
NIS2 liability for directors

What Articles 20 and 32 change for you personally as a director

NIS2 moves cybersecurity from the IT department to the management body. In Article 20, Directive (EU) 2022/2555 makes it explicit that the management body of an essential or important entity approves the cybersecurity measures itself, oversees their implementation, and undergoes demonstrable training. Article 32 gives regulators the instruments to enforce this, up to and including a temporary ban on a manager holding office at essential entities. For you as a director, this is no longer a report from your CISO that you note for the record. It is an act with your name under it.

Why NIS2 addresses the director directly

The European legislator made a choice that earlier directives lacked. NIS1 set requirements for organisations, not for individuals. NIS2 sets them for individuals as well. The recitals to the directive state that a culture of risk management only takes hold when the management body commits to it personally. The legislator translated that recital into two operational articles: Article 20 on governance, and Article 32 on supervision and enforcement. Both run in one direction: they place accountability with named individuals, not with a job title or a department.

For the Dutch implementation, this entered into force on 1 December 2025 through the Cybersecurity Act. The State Inspectorate for Digital Infrastructure (RDI) and sector regulators such as DNB and the AT have been designated to assess compliance. On its website, the NCSC has published a set of documents on what directors must be able to demonstrate in concrete terms. Draw a single line from those documents to the boardroom and it becomes clear that supervision no longer focuses on whether policy exists, but on the evidence that the management body knows that policy, weighs it and steers it.

Who exactly does Article 20 apply to

NIS2 distinguishes two categories. Essential entities are organisations in sectors the directive designates as critical and that exceed a size threshold: energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration and space. Important entities are organisations in a second ring of sectors, including postal services, waste management, chemicals, food, the manufacture of certain goods, digital providers and research. Both categories fall under Article 20. The difference between essential and important lies not in whether the management body is responsible, but in how strict the supervision is and which sanctions are available.

For you as a director, this means three things. First, you know whether your entity is essential or important; if you do not, that is itself a governance shortcoming. Second, you know which entities in the group fall under which category, worked out for each subsidiary. Third, you know which regulator is the point of contact for which entity, because in an incident you do not call a general number.

What Article 20 asks of the management body in concrete terms

The directive names four duties for the management body. They sound bureaucratic, but they lead to very concrete questions that a regulator, or a lawyer acting for an injured party, can ask later.

Approval of the cybersecurity measures. The management body formally approves the coherent package of risk management measures. Not the CISO, not the CIO. The management body. An approval without reasoning is not an approval; it is a signature under a document the management body cannot recount.

Oversight of implementation. The management body follows the delivery on a fixed cadence and keeps a record that demonstrates the oversight takes place. Board minutes that name a cybersecurity agenda item every quarter without a decision attached do not carry that oversight.

Liability for compliance. The directive states that members of the management body can be held liable for breaches arising from a failure to comply with Article 21. This is not a translation of a general company-law principle into cyber; it is a distinct route to liability that the directive creates in its own right.

Training on cybersecurity. Members of the management body undergo regular training so they can assess risks themselves and weigh the quality of the CISO's advice. A member who receives a SOC report and has no idea what question to put to it does not meet this point. The directive asks for training proportionate to the complexity of the entity, not an hour of briefing a year.

These four duties run through every meeting in which cybersecurity is discussed. A regulator conducting a review looks at the minutes, at the papers the management body received, at the questions that were asked and at what the management body decided afterwards. An approval without any trace of deliberation is weaker than a rejection with reasoning.

What can happen to a director personally

Article 32 gives regulators a list of enforcement powers. Most of these are aimed at the entity: instructions, audits, binding directions, administrative fines. For essential entities the directive goes further. In cases of serious and repeated failings, a regulator can temporarily bar a specific manager from continuing to hold a managerial position in that entity. That is not a fine; it is a temporary restriction on practising a profession, with the name of an individual on it. The directive does not make this measure automatically available for important entities, but an important entity that suffers a serious incident can still be held personally to account under the general director liability in Dutch company law. The NIS2 route is an addition to the existing civil-law route, not a replacement.

At entity level, the directive sets maximum fines. For essential entities that is an amount of at least EUR 10 million or 2% of worldwide annual turnover, whichever is higher. For important entities, at least EUR 7 million or 1.5%. The directive prescribes a minimum ceiling to the member states; the Dutch implementation can set those ceilings higher, and in enforcement practice will weigh the nature, duration, repetition and cooperation shown. For you as a director, the exact amount matters less than the mechanism: the amount lands with the entity, and the reputational damage lands with the names in the governance.

A third dimension is fiduciary. NIS2 touches the duty of care of a director under Book 2 of the Dutch Civil Code. If a management body fails to fulfil the duties in Article 20 and an incident with material damage follows, a shareholder or liquidator can hold the individual director to account for mismanagement. In such proceedings the NIS2 directive supplies the test: did the management body approve the risk management measures, was there oversight, was there training. A management body that can point to nothing here is in a weak position.

The reframe: liability as an incentive for real governance

In advisory practice you now hear two reactions to NIS2. The first is a compliance reflex: let us translate the articles into a checklist, a tab in the GRC system and an annual tick-box moment. The second is a defensive reflex: let us model the liability away through D&O insurance and disclaimers in management statements. Both reactions miss the incentive the legislator built in.

Article 20 is not a checklist. It is an invitation to put cybersecurity where, in a well-governed organisation, every material risk already belongs: with the management body that holds the mandate to act on it. The liability route in Article 32 is not a punishment for the unlucky; it is an incentive for those who have not yet put their governance in order to do so. Approach it this way and NIS2 becomes a lever to push through decisions that would be self-evident in sound boards: the CISO's report becomes an agenda item with a decision, director training gets its own budget, and the oversight cadence is given its own rhythm.

A management body that does this loses no time on a paper compliance layer. It builds on the same side of the table as its CISO and gains the position to demonstrate, in an incident, that the organisation knew what it was doing. That is cheaper than the fine and faster than the proceedings.

What you as a director should put on record in the next three months

The Dutch implementation has been in force since December 2025. Enforcement will tighten gradually through 2026. Three actions can be put on record now, without standing up a large programme.

One, record which category each entity in the group falls under and which regulator is the point of contact. Anyone who cannot answer that quickly has a priority here. Two, put the package of cybersecurity measures on a fixed place on the board agenda with a decision attached, not just an explanation. An approval without a decision cannot be found in the minutes, and what is not in the minutes formally did not happen. Three, schedule a training session for the management body that goes beyond a general update. A session with your CISO on the three scenarios that would hit your organisation hardest, with the questions you put to them as a board, meets Article 20(2) more concretely than a generic webinar.

Together, these three actions build the file you will need later when a regulator or a shareholder asks what the management body did. The file is the protection, not the insurance.
