NIS2 and Personal Board Liability: What Every Director Needs to Know
Most cybersecurity regulations target the organisation. NIS2 goes a step further: it targets you personally as a board member.
Article 20 of the NIS2 Directive places responsibility for cybersecurity explicitly with the management body. This means that if your organisation fails to implement adequate cybersecurity measures, you — as an individual director — can be held personally accountable.
This article explains what NIS2 requires from board members, what the consequences of non-compliance look like, and what you should do now.
What does Article 20 actually say?
Article 20 establishes four specific obligations for management bodies:
Does NIS2 Apply to Your Organisation?
1. Does your organisation operate in an essential or important sector (energy, transport, health, digital infrastructure, etc.)? Yes: go to question 2. No: NIS2 does not directly apply to your organisation.
2. Does your organisation have 50 or more employees, or an annual turnover exceeding €10 million? Yes: NIS2 applies to your organisation as an Essential or Important Entity. No: go to question 3.
3. Is your organisation a critical infrastructure provider or a qualified trust service provider? Yes: NIS2 may apply to your organisation; seek legal advice to confirm your status. No: NIS2 does not directly apply to your organisation.
Let's break these down:
1. Approve risk management measures
The board must formally approve the cybersecurity risk management measures required under Article 21. This means signing off on security policies, risk assessments, incident response plans, and the allocation of resources to implement them.
This is not a one-time event. As threats evolve and the organisation changes, the board must review and re-approve these measures regularly.
2. Supervise implementation
Approval alone is not enough. The board must actively oversee that the measures they approved are actually being implemented. This means regular reporting from the CISO or IT security team, reviewing progress against milestones, and addressing gaps when they arise.
If a breach occurs and the board can show they were actively supervising implementation, their position is significantly stronger than if they simply signed a document and forgot about it.
3. Be personally liable
This is the provision that changes everything. If the organisation fails to comply with the cybersecurity obligations under NIS2, individual board members can be held personally liable.
The directive does not specify exact penalties for individuals — this is left to national implementation. However, member states must ensure that management bodies can be held accountable, and several countries are implementing provisions that include:
- Personal fines for directors
- Temporary bans from exercising management functions
- Public disclosure of compliance failures attributed to management
4. Undergo cybersecurity training
Board members are required to undergo training to ensure they have sufficient knowledge to identify cybersecurity risks and assess the adequacy of the measures in place.
This does not mean every director needs to become a technical expert. But they must understand the organisation's risk landscape well enough to ask the right questions and make informed decisions.
Why is this different from other regulations?
Most regulatory frameworks hold the organisation responsible. NIS2 holds individuals responsible.
Consider the contrast:
| | GDPR | NIS2 |
|---|---|---|
| Who is liable? | The organisation (data controller/processor) | The organisation and individual board members |
| Personal consequences? | Rarely — in extreme cases of negligence | Explicitly written into the directive |
| Board training required? | No specific requirement | Yes — mandatory |
| Active supervision required? | Implied through accountability principle | Explicitly required |
This personal liability model is similar to what exists in financial services regulation, where individual directors can face personal sanctions for compliance failures. NIS2 brings this same level of accountability to cybersecurity.
What are the penalties?
For the organisation
- Essential entities: fines up to €10 million or 2% of global annual turnover
- Important entities: fines up to €7 million or 1.4% of global annual turnover
For individual board members
National implementation varies, but the directive requires member states to ensure management bodies can be held accountable. Consequences may include:
- Personal financial penalties — separate from corporate fines
- Temporary prohibition from exercising management functions in the entity
- Reputational damage — public disclosure of non-compliance and the role of management
- Civil liability — potential lawsuits from shareholders or affected parties
The "I didn't know" defence does not work
Because NIS2 explicitly requires board members to undergo training and actively supervise implementation, claiming ignorance is not a viable defence. The directive is designed to prevent exactly this scenario.
What board members should do now
Immediate actions
- Understand your obligations — read this article, review Articles 20 and 21 of the NIS2 Directive, and consult with your legal and compliance teams
- Assess your current state — do you know which Article 21 measures your organisation has in place? Where are the gaps?
- Undergo cybersecurity training — this is not optional under NIS2. Invest in board-level training that covers risk assessment, incident response, and governance
- Formalise your oversight — establish regular cybersecurity reporting to the board. Set up a clear escalation path for security issues
Ongoing governance
- Review and approve security policies — make this a standing agenda item, not an annual checkbox
- Allocate adequate resources — cybersecurity requires investment. If the budget is insufficient, the board shares responsibility for the consequences
- Document everything — NIS2 requires demonstrable compliance. Keep records of board decisions, risk assessments, training completed, and measures implemented
- Monitor supply chain risks — Article 21 requires securing your supply chain. The board must understand key supplier dependencies and their security posture
The bottom line
NIS2 personal liability is not a theoretical concept — it is EU law. The directive explicitly names the management body as responsible for cybersecurity governance, requires individual training, and mandates that member states ensure personal accountability.
The organisations that will navigate this best are those where the board treats cybersecurity as a core governance responsibility — not an IT problem to delegate and forget.
Start with a free NIS2 quickscan
Want to know how prepared your organisation is? Our free NIS2 quickscan assesses your readiness across all 10 Article 21 measure categories in just a few minutes.
Share the results with your board — it's the fastest way to start an informed conversation about what needs to happen.
