
Board-Level Cybersecurity Governance Under NIS2

Simone Nogara

September 2025 · 6 min read

NIS2 introduces personal liability for management body members who fail to ensure adequate cybersecurity governance. For PE-appointed directors sitting on multiple portfolio company boards, this creates a new category of fiduciary risk demanding structured response.

Article 20: The Management Body Obligation

Article 20 of NIS2[1] establishes two foundational requirements. First, management bodies must approve the cybersecurity risk-management measures adopted under Article 21. Second, they must oversee implementation and can be held liable for infringements. Members must also follow training to gain sufficient knowledge to identify risks, assess cybersecurity practices, and evaluate their impact on services.

These provisions reflect a deliberate policy choice by the European Union legislature. The original NIS Directive had no management body obligations. NIS2's personal liability provisions recognise that cybersecurity failures are governance failures—the European Commission specifically cited management bodies' failure to prioritise cybersecurity investment as a systemic weakness NIS2 was designed to address.

Personal Liability in Practice

Article 20 does not create a standalone liability regime but requires member states to ensure management bodies can be held liable for infringements of Articles 21 and 23. The specific mechanism—administrative sanctions on natural persons, civil liability, or temporary prohibition of management functions—is determined by national transposition.

In Italy, D.Lgs. 138/2024[2] allows the ACN[3] to impose sanctions on individuals in management functions when non-compliance is attributable to inadequate oversight, and to temporarily prohibit management functions in essential entities. For a PE-appointed director, such a prohibition would extend beyond the specific entity to other board roles and professional standing.

For Private Equity professionals, the liability framework creates direct personal risk. A partner on the board of an essential or important entity has a fiduciary obligation to ensure appropriate cybersecurity measures are adopted and implemented, and must personally have sufficient knowledge to evaluate them. Delegation to management does not eliminate the oversight obligation.

Required Training and Competency

Article 20(2) mandates training sufficient to enable risk identification, practice assessment, and impact evaluation. This is not a recommendation—the competent authority may verify and enforce it. While the directive does not prescribe format or duration, directors must achieve a level of technical literacy beyond general awareness: capable of engaging with security reports, challenging risk assessments, and making informed resource allocation decisions.

For PE-appointed directors, this creates both a practical and evidentiary requirement. Training must be documented with records of content, attendance, and completion. Annual refresher training maintains competency and a current compliance record.

Governance Framework Requirements

Satisfying Article 20 requires a structured governance framework establishing clear board-level accountability, adequate information flow for oversight, and documented engagement with cybersecurity decisions. Define: frequency of board cybersecurity consideration, reporting formats and metrics, escalation procedures for incidents and material risk changes, and the policy approval process. A dedicated committee or assignment to an existing risk/audit committee provides a structured forum.

Risk appetite definition is critical. The management body must articulate acceptable risk levels for service disruption, data compromise, financial loss, and regulatory non-compliance. This provides the framework against which the board approves specific security investments and controls.

Board Reporting

The management body cannot fulfil its obligations without timely, accurate, and comprehensible reporting. Board cybersecurity reports should cover: current threat landscape, status of Article 21 measures including gaps, incident summaries, assessment and audit results, remediation status, material risk profile changes, and relevant regulatory developments.

Calibrate reporting for the audience. Risk-based frameworks, trend analysis, peer benchmarking, and clear articulation of residual risks requiring board attention support governance decision-making far better than raw technical metrics.

PE-Appointed Directors: Multi-Board Challenges

A typical mid-market Private Equity operating partner may sit on four to eight boards simultaneously. If several entities fall within NIS2 scope, the director faces training, approval, and oversight obligations independently for each. A systematic approach is essential.

The PE firm should provide comprehensive NIS2 governance training covering directive requirements, personal obligations, and key cybersecurity concepts, supplemented by entity-specific briefings. A standardised governance framework across portfolio companies—with consistent reporting templates, uniform risk assessment methodologies, and standardised policy structures adapted to each entity's context—allows directors to apply competency efficiently across multiple boards.

The PE firm should maintain portfolio-level oversight of NIS2 compliance to identify systemic risks, allocate resources to entities with the greatest gaps, and demonstrate to LPs that cybersecurity governance is managed as a portfolio-wide discipline.

Implementation Steps

Based on our advisory work with European PE firms and Family Offices, we recommend four steps. First, assess current governance against Article 20—identify in-scope entities, affected directors, and existing structures. Second, deliver management body training covering NIS2 provisions, entity-specific context, Article 21 measures, incident response obligations, and personal liability; maintain documented records. Third, establish the governance framework: board oversight responsibilities, reporting cadence, committee assignment, risk appetite, and policy approval process, formally adopted via board resolution.

Fourth, establish ongoing operations: regular reporting, periodic policy review, annual training refreshment, integration with audit and risk committees, and documentation of all board cybersecurity decisions. Cybersecurity is now a board-level governance responsibility with personal consequences. For PE firms and Family Offices where directors oversee multiple entities, a robust governance framework is both a regulatory necessity and a professional imperative.

References

  1. Directive (EU) 2022/2555 of the European Parliament and of the Council (NIS2 Directive). EUR-Lex
  2. Decreto Legislativo 4 settembre 2024, n. 138 — Italian transposition of the NIS2 Directive. Gazzetta Ufficiale
  3. Agenzia per la Cybersicurezza Nazionale (ACN) — Italy's National Cybersecurity Agency. acn.gov.it