Management Accountability (NIS2)

NIS2 places direct accountability on management for cybersecurity. Management bodies in essential and important entities must approve the cybersecurity measures that are implemented and can be held personally liable for non-compliance. In addition, mandatory training is a requirement.

    What does management accountability mean under NIS2?

    One of the most significant innovations in the NIS2 directive compared with the original NIS Directive is the explicit placement of accountability at management level. Cybersecurity is no longer solely the IT department's responsibility – the directive requires that top management be actively involved and accountable.

    NIS2 Article 20 stipulates that management bodies of essential and important entities must approve the measures taken to manage cybersecurity risks and oversee their implementation.

    Specific requirements for management

    Under NIS2, the management body (board of directors, executive management or equivalent) is subject to the following obligations:

    • Approval: Management must formally approve the cybersecurity measures the organisation implements.
    • Oversight: Management must oversee the implementation of the measures and verify that they are effective.
    • Training: Management members are required to undergo appropriate cybersecurity training.
    • Personal liability: Management members can be held personally liable for breaches of NIS2 requirements.

    Personal liability is new:
    Under the previous NIS Directive, it was primarily the organisation that was liable. Under NIS2, individual management members can, in certain cases, be subject to a temporary ban from exercising management functions in the event of serious or repeated non-compliance.

    The training requirement

    NIS2 Article 20(2) requires that management members undergo training to acquire sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services the entity provides. Employees must likewise be offered relevant training.

    The training does not need to make management members technical experts. The focus is on ensuring they can make informed decisions about cybersecurity and understand the consequences of inaction.

    Consequences of non-compliance

    For breaches of NIS2 requirements, including insufficient management engagement, the following sanctions may be imposed:

    • Administrative fines (for essential entities, up to EUR 10 million or 2% of global annual turnover, whichever is higher)
    • Orders to bring the infringement to an end
    • In serious cases: a temporary ban from exercising management functions

    Frequently Asked Questions about Management Accountability (NIS2)

    Can management members be held personally liable under NIS2?

    Yes. NIS2 provides for personal sanctions against management members, including in serious cases a temporary ban from exercising management functions. This is a significant new escalation compared with the previous NIS Directive.

    What must management be trained in under NIS2?

    Management must have sufficient knowledge to identify cybersecurity risks and assess the organisation's security practices. The training does not need to make them technical experts, but they must be able to make informed decisions about cybersecurity.

    Does NIS2 require management to approve cybersecurity measures?

    Yes. NIS2 Article 20 requires that management bodies formally approve the cybersecurity risk management measures the organisation implements and oversee their execution.

    What fines can be imposed for non-compliance with NIS2 management requirements?

    Essential entities can face administrative fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher. In addition, management members may be subject to a temporary ban from exercising management functions.

    How does NIS2 management accountability differ from the original NIS Directive?

    The original NIS Directive primarily held the organisation liable. NIS2 introduces explicit personal accountability for management members, including mandatory approval of measures, obligatory training, and the possibility of personal sanctions.
