NIS2 Guide · 7 min

NIS2 and management responsibility: what boards and leadership must know

NIS2 does something earlier cybersecurity rules largely did not: it puts cybersecurity on the desk of the management body, by name. Leadership must approve the risk-management measures, oversee them, and can be held personally liable if they fail. This guide explains what the directive expects of boards and executives, the questions to put to your security team, what good reporting looks like, and the cost of getting it wrong.

Key takeaways

  • Management bodies must approve and oversee cybersecurity risk-management measures — and can be held liable for failures (Art. 20).
  • Leadership must take cybersecurity training; the duty cannot be fully delegated to IT.
  • Penalties reach €10M or 2% of global turnover for essential entities, €7M or 1.4% for important entities (Art. 34).
  • Boards should expect concise, evidence-based reporting — coverage, remediation speed and open risk — not a once-a-year assurance.

Leadership is named, and on the hook

Under Article 20, the management body of an essential or important entity must approve the entity's cybersecurity risk-management measures and oversee their implementation. This is not a delegable formality: the directive makes leadership responsible for the measures actually being in place and working.

Crucially, members of management bodies can be held liable for the entity's infringements. That accountability is written into the directive itself; how it is framed in practice depends on national transposition. Cybersecurity is therefore a governance matter, not only an IT matter — it belongs on the board agenda alongside financial and legal risk.

The four duties of a management body

In practice, the directive's governance expectations come down to four things leadership must do:

  • Approve the measures — sign off on the risk-management measures (the Art. 21 baseline), with enough understanding to know what you are approving.
  • Oversee implementation — ensure the measures are actually deployed and effective over time, with regular reporting to the board.
  • Take training — members must follow cybersecurity training so they can identify risks and judge the adequacy of the measures (Art. 20(2)); similar training should be offered to staff.
  • Be accountable — own the outcome. Liability for failures rests with the management body, and supervisory authorities can act against leadership directly.

Questions to ask your security team

You do not need to be a security engineer to exercise oversight. A board can discharge much of its duty by asking the right questions and expecting evidence-based answers:

  • Are we in scope as an essential or important entity — and which of our customers are, pulling obligations onto us through contracts?
  • Do we have the Art. 21 measures in place, and when were they last reviewed and approved by this body?
  • Can we meet the 24-hour / 72-hour incident reporting deadlines if an incident — including one at a supplier — affects our services?
  • How do we manage supplier and third-party cyber risk, and how would we prove it in a supervisory audit?
  • What are our top open risks right now, and who owns the remediation, by when?

What good board reporting looks like

Oversight needs signal, not a 60-page appendix. A useful NIS2 reporting line to the board is short, comparable over time, and evidence-based:

  • Coverage — what share of in-scope suppliers and assets is actually monitored; gaps are where surprises come from.
  • Remediation speed — mean time to resolve critical and high findings; the trend matters more than any single number.
  • Open risk — current critical/high findings and the documented, accepted risks; NIS2 expects managed risk, not zero findings.
  • Incident readiness — can the reporting timelines be met, and have they been rehearsed, including for supplier-caused incidents?

The cost of getting it wrong — and right

Penalties under Article 34 reach up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% for important entities. Supervisory authorities can also issue binding instructions, order the disclosure of incidents, and — for essential entities — temporarily suspend management functions. For leadership, the reputational and personal-liability exposure can outweigh the fine itself.

Done well, it is often less about new spend than redirecting existing controls: the Art. 21 measures overlap heavily with controls many organisations already run (ISO 27001, business continuity, access control). The shift NIS2 forces is from point-in-time assurance to continuous, evidence-based management — which is also what makes oversight reporting genuinely informative rather than a formality.

Source: Directive (EU) 2022/2555 (NIS2), Articles 20 and 34 — consult your national transposition law for the exact liability and training provisions in your country.

How norppa.io helps

norppa.io turns supplier and third-party cyber risk into the kind of evidence a board can actually use: a clear risk score per supplier, findings mapped to NIS2 articles, and a monthly executive report designed for leadership rather than engineers.

Coverage, remediation history and open risk are visible at a glance, with the full audit trail exportable — so management can demonstrate active oversight, and the same evidence answers a supervisory authority's questions.
