Governance·20 April 2026·6 min read

NIS2 for the board: management accountability under Article 20

NIS2 makes cybersecurity a boardroom responsibility. Here's what Article 20 actually asks of directors, and what 'evidence' means at that level.

What Article 20 requires

NIS2 Article 20 puts cyber-risk governance squarely on the management body. Leadership must approve the organisation's cybersecurity risk-management measures, oversee their implementation, and can be held accountable for failures. It explicitly pulls cybersecurity out of the IT basement and into the boardroom.

Three duties for directors

  • Approve: sign off on the risk-management approach and the measures under Article 21.
  • Oversee: monitor that the measures are actually implemented and effective, not just documented.
  • Learn: members of management bodies must follow cybersecurity training, and are encouraged to extend similar training to staff.

Personal liability is real

NIS2 allows Member States to hold management personally accountable for breaches of their duties. For essential entities, regulators can even temporarily suspend individuals from management functions for persistent non-compliance. This is what's driving boards to ask for defensible, current evidence.

What good board evidence looks like

A slide that says 'we are compliant' isn't evidence. What stands up is a current, audit-grade artefact that shows which measures are in place, how effective they are, what incidents occurred and how they were handled, and that is refreshed regularly rather than once a year.

Alexus produces exactly that: an Executive Accountability Pack a board can hand a regulator or D&O insurer to demonstrate Article 20 due diligence. This article is general guidance, not legal advice.

Make NIS2 evidence a query, not a project

Alexus turns the IT operations you already run into continuous Article 21 readiness, ready-to-file Article 23 reports and a hash-chained audit trail.