Blend
Enterprise Training 26 March 2026

NIS2 Article 20 Board Training Requirements: What Your Directors Must Know

NIS2 Article 20 requires your management body to undergo documented cybersecurity training. Here's what the directive demands, what auditors will look for, and how to build an evidence trail that holds up.

By Tom Payani

Most NIS2 guidance focuses on the technical controls in Article 21 — network segmentation, incident detection, encryption, multi-factor authentication. Those controls matter. But they sit beneath something that tends to get less attention: Article 20, which places the entire cybersecurity programme under the personal accountability of your management body.

This is not a delegatable obligation. The directive does not say your CISO must be trained. It says your board members and senior executives must be trained — and that if they are not, they can be held personally liable for the consequences.

Here is what the directive actually requires, what enforcement looks like across key member states in 2026, and what you need to build to satisfy an auditor.


What Article 20 Actually Says

The relevant text from Directive (EU) 2022/2555 reads:

Article 20(1): Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities pursuant to Article 21, oversee its implementation and can be held liable for infringements by those entities.

Article 20(2): Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order for them to gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

Three things stand out in that text.

First, the obligation is personal. The management body — not the security team, not the compliance department — is required to follow training. If a supervisory authority requests evidence of Article 20 compliance, it is asking for proof that directors and senior executives have completed training, not that someone in IT has a CISSP certification.

Second, the standard is functional, not formal. The directive does not require directors to earn a cybersecurity qualification. It requires them to gain "sufficient knowledge and skills" to perform three specific tasks: identify risks, assess cybersecurity risk-management practices, and understand the impact of those practices on services. These are governance competencies, not technical ones.

Third, the liability is individual. Article 20(1) makes clear that management body members can be held personally liable for infringements — not just the organisation. Recital 53 of the directive reinforces this, noting that member states should be able to temporarily prohibit individuals from exercising managerial functions if they bear responsibility for serious or repeated failures.


Who Is In Scope

NIS2 applies to two categories of entity.

Essential entities are organisations in sectors deemed critical to societal and economic function: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. The size threshold is generally 250 employees or more, or annual turnover exceeding EUR 50 million.

Important entities cover a second tier: postal services, waste management, chemicals, food production, manufacturing of certain goods, digital providers, and research organisations. The threshold here is typically 50 employees or EUR 10 million in annual turnover.

For both categories, the management body training obligation under Article 20(2) applies in full. The distinction between essential and important entities matters for enforcement intensity — essential entities face more stringent ex-ante supervision — but it does not affect the existence of the training requirement.

The phrase "management body" is defined broadly. In Recital 32, the directive refers to executive directors, managing directors, and any person who effectively runs the organisation. In practice, this means board members, non-executive directors, and C-suite executives should all be included. If your governance structure sits above the executive layer — a holding board, for example — whether those individuals are in scope will depend on how "management body" is transposed in your jurisdiction.


Country-by-Country Enforcement Status

NIS2 required transposition by 17 October 2024. The picture across member states varies considerably.

Germany published its implementing legislation (NIS2UmsuCG) with a compliance deadline of 17 March 2025 for most organisations — a date that has now passed. The Federal Office for Information Security (BSI) has supervisory authority and has been actively engaging with essential entities on documentation requirements. Germany's transposition is notable for its granularity on what constitutes adequate cybersecurity governance, including specific requirements around risk management approval at board level that map directly onto Article 20(1).

Belgium moved early. At the time of writing, the Centre for Cybersecurity Belgium (CCB) has over 4,500 entities registered under the NIS2 framework. Belgium's transposition (the NIS2 Law of April 2024) includes provisions for administrative fines up to EUR 10 million or 2% of global turnover, and the CCB has indicated that management body training documentation is a primary audit focus.

Italy completed its transposition through Legislative Decree 138/2024, effective from October 2024. The Italian National Cybersecurity Agency (ACN) has primary supervisory responsibility. Entities in scope must register and notify incidents through the ACN portal. Training obligations are in force.

Finland transposed NIS2 through amendments to its Information Society Code. The Finnish Transport and Communications Agency (Traficom) has supervisory responsibility. Finland was among the first member states to have its transposition reviewed as substantially complete by the European Commission.

France published its transposition through Ordinance 2024-821, though secondary legislation implementing the full supervisory framework was still being finalised as of early 2026. ANSSI (Agence nationale de la sécurité des systèmes d'information) has been preparing for enforcement, with public guidance indicating that management body training will be a priority focus when active supervision begins.

For organisations operating across multiple member states, the OpenKRITIS tracker provides a regularly updated country-by-country view of transposition status and enforcement timelines.


What "Sufficient Knowledge and Skills" Means in Practice

The directive's standard — "sufficient knowledge and skills" — is purposefully outcome-based rather than prescriptive. ENISA guidance on NIS2 implementation has elaborated on this in terms that point toward three distinct competency areas.

1. Identifying risks

Management body members do not need to be able to conduct a penetration test. They do need to understand the threat landscape relevant to their organisation — what kinds of attack are plausible, which assets are most exposed, and how those risks compare to the organisation's risk appetite. This is the same kind of contextual risk literacy that boards apply to financial and reputational risk, applied to the cybersecurity domain.

An auditor testing this competency might ask: can a director explain why ransomware is a more significant threat to their operational technology environment than to their finance systems? Can they articulate what their organisation's most critical services are and what could interrupt them?

2. Assessing risk-management practices

This goes beyond awareness. The directive requires directors to be capable of assessing the cybersecurity risk-management measures their organisation has implemented. That means understanding what the measures are, why they were chosen, and whether they are proportionate to the risk.

In practice, this means a director who approves an annual cybersecurity budget should be able to explain — at least in general terms — what that budget is being spent on and how it maps to the organisation's risk profile. "I approved it because the CISO told me to" does not meet the Article 20 standard.

3. Understanding impact on services

The third competency is strategic. Management body members should understand how a significant cybersecurity incident would affect the services their organisation provides — to customers, to the public, and potentially across supply chains. This connects to Article 23 incident notification obligations and Article 21 business continuity requirements: a director who does not understand service impact cannot make sound decisions under the pressure of an active incident.


The Gap Between Awareness Training and Governance Competence

Most organisations that have done "something" for NIS2 training have delivered awareness training. They have run a phishing simulation, shown a video about social engineering, or sent a policy document for acknowledgement. This is not adequate for Article 20 compliance.

Awareness training addresses the behaviour of individual employees — teaching people not to click suspicious links, use strong passwords, or leave screens unlocked. It is valuable. It does not address the governance competencies Article 20 requires.

What Article 20 requires is closer to what corporate governance training produces: directors who can interrogate risk registers, challenge security spend, ask the right questions of their CISO, and make consequential decisions under uncertainty. The competency is not "how do I avoid being phished" but "how do I oversee a cybersecurity programme and bear accountability for its adequacy."

This distinction matters practically. If an auditor asks a director to walk them through the organisation's cybersecurity risk-management approach, and the director can describe phishing awareness but cannot explain the organisation's detection and response capabilities, that is a gap. If they cannot explain how a supplier compromise would be identified and contained, that is a gap. If they were not present when the risk management measures under Article 21 were approved, that is a gap with a named Article behind it.


What Auditors Will Look For

ENISA guidance and early enforcement patterns across member states point to a relatively consistent set of documentation requirements for Article 20.

Training records for named individuals. Auditors want to see that specific members of the management body — not "staff" or "the security team" — have completed training. SCORM completion records from an LMS, attendance records from facilitated sessions, or signed completion certificates all serve this purpose. Undated or generic records are insufficient.

Training content that maps to Article 20(2) competencies. A training completion record that simply states "Cybersecurity Awareness — 30 minutes" will not satisfy an auditor looking for evidence that directors can "assess cybersecurity risk-management practices." The training record should be supported by documentation showing what the training covered and how it addressed the directive's three-part competency standard.

Board minutes reflecting cybersecurity oversight. Article 20(1) requires the management body to approve and oversee cybersecurity risk-management measures. Board minutes should show when cybersecurity was discussed, what was presented, and what was approved. A board that has never discussed cybersecurity at a formal meeting has a significant Article 20(1) problem regardless of what training has been completed.

Evidence of ongoing training. Article 20(2) refers to training "on a regular basis." A one-time training in 2024 is likely to be questioned in a 2026 audit. The evidence trail should show that training is treated as a recurring governance activity, not a one-time compliance exercise.

Role-specific training for relevant executives. ENISA guidance notes that training should be appropriate to the individual's role and the organisation's risk profile. A board chair at a water utility faces different scenarios than a CFO at a managed service provider. Training that is evidently generic may be challenged.


How to Build a Board Training Programme That Meets Article 20

These are the practical steps for an organisation building from scratch or upgrading an existing approach.

Step 1: Map your management body. List every individual who falls within the Article 20 scope as transposed in your jurisdiction. Include non-executives. Include any individuals at holding company level who exercise effective control. This becomes your training register.

Step 2: Define the competency baseline. Before selecting training, articulate what you are trying to achieve against the three Article 20(2) competencies: risk identification, practice assessment, and impact understanding. This gives you a framework against which to evaluate training content and against which an auditor can assess completion.

Step 3: Choose training that produces evidence. Training delivered verbally in a board meeting with no record satisfies neither the competency requirement nor the documentation requirement. Use training methods that produce a completion record. SCORM-based e-learning modules on an LMS produce time-stamped completion data and scores. Facilitated tabletop exercises should be documented with an attendance record and a summary of outcomes.

Step 4: Design for governance competence, not awareness. The training should put directors into scenarios they might actually face: reviewing a risk register with gaps, being presented with an incident notification decision, being asked to approve a supplier security assessment. The learning objective is governance judgement, not personal hygiene behaviour.

Step 5: Connect training to board processes. Training is necessary but not sufficient. Following training, cybersecurity should appear as a standing agenda item. The risk register approved under Article 21 should be reviewed at a board or committee level at least annually. Board minutes should reflect this activity. The training and the governance process should be mutually reinforcing — the training gives directors the capability, the governance process gives them the opportunity to exercise it.

Step 6: Create a repeating cycle. Schedule refresher training aligned with the threat landscape changes relevant to your sector. An annual training cycle, with records updated each year, demonstrates the "regular basis" standard in Article 20(2) and avoids the audit finding that your training is a historical artefact.

For the scenario-based interactive approach that puts directors through realistic incident decisions, our NIS2 board training course is built specifically for this competency standard — covering the Article 20(2) competencies through five scenario modules based on the kinds of decision your management body would actually face. The interactive ransomware scenario is available to try free, without registration.


The Personal Liability Question

Directors at organisations still treating NIS2 compliance as an IT matter should be aware of the enforcement arithmetic. Article 34 of the directive sets maximum fines for essential entities at EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is EUR 7 million or 1.4% of turnover.

But fines are corporate penalties. Article 20 creates something separate: personal accountability for management body members who have failed to approve, oversee, or train. Recital 53 explicitly anticipates the possibility of temporarily prohibiting individuals from holding managerial roles following serious or repeated infringements.

This is not theoretical. It mirrors the trajectory of GDPR enforcement, where early focus on organisations has progressively moved toward examining whether individuals with governance responsibility took their obligations seriously. A director who cannot demonstrate that they completed training, reviewed a risk register, or oversaw the implementation of Article 21 measures is personally exposed in a way that their organisation's legal team cannot fully insulate them from.


A Practical Assessment Before You Build

Before investing in a training programme, it is worth establishing your current position honestly. Common gaps we see when organisations first assess their Article 20 posture:

  • Training has been completed by IT staff but not by named management body members
  • Board minutes contain no reference to cybersecurity risk management
  • The risk register exists but has not been formally approved at board level
  • Training records cannot be produced for specific individuals
  • Training completed is generic awareness content without documented mapping to Article 20(2) competencies

If any of these apply, they are audit findings waiting to happen. The NIS2 readiness assessment takes two minutes and scores your current posture against the documentation and competency requirements auditors in active enforcement jurisdictions are applying.
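The documentation checks in "What Auditors Will Look For" and the gap list above can be run mechanically against an evidence register. The Python below is an added illustration, not code from this article or from Blend: it feeds a constructed register, training records and board minutes (all sample data) through the checks the article describes, named individuals, dated records, a refresh window, mapping to the three Article 20(2) competencies, and minutes showing Article 20(1) approval. The competency labels, the 365-day window and the record layout are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Article 20(2) competencies as the article describes them (labels are assumed).
COMPETENCIES = {"identify_risks", "assess_practices", "understand_impact"}
# Assumed reading of "on a regular basis": every record must be refreshed within 12 months.
REFRESH_WINDOW = timedelta(days=365)


@dataclass
class TrainingRecord:
    person: str                      # a named individual, never "staff"
    completed: Optional[date]        # None models an undated certificate
    title: str
    competencies: Set[str] = field(default_factory=set)


@dataclass
class BoardMeeting:
    held: date
    topics: Set[str]                 # e.g. {"cybersecurity", "risk_register_approval"}


def assess_article20(register: List[str], records: List[TrainingRecord],
                     meetings: List[BoardMeeting], audit_date: date) -> List[str]:
    """Return the findings an Article 20 evidence review would raise."""
    findings: List[str] = []

    for person in register:
        own = [r for r in records if r.person == person]
        if not own:
            findings.append(f"{person}: no training record on file")
            continue
        dated = [r for r in own if r.completed is not None]
        if not dated:
            findings.append(f"{person}: training records are undated")
            continue
        latest = max(dated, key=lambda r: r.completed)
        if audit_date - latest.completed > REFRESH_WINDOW:
            findings.append(f"{person}: latest training {latest.completed} is older than 12 months")
        # Only records inside the refresh window count towards the three competencies.
        current = [r for r in dated if audit_date - r.completed <= REFRESH_WINDOW]
        covered = set().union(*(r.competencies for r in current))
        missing = COMPETENCIES - covered
        if missing:
            findings.append(f"{person}: no current record maps to {sorted(missing)}")

    # Article 20(1): oversight has to show up in board minutes, not only in training logs.
    recent = [m for m in meetings if audit_date - m.held <= REFRESH_WINDOW]
    if not any("cybersecurity" in m.topics for m in recent):
        findings.append("board minutes: no cybersecurity discussion in the last 12 months")
    if not any("risk_register_approval" in m.topics for m in recent):
        findings.append("board minutes: Article 21 risk register not approved in the last 12 months")

    # Training held only by people outside the management body does not satisfy Article 20(2).
    for outsider in sorted({r.person for r in records} - set(register)):
        findings.append(f"{outsider}: trained, but not a management body member")
    return findings


def run_example() -> List[str]:
    """Constructed evidence set (not real data) exercising each gap the article lists."""
    register = ["A. Chair", "B. Director", "C. CFO"]
    records = [
        TrainingRecord("A. Chair", date(2025, 9, 10), "NIS2 board module: threat landscape and service impact",
                       {"identify_risks", "understand_impact"}),
        TrainingRecord("A. Chair", date(2025, 11, 2), "Tabletop: supplier compromise decision",
                       {"assess_practices"}),
        TrainingRecord("B. Director", date(2024, 6, 15), "Cybersecurity Awareness - 30 minutes"),  # generic, stale
        TrainingRecord("D. IT Manager", date(2026, 1, 20), "NIS2 board module: full course", set(COMPETENCIES)),
    ]
    meetings = [
        BoardMeeting(date(2024, 11, 20), {"cybersecurity", "risk_register_approval"}),  # outside the window
        BoardMeeting(date(2025, 5, 14), {"cybersecurity"}),                             # discussed, not approved
    ]
    return assess_article20(register, records, meetings, date(2026, 3, 26))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Run as-is, the sample set produces five findings: the stale, unmapped awareness record for B. Director (two findings), no record for C. CFO, a risk register last approved outside the 12-month window, and a fully trained IT manager who is not in the management body register. A. Chair produces none, because two dated records inside the window together cover all three competencies. Replacing the constructed lists with an export from your LMS and your minute book turns this into the pre-audit self-check the section above recommends.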


Summary

Article 20 is one of the more consequential provisions in NIS2 precisely because it is hard to delegate. The management body must be trained. The training must be documented. The documentation must show that named individuals have developed the governance competencies the directive specifies.

The organisations that will find Article 20 enforcement manageable are those that treat it as a governance process rather than a compliance checkbox — building training into the board calendar, connecting it to existing risk oversight structures, and maintaining records that a supervisory authority can review without finding gaps.

The organisations that will struggle are those that relied on IT awareness campaigns to satisfy an obligation that was always aimed at the boardroom.


If you want to know where your management body stands today, the NIS2 Board Training Readiness Assessment takes two minutes. It maps your current documentation and training posture against the evidence requirements that auditors in Germany, Belgium, Italy, and Finland are already applying.
