On 15 April 2026, the Dutch House of Representatives voted the Cyberbeveiligingswet into law — the Netherlands’ transposition of the EU’s NIS2 Directive. The bill now moves to the Senate, with the government targeting simultaneous entry into force in Q2 2026. Dutch board members are now on the clock.
They are not alone. Twenty-one of twenty-seven EU member states have transposed NIS2 into national law. In Germany, where the implementation law was published on 5 December 2025, the BSI is actively auditing registration compliance — only around one third of covered entities registered by the March 6 deadline. In Belgium, among the first EU states to fully implement the directive, essential entities face an April 18 deadline to submit self-assessments to the Centre for Cybersecurity Belgium. In France, the ANSSI framework will bring an estimated 10,000 to 15,000 entities into scope, with full enforcement expected from late 2026.
The directive is no longer a future obligation. It is an active regulatory environment — and it names management bodies directly. The governance and digital exposure risks NIS2 targets are part of a wider picture covered in our Corporate Digital Footprint hub.
What Article 20 Requires
Article 20 of Directive (EU) 2022/2555 is the provision that places cybersecurity governance on the boardroom agenda. It requires three things of management bodies in essential and important entities:
Approve the organisation’s cybersecurity risk-management measures under Article 21.
Oversee the implementation of those measures.
Be held liable for infringements of these obligations.
Article 20 also introduces a mandatory training requirement. Members of management bodies must undergo cybersecurity training sufficient to “identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” Entities must also offer equivalent training to employees on a regular basis.
Board members looking for a structured starting point on their own exposure surface can work through our Executive Exposure Checklist — ten reconnaissance categories with per-row weighting.
This is not a recommendation. It is a legal obligation with no precedent in NIS1.
What Personal Liability Actually Means
This is where the vendor marketing diverges from the legal text. Many cybersecurity consultancies present NIS2 as directly fining individual board members up to €10 million. That is misleading.
The administrative fines — up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities — apply to the entity, not to natural persons. Personal liability for board members flows through a different mechanism.
Article 32(5)(b) gives national authorities the power to request that courts or tribunals temporarily prohibit any natural person responsible for managerial functions at CEO or legal representative level from exercising those functions. This applies to essential entities only, requires judicial process, and is subject to procedural safeguards.
Beyond this suspension power, the directive delegates the specifics of personal liability to national law. The form it takes varies by jurisdiction:
In Germany, the revised BSI Act makes cybersecurity a board-level issue with explicit management body obligations. The BSI can issue binding orders, conduct on-site audits, and make compliance failures public — creating reputational exposure before any fine is levied.
In the Netherlands, the Cyberbeveiligingswet layers NIS2 obligations onto the existing framework of bestuurdersaansprakelijkheid under Book 2, Article 9 of the Dutch Civil Code — the standard for director liability in cases of mismanagement. Board members will have a maximum of two years from the Cbw’s entry into force to complete mandatory cybersecurity training.
In Belgium, the CCB’s CyberFundamentals framework requires organisations to submit self-assessments demonstrating active compliance. With over 4,500 organisations already registered and the April 18 deadline for essential entities, Belgium is the jurisdiction most likely to produce early enforcement actions.
In France, ANSSI will serve as the supervisory authority with audit and investigation powers across an estimated 10,000 to 15,000 entities, with full enforcement beginning in late 2026.
In Italy, the transposition arrived early. Decreto Legislativo 138/2024, published in the Gazzetta Ufficiale on 1 October 2024 and in force from 16 October 2024, designates the Agenzia per la Cybersicurezza Nazionale (ACN) as the national competent authority. In-scope entities had until 28 February 2025 to register through the ACN platform. The decree leaves audit cadence open, empowering the ACN to impose audits on essential and important entities at its discretion rather than on a fixed cycle. For management bodies, the Italian framework folds into the country’s existing corporate-liability regime under D.Lgs 231/2001, where failure to oversee risk-management measures can compound entity-level administrative liability with civil-law claims against directors.
Spain is the contrasting case. The Draft Law on Cybersecurity Coordination and Governance — Spain’s NIS2 transposition vehicle — was approved by the Council of Ministers on 14 January 2025 and is still in parliamentary processing as of late 2025. The European Commission issued Spain a reasoned opinion on 7 May 2025 for failure to notify full transposition, the procedural step that precedes formal infringement proceedings. Pending enactment, supervisory responsibility sits across multiple ministries by sector, with the National Cryptologic Centre (CCN) and the Instituto Nacional de Ciberseguridad (INCIBE) operating as the principal technical bodies and INCIBE-CERT acting as reference CSIRT for private-sector entities. For Spanish directors, the position until the law completes its passage is that the Article 20 obligations apply through the directive’s direct effect on member states, while the specific personal-liability mechanism will firm up only when the implementing statute clears the Cortes.
The pattern across jurisdictions is consistent: the entity pays the fine, but the board member carries the personal consequences — suspension, civil liability claims from the company or shareholders, reputational damage, and in cases where national criminal law applies, potential criminal liability for gross negligence.
No enforcement action against an individual board member under NIS2 has been publicly reported as of May 2026. That is expected, given that most transpositions completed in late 2025 and enforcement typically follows grace periods. It does not mean the liability framework is theoretical — it means the window to prepare is closing.
The Exposure Blind Spot
Most NIS2 compliance programmes focus on technical measures: incident response, supply chain risk management, encryption, access control. These are the requirements of Article 21, and they are necessary.
But Article 20 requires management bodies to understand cybersecurity risk — not merely to approve a budget for it. And one of the most significant and least addressed risks to any organisation is the personal digital exposure of its leadership.
Board members and senior executives are high-value targets. Their home addresses are listed on data broker sites. Their credentials circulate in breach databases. Their travel patterns, family connections, and professional affiliations are visible through social media and public records. This information is not abstract — it is the raw material for spear-phishing, social engineering, and targeted attacks against the organisation.
When a CFO’s personal email and password pair from a 2023 breach is used to access a corporate system, the failure is not in the firewall. When a CEO is impersonated using publicly available photos and voice samples, the failure is not in the endpoint detection software.
Under NIS2, the board is required to understand these risks. A management body that approves cybersecurity measures without knowing what is findable about its own members has not fulfilled its Article 20 obligations. It has signed off on a perimeter defence while the gates are open.
A Corporate Audit maps the personal digital exposure of executives and board members — the attack surface that most compliance programmes miss.
What Boards Should Do Now
Assess your classification. Determine whether your organisation falls under essential or important entity status. The thresholds — broadly, 250+ employees or €50 million+ turnover for large enterprises, 50–249 employees or €10–50 million for medium — determine the severity of your supervisory regime and penalty exposure.
Verify your national timeline. If your jurisdiction has already transposed NIS2, compliance obligations are active now. If you are in the Netherlands, the Eerste Kamer vote and Q2 2026 entry into force are imminent — do not wait for the Senate.
Fulfil the training mandate. Article 20 requires management body members to undergo cybersecurity training. This is not a suggestion. Boards that cannot demonstrate training will have an immediate compliance gap when enforcement begins.
Map your executive exposure. Technical cybersecurity measures protect systems. They do not address the personal digital footprint of the people who run the organisation. People-search profiles and data broker records, credential leaks, and social media exposure create attack vectors that bypass every technical control. Understanding what is findable about your leadership is a governance obligation, not an optional extra. PI Solutions runs that mapping as the OSINT layer of a NIS2 readiness programme — see our NIS2 compliance mapping page for what a scoped exposure assessment covers.
Document your governance. NIS2 compliance is not only about having measures in place — it is about demonstrating that the management body approved and oversaw those measures. Board minutes, risk assessment records, and training documentation are the evidence that matters when a regulator asks questions. The operational shape of that documentation — what a defensible quarterly board pack looks like, how reporting cadence shifts in incident mode under Article 23 — is in our sister piece on cybersecurity board reporting under NIS2.
The NIS2 Directive does not ask boards to become cybersecurity experts. It asks them to take responsibility for understanding the risks their organisations face — including the risks created by their own digital exposure. Twenty-one member states have made this law. The rest are weeks behind, not years.