NIS2 Guide · 7 min

NIS2 and management responsibility: what boards and leadership must know

NIS2 does something earlier cybersecurity rules mostly didn't: it puts cybersecurity on the management body's desk, by name. Leadership has to approve the risk-management measures, oversee them, and can be held personally liable when they fail. This guide sets out what the directive expects of boards and executives, the questions worth putting to your security team, what good reporting actually looks like, and the price of getting it wrong.

Key takeaways

  • Management bodies must approve and oversee the cybersecurity risk-management measures, and can be held liable when they fail (Art. 20).
  • Leadership has to take cybersecurity training; the duty can't be fully handed off to IT.
  • Penalties reach €10M or 2% of global turnover for essential entities, €7M or 1.4% for important ones (Art. 34).
  • Boards should expect short, evidence-based reporting (coverage, remediation speed and open risk), not a once-a-year reassurance.

Leadership is named, and on the hook

Under Article 20, the management body of an essential or important entity must approve the entity's cybersecurity risk-management measures and oversee how they're implemented. This isn't a formality you can delegate away: the directive makes leadership answerable for the measures actually being in place and actually working.

And members of the management body can be held liable for the entity's breaches. That accountability is written into the directive itself; exactly how it bites depends on national transposition. Cybersecurity is a governance question, then, not only an IT one. It belongs on the board agenda next to financial and legal risk, not in a quarterly slide nobody reads.

The four duties of a management body

In practice the directive's governance expectations come down to four things leadership has to do:

  • Approve the measures: sign off on the risk-management measures (the Art. 21 baseline), with enough understanding to know what you're actually approving.
  • Oversee implementation: make sure the measures are genuinely deployed and stay effective over time, with regular reporting back to the board.
  • Take training: members must follow cybersecurity training so they can recognise risk and judge whether the measures are adequate (Art. 20(2)); similar training should reach staff.
  • Be accountable: own the outcome. Liability for failures sits with the management body, and supervisory authorities can act against leadership directly.

Questions to ask your security team

You don't need to be a security engineer to exercise oversight. A board discharges much of its duty simply by asking the right questions and expecting answers backed by evidence:

  • Are we in scope as an essential or important entity, and which of our customers are, pulling obligations onto us through their contracts?
  • Do we have the Article 21 measures in place, and when did this body last review and approve them?
  • Could we meet the 24-hour and 72-hour reporting deadlines if an incident (including one at a supplier) hit our services?
  • How do we manage supplier and third-party cyber risk, and how would we prove it in a supervisory audit?
  • What are our top open risks right now, who owns the fix, and by when?

What good board reporting looks like

Oversight needs signal, not a sixty-page appendix. A useful NIS2 line to the board is short, comparable over time, and built on evidence:

Coverage

What share of in-scope suppliers and assets is actually monitored: the gaps are where the surprises come from.

Remediation speed

Mean time to resolve critical and high findings: the trend tells you more than any single figure.

Open risk

Current critical and high findings, plus the documented, accepted ones: NIS2 expects managed risk, not a clean sheet.

Incident readiness

Can the reporting timelines be met, and have they been rehearsed, including for an incident that starts at a supplier?

The cost of getting it wrong, and right

Penalties under Article 34 reach up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% for important ones. Supervisory authorities can also issue binding instructions, order an incident to be made public, and (for essential entities) temporarily suspend management functions. For leadership, the reputational and personal-liability exposure can outweigh the fine itself.

Done well, it's often less about new spend than about pointing existing controls in the right direction: the Article 21 measures overlap heavily with what many organisations already run (ISO 27001, business continuity, access control). What NIS2 really forces is the shift from point-in-time assurance to continuous, evidence-based management, which is also what turns oversight reporting into something genuinely informative rather than a ritual.

Source: Directive (EU) 2022/2555 (NIS2), Articles 20 and 34 — consult your national transposition law for the exact liability and training provisions in your country.

How norppa.io helps

norppa.io turns supplier and third-party cyber risk into the kind of evidence a board can actually use: a clear risk score per supplier, findings mapped to the NIS2 articles they answer to, and a monthly report written for leadership rather than engineers.

Coverage, remediation history and open risk are visible at a glance, with the full audit trail ready to export, so management can show active oversight, and the same evidence answers a supervisory authority's questions when they come.

Give your board evidence, not assertions

See the executive supplier report (risk score, NIS2 mapping and evidence) in about two minutes.

Last reviewed: 19 June 2026

This guide is general information about EU law, not legal advice. NIS2 takes effect through each EU Member State's national transposition law, which can differ in detail. Verify the obligations that apply to you with your competent authority or legal counsel.
