Operational Trust

FN-004 · May 2026 · 6 min read

Board liability under NIS2: ignorance is no longer a defence

NIS2 · Governance

For years, cybersecurity was treated as a delegated technical problem — a domain owned exclusively by the IT department. The NIS2 Directive fundamentally changes this. Under the new framework, cybersecurity is classified as a core enterprise risk, and the legal burden of operational resilience is placed directly on the management body.

The reality of Article 20

Under Article 20 of NIS2, the management bodies of both essential and important entities must approve the cybersecurity risk-management measures their organisation takes under Article 21, oversee their implementation, and follow regular cybersecurity training. The directive states that members of the management body can be held liable for infringements of those obligations; the precise form that liability takes, including whether it attaches to the individual, is set by each member state's transposing law.

This is not a theoretical warning. For essential entities, Article 32 allows a competent authority, where other enforcement measures have not produced compliance within the deadline set, to request that the person discharging managerial responsibilities at chief executive or legal representative level be temporarily prohibited from exercising managerial functions in that entity. The regulatory intent is clear: ignorance of cyber risk is no longer a legally defensible position for a director.

What this means for SME directors

For an SME director, this does not mean you must become a technical expert capable of configuring firewalls. It means you must actively exercise and document your governance.

If your organisation suffers a significant incident, regulators and enterprise clients will not only ask what technical controls failed. They will ask three specific questions: what risk-management measures did the board approve? How did you verify they were actually operating? What evidence do you have that the response met the regulatory standard? On the last point, Article 23 sets the clock: an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month. A board that cannot show when the organisation became aware and when each notification went out has no answer to the third question.

You must convert top-level accountability into a readable, auditable stream of operational evidence.

Three steps to demonstrate oversight

To build a defensible posture against Article 20 liability, SME directors should take these three immediate steps.

1. Formally approve your risk measures

Do not leave security policies as informal IT documents. Your core documentation, at minimum the Information Security Policy (risk analysis and information-system security, Article 21(2)(a)) and the Incident Response Plan (incident handling, Article 21(2)(b)), should be formally reviewed, minuted and approved by the management body at least annually and again after any significant incident. The minute is the evidence: a signature on a document that was never discussed at a meeting shows approval but not oversight.

2. Complete and log executive training

Article 20(2) requires members of the management body to follow training that gives them sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices and their impact on the services the entity provides. The directive does not name a particular course or certification, so choose a course pitched at board level rather than at technical staff, and retain dated attendance and completion records for each individual as evidence. The same article asks entities to encourage comparable training for their employees on a regular basis.

3. Establish a metric-driven reporting cadence

Move away from receiving IT updates only when something breaks. Require your IT lead or managed service provider to present a standardised security performance report at regular management meetings. Focus the board's attention on a small set of objective metrics agreed in advance and tracked over time: time to detect and time to contain incidents, the share of critical and high-severity patches applied within the agreed window, the date and outcome of the most recent backup restore test (a backup job that completed is not evidence that a restore works), and the status of open findings from the previous report. A report that presents the same metrics meeting after meeting, with the board's questions and decisions minuted, is what continuous, active oversight looks like on paper.

Regulatory note: this is a plain-language overview, not legal advice. NIS2 obligations vary by sector, member state, and entity classification. Consult your legal adviser for definitive guidance.

Operational Trust · Lead Reviewer · May 2026



Independent operational resilience and supplier-readiness reviews for small and medium enterprises.

© 2026 Operational Trust · Company no. [registered] · Ireland