Governance, Management Accountability, and Sanctions

1. From NIS to NIS2: Why Governance and Sanctions Became Central

NIS2 (Directive (EU) 2022/2555), which entered into force in January 2023 and must be transposed by Member States by 18 October 2024 (now about a year ago relative to today), radically strengthens governance and accountability compared with the original NIS Directive (2016).

Under the original NIS, many organisations treated cybersecurity as a purely technical or IT issue. Enforcement was often weak and inconsistent across Member States. NIS2 responds to this by:

• Explicitly assigning board-level responsibility for cybersecurity risk management.
• Making management training a legal requirement.
• Introducing stronger, harmonised sanctions, including high administrative fines and personal consequences for managers.

Key high-level shifts:

1. From IT problem → governance problem

Cybersecurity is now framed as part of corporate governance and risk oversight, similar to financial reporting or anti‑money‑laundering.

1. From vague duties → concrete management obligations

NIS2 Articles 20–21 specify that the management body must approve risk-management measures, oversee implementation, and undergo training.

1. From patchy enforcement → EU‑wide minimum sanctions

NIS2 Article 34 requires Member States to adopt effective, proportionate and dissuasive penalties, including turnover‑based fines for essential and important entities.

In this module, you will zoom in on:

• What exactly NIS2 expects from top management and boards.
• How training and oversight must be organised.
• The sanctions toolbox: fines, orders, suspensions, and public naming.
• When and how personal liability can arise for managers.

Keep in mind: NIS2 is a minimum harmonisation directive. Member States can go further (e.g., higher fines, broader personal liability). Always check the national transposition law for precise obligations in a given country.

2. Who Is the "Management Body" Under NIS2?

NIS2 uses the term “management body” rather than simply “board.” This is important for understanding who is accountable.

Legal concept (Article 6(7) NIS2)

The management body is:

> "a body or bodies of an entity, appointed in accordance with national law, which is empowered to set the entity’s strategy, objectives and overall direction, and which oversees and monitors management decision-making."

In practice, depending on the legal form and national company law, this may include:

• Board of directors (one‑tier system).
• Supervisory board and management board (two‑tier system).
• Managing partners in partnerships.
• Senior executive committee that effectively sets strategy.

Why this matters

1. Allocation of responsibility

NIS2 places obligations on the entity, but explicitly says that members of the management body can be held liable for breaches of their duties (Article 20(5)).

1. Scope across sectors

The management body concept applies to all essential and important entities under NIS2 (e.g., energy, health, digital infrastructure, cloud providers, managed service providers, public administration, and more), regardless of whether they are public or private.

1. No hiding behind outsourcing

Using a managed security service provider or cloud provider does not transfer the legal responsibility of the management body to ensure adequate risk management and compliance.

When analysing a real organisation, always ask: Who, under national law, is the body that sets strategy and oversees management? Those individuals are the ones NIS2 is targeting with its governance and accountability provisions.

3. Core Management Duties: Approval, Oversight, and Culture

NIS2 Articles 20 and 21 translate the general idea of “management accountability” into concrete duties. For an exam or professional practice, it helps to structure them into three clusters:

---

1. Approval duties

The management body must approve:

• The organisation’s cybersecurity risk-management measures (Article 20(1)), which operationalise Article 21 (e.g., policies on incident handling, supply-chain security, encryption, multi‑factor authentication, backup, etc.).
• The information security strategy or comparable documents that show how NIS2 measures are implemented.

Implication: Board minutes and governance documents should evidence formal approval of security strategies and budgets.

---

2. Oversight and monitoring duties

Management must oversee implementation of risk-management measures (Article 20(1)). In practice, this includes:

• Requiring regular reporting from the CISO/IT/security function (e.g., quarterly risk dashboards, incident statistics, audit findings).
• Challenging management on risk acceptance decisions (e.g., not patching legacy systems) and documenting the rationale.
• Ensuring internal control functions (audit, risk, compliance) cover NIS2‑related controls.
• Monitoring incident reporting performance (timely notifications to CSIRTs/competent authorities under NIS2 reporting rules).

---

3. Culture and resources

Although not worded as “culture,” NIS2 implies that management must:

• Allocate adequate resources (budget, staff, tooling) to implement Article 21 measures.
• Integrate cybersecurity into enterprise risk management and business continuity.
• Support training and awareness at all levels, not just at the top.

Exam‑style insight: A management body that formally approves a security policy but:

• never receives reports,
• never questions security decisions,
• and systematically underfunds cybersecurity

is at high risk of being seen as failing its NIS2 oversight duties, even if some technical measures exist.

4. Case Study: Board Oversight in a Ransomware Scenario

Consider MediCloud EU, an important entity under NIS2 that provides cloud‑based patient record services to hospitals in several Member States.

Scenario

In 2026, MediCloud suffers a major ransomware attack:

• Several hospital clients lose access to patient records for 48 hours.
• Incident notification to the national CSIRT is late and incomplete.
• Forensic analysis shows that:
• Multi‑factor authentication was not enforced for remote admin access.
• Backups existed, but no restore test had been done for over a year.
• A critical vulnerability remained unpatched for months.

Governance findings

The supervisory authority investigates and discovers:

1. The board approved a high‑level security policy three years earlier, but:

• It was never updated.
• No periodic reporting on security posture was requested.

1. The CISO had repeatedly requested:

• Budget for MFA licensing.
• Time for backup restore testing.
• Additional staff for patch management.

These requests were deferred for cost reasons without documented risk analysis.

1. The board had no regular cybersecurity agenda item, and most board members had no cybersecurity training.

NIS2 assessment

Regulators may conclude that:

• Article 21 risk-management obligations were not effectively implemented (e.g., access control, incident handling, backup, and recovery).
• Article 20(1) oversight obligations were breached: the management body did not adequately supervise implementation or ensure resources.
• Article 20(2) on management training was not complied with.

Consequences could include:

• Administrative fines (turnover‑based, see later steps) on MediCloud.
• Binding instructions to implement MFA, test backups, and strengthen governance.
• Potential temporary ban for certain managers from exercising managerial functions (depending on national law transposition of Article 32(5)).

Use this case to map technical failings (no MFA, no backup tests) to governance failings (no oversight, no training, no resources). Under NIS2, regulators will focus heavily on what the management body knew, asked, and decided.

5. Mandatory Management Training Under NIS2

NIS2 explicitly requires cybersecurity training for the management body.

Legal basis

• Article 20(2): Members of the management body must follow training to gain sufficient knowledge and skills to identify cybersecurity risks and assess risk-management practices.
• Article 20(3): Entities must offer similar training to employees on a regular basis.

What does “sufficient knowledge and skills” mean in practice?

NIS2 does not prescribe a specific curriculum, but regulators and guidance (e.g., from ENISA and national authorities) typically expect management training to cover at least:

1. NIS2 obligations relevant to the entity (risk management, incident reporting, supply‑chain security, business continuity, encryption, etc.).
2. Sector‑specific threat landscape (e.g., ransomware in healthcare, DDoS against telecoms, supply‑chain attacks on MSPs).
3. Risk‑based decision‑making: understanding risk appetite, impact vs. likelihood, and how to evaluate security investment proposals.
4. Incident response governance: roles, escalation paths, communication with authorities and stakeholders.
5. Accountability and liability: how management decisions and omissions can trigger sanctions.

Governance best practices

To demonstrate compliance:

• Maintain a training policy for the management body (frequency, content, providers).
• Keep training records (attendance, agendas, materials) for each board member.
• Integrate cybersecurity into onboarding for new directors.
• Periodically evaluate training effectiveness, e.g., via short assessments or tabletop exercises.

Edge case: A highly technical CISO sits on the board, but other board members skip training. This does not satisfy Article 20(2). The requirement applies to all members of the management body, not just one expert.

6. Design a Board Cybersecurity Training Plan (Thought Exercise)

Imagine you are the Chief Risk Officer of an essential entity (e.g., an electricity transmission operator) in an EU country that has fully transposed NIS2.

Your task: Outline a 12‑month cybersecurity training plan for the management body that would plausibly satisfy Article 20(2).

Write down answers to these prompts (or discuss them in class):

1. Learning objectives

• What measurable competencies should board members have after 12 months?

(e.g., “can interpret a risk heat map,” “can challenge management on patching delays,” “can explain when an incident must be notified under NIS2”).

1. Training components

Propose at least four distinct elements, for example:

• Annual half‑day workshop on NIS2 obligations and sector threats.
• Quarterly 30‑minute board briefing on key cyber risks and incidents.
• Tabletop exercise simulating a large cyber incident and regulatory investigation.
• Access to self‑paced e‑learning or curated reading list.

1. Assessment and evidence

• How will you test whether board members actually understand the material (e.g., short quizzes, debrief interviews)?
• How will you document participation and outcomes for regulators (e.g., minutes, attendance lists, certificates)?

1. Integration with governance

• How will training outcomes feed into board decision‑making (e.g., revising risk appetite, approving new investments)?
• How will you handle non‑participation (e.g., a director who repeatedly skips training)?

After you draft your plan, stress‑test it:

• Would this look convincing to a supervisory authority after a major incident?
• Where are the weak spots that might still suggest a “paper compliance” culture?

7. The NIS2 Enforcement Toolbox: Beyond Fines

NIS2 significantly expands the enforcement powers of competent authorities. While fines get the headlines, non‑monetary measures can be just as disruptive.

Core enforcement powers (Articles 31–32)

Authorities must have powers to:

1. Supervise and investigate (Article 31):

• Conduct on‑site inspections and off‑site supervision.
• Request information and documentation (policies, risk assessments, incident logs, audit reports).
• Perform or order security audits and vulnerability assessments.

1. Issue binding instructions (Article 32(4)):

• Order the entity to remedy deficiencies within a set deadline.
• Require adoption of specific technical and organisational measures (e.g., enabling MFA, segmenting networks, improving backup strategy).
• Demand implementation of recommendations from audits or incident investigations.

1. Restrict or suspend activities (Article 32(5)):

• Temporarily prohibit the use of insecure ICT products or services.
• Order the suspension of a service that creates an immediate security risk.

1. Personal measures against managers (Article 32(5)(e)):

• Request that the entity publicly disclose information about the violation.
• In serious cases, impose a temporary ban on individuals exercising managerial functions (subject to national law).

Proportionality and risk‑based approach

Authorities must apply measures that are:

• Effective: actually improve security and compliance.
• Proportionate: calibrated to the severity, duration, and impact of the infringement.
• Dissuasive: strong enough to deter future non‑compliance.

They will consider, among other factors:

• The nature and gravity of the breach (e.g., critical infrastructure vs. small digital provider).
• Whether it was intentional or negligent.
• Any mitigating actions taken (e.g., prompt incident reporting, cooperation, remediation).

Key point: Under NIS2, a serious and persistent failure of the management body to implement and oversee security measures can lead not only to fines but also to direct interference with the entity’s operations and, potentially, the careers of individual managers.

8. Administrative Fines: Levels, Criteria, and Edge Cases

NIS2 introduces harmonised maximum levels for administrative fines, while leaving room for Member States to set detailed rules.

Maximum fine levels (Article 34)

For essential entities:

• Up to €10 million or
• Up to 2% of total worldwide annual turnover (whichever is higher).

For important entities:

• Up to €7 million or
• Up to 1.4% of total worldwide annual turnover (whichever is higher).

Member States may adopt higher maximum levels in national law.

Key criteria for calculating fines

Authorities will typically consider:

• Nature, gravity, and duration of the infringement (e.g., single incident vs. systemic failure over years).
• Intentional or negligent character of the infringement.
• Mitigating actions, such as:
• Early detection and rapid containment.
• Timely and complete incident reporting.
• Cooperation with the authority and CSIRTs.
• Voluntary remediation beyond minimum requirements.
• Previous infringements (recidivism).
• Degree of responsibility of the management body.

Edge cases and complex scenarios

1. Group structures

For a multinational group, turnover is usually assessed at the level of the legal entity subject to NIS2. But some Member States may take a broader view (e.g., group turnover) depending on competition and data‑protection law analogies. Always check national guidance.

1. Parallel regimes (NIS2 + GDPR)

A security incident that affects personal data can trigger both NIS2 and GDPR obligations. Entities might face two separate investigations and fines (one from the data‑protection authority, one from the NIS2 competent authority) unless national law coordinates them.

1. Small but critical providers

A small company that runs a highly critical service (e.g., a niche industrial control system for power plants) may face significant fines relative to its size because of the high systemic risk.

Remember: the threat of high fines is meant to change behaviour at the governance level, not just to punish after the fact. Demonstrable good‑faith efforts and documented decision‑making by the management body can significantly influence the outcome.

9. Quick Check: Fines and Enforcement

Test your understanding of NIS2’s sanctions regime.

10. Personal Liability and Remediation Obligations

NIS2 does not create a uniform EU‑wide personal fine schedule for managers, but it links organisational breaches to potential personal consequences under national law.

Personal responsibility (Article 20(5))

Article 20(5) states that members of the management body can be held liable for breaches of their duties to ensure compliance with NIS2. How this is enforced depends on national company, civil, and administrative law, but may include:

• Civil liability: shareholders or the entity itself suing directors for breach of duty of care (e.g., approving obviously inadequate security budgets despite known risks).
• Administrative measures: temporary bans from exercising managerial functions (see Article 32(5)(e)) where national law allows.
• Reputational sanctions: publication of decisions that explicitly name responsible managers.

Remediation obligations

Beyond paying fines, entities must typically:

• Implement corrective action plans mandated by the authority.
• Update risk assessments, policies, and technical measures.
• Strengthen incident response and reporting processes.
• Provide additional training to staff and management.

Failure to remediate can lead to:

• Escalating sanctions, including higher fines or suspension of services.
• A finding of aggravating circumstances in future incidents.

Practical board‑level implications

To reduce personal and organisational risk, management bodies should:

1. Ensure that NIS2 compliance is integrated into corporate governance (board committees, risk reports, audit plans).
2. Maintain detailed records of:

• Risk assessments and security investment decisions.
• Discussions and decisions regarding known vulnerabilities and incidents.
• Training and awareness activities.

1. Periodically commission independent reviews (internal or external audit) of NIS2 compliance.

In a post‑incident investigation, regulators and courts will ask: What did management know, when did they know it, and what did they do about it? Clear, contemporaneous documentation can be decisive.

11. Board Minutes Under the Microscope (Thought Exercise)

Assume you are a regulator reviewing an entity’s board minutes after a serious NIS2‑relevant incident.

You have two sets of minutes from the year before the incident:

---

Version A (weak governance)

• "The board noted the IT security update. No questions were raised. Budget as proposed was approved."

Version B (stronger governance)

• "The CISO presented the quarterly cyber risk report, highlighting:
• Increasing ransomware attempts.
• Critical vulnerabilities in legacy systems.
• Delayed MFA rollout due to budget constraints.

Board discussion:

• Director X questioned the risk of delaying MFA and requested a quantified risk assessment.
• Director Y asked whether backup restore tests covered the most critical systems.
• The board decided to prioritise MFA funding and instructed management to present a remediation roadmap within one month.
• The risk committee will monitor execution and report at the next meeting."

---

Your tasks:

1. Compare the two versions from the perspective of NIS2 Articles 20–21.

• Which version better evidences approval and oversight? Why?

1. Identify at least three elements in Version B that would be helpful evidence for management if regulators were assessing potential liability.

1. Improve Version B further by adding one or two additional points that would strengthen the demonstration of:

• Management training and understanding.
• A culture of continuous improvement in cybersecurity.

Reflect on how seemingly mundane corporate documentation can become critical evidence in NIS2 enforcement.

12. Key Terms Review: Governance, Accountability, and Sanctions

Flip the cards to review core NIS2 governance and sanctions concepts.