NIS 2 management body training under Article 20(2)
NIS 2 says the management body itself has to be trained on cybersecurity. Not the CISO. Not the head of IT. The board, the managing directors, the people who sign off on the risk-management measures under Article 20(1).
The short version
Article 20 NIS 2 is the governance article. Paragraph 1 says the management body has to approve the risk-management measures, oversee their implementation, and can be held personally responsible if it does not. Paragraph 2 adds the training piece: the management body itself takes training, and the entity offers regular training to all staff.
Training is not delegable. The directive names the management body specifically. Sending the CISO on a course does not discharge the duty. The people who sign off on Article 21 measures need enough knowledge to understand what they are signing.
Germany puts this rule into national law through §38(3) BSIG. The wording mirrors the directive. This page walks through Article 20(2), the practical duty, and the German transposition in that order.
Article 20(2) NIS 2 Directive (2022/2555)
Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall require essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
This is the source rule. It names the management body explicitly and ties the training content to risk identification, risk assessment, cybersecurity risk-management practices, and the impact on the entity's services. It also creates the staff training duty for essential and important entities.
Commission Implementing Regulation (EU) 2024/2690
The CIR sets technical and methodological requirements for the measures in Article 21(2). It does not cover Article 20.
Unlike Article 21, Article 20 has no implementing regulation. The directive text is the standard. National authorities and ENISA fill in the practical detail; there is no CIR section to point at.
§38(3) BSIG (Germany)
Management bodies of particularly important entities and important entities must regularly attend training in order to acquire sufficient knowledge and skills to identify and assess risks and risk-management practices in the field of cybersecurity and their impact on the services provided by the entity.
§38 BSIG sits inside the NIS2 implementation law (NIS2UmsuCG) and is in force as of 2026. It is the German operational anchor for the personal training duty. §38(1) and (2) BSIG add the approval duty and the personal liability piece. Registration under §33 BSIG was due 6 March 2026.
Management body itself takes training
The members of the management body have to be trained. Personally. The directive uses the plural ('members'), so every managing director, every board member with operational responsibility, is in scope. Proof of enrolment and completion is the legal floor. Our platform stores both.
Entity offers training to all staff
The entity has to offer training to its employees on a regular basis. 'Regular' is not defined; annual is the operational norm under Grundschutz ORP.3. Awareness for everyone, role-specific training for IT staff. The duty applies to the whole workforce, not just the technical team.
Content covers risk plus management practices plus service impact
The directive names four content blocks: identify risks, assess risks, understand cybersecurity management practices, understand the impact on the services the entity provides. A generic phishing simulation does not cover all four. A management-grade course does.
Personal duty on the management body (Article 20(1) and 20(2))
The management body cannot delegate this to the CISO, the head of IT, or the data protection officer. Article 20(1) ties the approval duty to the management body. Article 20(2) ties the training duty to the same people. The two sit together by design. The reason: if you sign off on the risk-management measures, you need to understand what you are signing.
Proportionality applies via Article 21(1)
Article 21(1) says cybersecurity measures must be 'appropriate to the risk posed', taking account of size, exposure, likelihood, severity, state of the art, and cost. The training requirement reads through the same lens. A 60-person Stadtwerk needs serious, documented training; it does not need a multi-week executive programme. What the directive does not allow is no training at all.
BSI / §38(3) BSIG
Germany copies the directive wording almost verbatim in §38(3) BSIG. The BSI Handreichung for §38 (April 2026) is non-binding research input only, not a curriculum. The BSI does not run an accreditation scheme for Article 20 training. Enrolment plus completion proof is the legal floor.
ENISA Technical Implementation Guidance
ENISA's TIG covers the Article 21 measures. Article 20 sits outside the TIG's scope because there is no CIR to implement here. ENISA does cite Article 20 in its broader NIS 2 material, but it has not issued formal training criteria.
National transposition laws
Every member state has transposed Article 20(2) (Netherlands: Cyberbeveiligingswet, Austria: NISG, Belgium: NIS2-Wet). Same duty, same content blocks. Different reporting channels and different supervising authorities. None of them runs an accreditation body for Article 20 training either.
We delegated this to our CISO.
You cannot. Article 20(2) names 'the members of the management bodies' explicitly. Sending the CISO on a course does not discharge the duty. The CISO can run the programme, pick the provider, build the content. The training the directive requires is for the people who sign off under Article 20(1).
We ran a security awareness module, so the management body is covered.
User awareness training is not management training. Article 20(2) lists four content blocks: identify risks, assess risks, understand cybersecurity management practices, understand the impact on services. 'Do not click phishing links' is not on that list. The management body needs training in management practices, not in user behaviour.
Our D&O insurance covers personal liability, so the training is optional.
It does not. §38(2) BSIG creates personal liability for breach of the management duties under §38. Insurance is something you add on top. It does not remove the underlying obligation, and the training itself is what reduces the underlying risk of breach. Skipping the training raises the liability; it does not lower it.
There is no accreditation body for Article 20 training. No DAkkS scheme, no TÜV mark, no Big Four certification required. Article 20(2) names enrolment and completion. That is the legal floor. Anything beyond that is optional and risk-driven, not law-driven.
What works in the German Mittelstand: a structured course covering the four content blocks (risk identification, risk assessment, management practices, service impact), enrolment recorded against each management body member by name, completion proof stored with the audit trail, refresh on a regular cadence. That holds up under Article 20(2). It also lines up with §38(3) BSIG and the BSI's own framing in the §38 Handreichung.
We built the CEO course exactly for this. The course covers the four content blocks Article 20(2) names: risk identification, risk assessment, cybersecurity management practices, and the impact on the services the entity provides. Each lesson is short. The course is built for managing directors, not for security engineers.
The platform records enrolment against each management body member by name, captures completion proof, and stores both in the audit trail. The same record satisfies the §38(3) BSIG documentation expectation. The course is free, and so is the platform underneath it.
- Directive (EU) 2022/2555 (NIS 2), Article 20 — eur-lex.europa.eu/eli/dir/2022/2555/oj
- BSI Act (BSIG), §38 as amended by the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)
- BSI Handreichung zur Geschäftsleitungsschulung nach §38(3) BSIG, v1.0, 17 April 2026 (non-binding)
- ENISA NIS 2 materials on management responsibilities — enisa.europa.eu
- IT-Grundschutz ORP.3 (Awareness and Training)