
NIS2 Article 20 — Management body responsibility

Article 20 is the article a Geschäftsführer reads twice. It moves cybersecurity from an IT-department concern to a personal management-body obligation: management bodies must APPROVE the risk-management measures their entity implements, OVERSEE their implementation, and FOLLOW recurring training. In Germany, §38 BSIG layers personal liability — including potential temporary management bans — on top.

Who Article 20 applies to

Every NIS2 in-scope entity (essential AND important). The obligation cannot be delegated to a single CISO: the management body's own approval and oversight must still be documented.

What Article 20 obliges you to do

  • Management body APPROVES the cybersecurity risk-management measures under Article 21
  • Management body OVERSEES the implementation of those measures
  • Members of the management body undergo regular cybersecurity training
  • Equivalent training offered to staff with relevant roles
  • Training records kept (BSI guidance: attendance certificates alone are insufficient — content, trainer, duration must be documented)

Common misconception

"My CISO handles this — Art. 20 doesn't apply to me."

False. Art. 20 is explicit that the obligation sits with the management body. A CISO can advise and execute, but the documented approval and oversight must come from the management body itself. §38 BSIG codifies the personal liability dimension in Germany; the burden of proof of approval/oversight shifts to the managing director.

Get the external-posture evidence in 60 seconds

An auditor reviewing Article 20 compliance will ask for evidence. SaaSFort produces the externally-observable portion (TLS, headers, DNS, certs, exposed surfaces) in 60 seconds — mapped to Art. 21 sub-clauses and ISO 27001 Annex A.

Frequently asked questions

What counts as "regular" training under NIS2 Art. 20?

The Directive does not set a fixed cadence; BSI guidance in Germany expects at least every three years, with detailed records (participants, content, trainer, duration). Many entities adopt annual training to align with their broader compliance calendar.

Can the management body delegate Art. 20 to a committee?

No — approval and oversight must come from the management body itself. A risk committee can prepare and recommend, but the documented decision and the personal-liability exposure remain with the management body under Art. 20 and §38 BSIG.

What penalty applies under Art. 20 non-compliance?

Up to €10M or 2% of global turnover for essential entities (Art. 34); up to €7M or 1.4% for important entities. Plus a temporary ban from management functions under Art. 32(6) for repeated or severe non-compliance.
