlicher und wichtiger Einrichtungen haben an Schulungen teilzunehmen, um ausreichende Kenntnisse und Fähigkeiten zur Erkennung und Bewertung von Risiken und Risikomanagementverfahren im Bereich der Cybersicherheit sowie ihrer Auswirkungen zu erwerben.

Training is the management body's own obligation, not delegable. RACI shows this as Responsible AND Accountable on the management body row.

Five core roles for 60 employees
Minimum viable role set. Smaller entities consolidate further; larger entities add specialists.

Management body

CEO, Geschäftsführer, Vorstand. Accountable for Art. 21 measures by law. Responsible for Art. 20 training, budget approval, risk acceptance over the agreed threshold.

IT lead or CISO

Most 60-person Mittelstand entities do not have a CISO; the IT lead doubles. Responsible for technical implementation of measures, day-to-day operations, supplier technical assessment.

Data protection officer (DPO)

Already in place for GDPR. Under NIS 2 they typically own the customer-notification side (Art. 23(2) NIS 2) and the breach overlap with GDPR Art. 33. Often part-time or external.

HR

Responsible for ORP.3 staff training, joiner/mover/leaver access processes, the personal-data-on-employees side of supplier management.

Compliance or legal

Often outsourced. Responsible for contract clauses with suppliers under Art. 21(2)(d), Art. 23(2) recipient notifications, regulatory correspondence with the BSI.

RACI matrix: 10 NIS 2 obligations × 5 roles
Read each row: A is Accountable (the buck stops here), R is Responsible (does the work), C is Consulted, I is Informed.
RACI matrixManagement bodyIT lead or CISOData protection officer (DPO)HRCompliance or legal
BSI registration under §33 BSIGARCIC
Information security policy under Art. 21(2)(a)ARCCC
Incident handling under Art. 21(2)(b)ARCIC
Business continuity under Art. 21(2)(c)ARICI
Supply chain security under Art. 21(2)(d)ACCIR
Management body training under Art. 20(2) + §38 BSIGA and RICCC
All-staff awareness training under Art. 21(2)(g)ACCRI
Incident notification under Art. 23 + §32 BSIGARCIC
Recipient notification under Art. 23(2) NIS 2ACRIC
Registration update under §33(5) BSIG (2-week deadline)ARICC
Accountable vs Responsible: the most common trap

RACI fails when teams treat A and R as the same. Under Art. 20 NIS 2 the management body holds A by law. It cannot delegate A. It can and must delegate R, often to the IT lead or DPO, but the buck still stops at the management body.

Practical consequence: when an audit asks 'who signed off on this risk acceptance?', the answer cannot be 'the IT lead'. It must be a member of the management body, by name, with a date. The IT lead executes; the management body signs.

What changes if your IT is outsourced

An MSP arrangement does not move A to the MSP. Art. 20 stays with your management body. Responsibility for execution may live at the MSP, but only inside a contract that defines what they do under Art. 21(2)(d).

The RACI matrix gets a sixth column: external MSP. They sit as R on technical rows, as Consulted on policy rows. The Accountable column never leaves your management body.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Art. 20, Art. 21, Art. 23, www.eur-lex.europa.eu
  • Act on the Federal Office for Information Security (BSIG), §32, §33, §38, www.gesetze-im-internet.de
  • BSI IT-Grundschutz ORP.3 (awareness and training), www.bsi.bund.de
  • Cooperation Group Common Notification Templates (adopted 26 May 2026) on reporting workflows

This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, BSI IT-Grundschutz, Cooperation Group templates). It does not constitute legal advice within the meaning of §2 RDG. For specific RACI design in your entity, consult a qualified advisor. As at 2026-06-04.

Want a RACI tailored to your headcount?
Sign in and the platform produces a starter RACI based on your sector, headcount, and the obligations you select.