On 15 April 2026, the Dutch House of Representatives voted to adopt the Cyberbeveiligingswet (Cbw) — the Netherlands' transposition of the EU's NIS2 Directive. The bill now moves to the Senate, with the government targeting simultaneous entry into force in Q2 2026. Dutch board members are now on the clock.
They are not alone. Twenty-one of twenty-seven EU member states have transposed NIS2 into national law. In Germany, where the implementation law was published on 5 December 2025, the BSI is actively auditing registration compliance — only around one third of covered entities registered by the 6 March deadline. In Belgium, among the first EU states to fully implement the directive, essential entities face an 18 April deadline to submit self-assessments to the Centre for Cybersecurity Belgium. In France, the ANSSI framework will bring an estimated 10,000 to 15,000 entities into scope, with full enforcement expected from late 2026.
The directive is no longer a future obligation. It is an active regulatory environment — and it names management bodies directly. The governance and digital exposure risks NIS2 targets are part of a wider picture covered in our Corporate Digital Footprint hub.
What Article 20 Requires
Article 20 of Directive (EU) 2022/2555 is the provision that places cybersecurity governance on the boardroom agenda. It requires three things of management bodies in essential and important entities:
Approve the organisation's cybersecurity risk-management measures under Article 21.
Oversee the implementation of those measures.
Be held liable for infringements of these obligations.
Article 20 also introduces a mandatory training requirement. Members of management bodies must undergo cybersecurity training sufficient to "identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity." Entities must also offer equivalent training to employees on a regular basis.
This is not a recommendation. It is a legal obligation with no precedent in NIS1.
What Personal Liability Actually Means
This is where the vendor marketing diverges from the legal text. Many cybersecurity consultancies present NIS2 as directly fining individual board members up to €10 million. That is misleading.
The administrative fines — up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities — apply to the entity, not to natural persons. Personal liability for board members flows through a different mechanism.
Article 32(5)(b) gives national authorities the power to request that courts or tribunals temporarily prohibit any natural person responsible for managerial functions at CEO or legal representative level from exercising those functions. This applies to essential entities only, requires judicial process, and is subject to procedural safeguards.
Beyond this suspension power, the directive delegates the specifics of personal liability to national law. The form it takes varies by jurisdiction:
In Germany, the revised BSI Act makes cybersecurity a board-level issue with explicit management body obligations. The BSI can issue binding orders, conduct on-site audits, and make compliance failures public — creating reputational exposure before any fine is levied.
In the Netherlands, the Cyberbeveiligingswet layers NIS2 obligations onto the existing framework of bestuurdersaansprakelijkheid under Book 2, Article 9 of the Dutch Civil Code — the standard for director liability in cases of mismanagement. Board members will have a maximum of two years from the Cbw's entry into force to complete mandatory cybersecurity training.
In Belgium, the CCB's CyberFundamentals framework requires organisations to submit self-assessments demonstrating active compliance. With over 4,500 organisations already registered and the 18 April deadline for essential entities, Belgium is the jurisdiction most likely to produce early enforcement actions.
In France, ANSSI will serve as the supervisory authority with audit and investigation powers across an estimated 10,000 to 15,000 entities, with full enforcement beginning in late 2026.
The pattern across jurisdictions is consistent: the entity pays the fine, but the board member carries the personal consequences — suspension, civil liability claims from the company or shareholders, reputational damage, and in cases where national criminal law applies, potential criminal liability for gross negligence.
No enforcement action against an individual board member under NIS2 has been publicly reported as of April 2026. That is expected, given that most transpositions completed in late 2025 and enforcement typically follows grace periods. It does not mean the liability framework is theoretical — it means the window to prepare is closing.
The Exposure Blind Spot
Most NIS2 compliance programmes focus on technical measures: incident response, supply chain risk management, encryption, access control. These are the requirements of Article 21, and they are necessary.
But Article 20 requires management bodies to understand cybersecurity risk — not merely to approve a budget for it. And one of the most significant and least addressed risks to any organisation is the personal digital exposure of its leadership.
Board members and senior executives are high-value targets. Their home addresses are listed on data broker sites. Their credentials circulate in breach databases. Their travel patterns, family connections, and professional affiliations are visible through social media and public records. This information is not abstract — it is the raw material for spear-phishing, social engineering, and targeted attacks against the organisation.
When a CFO's personal email and password pair from a 2023 breach is used to access a corporate system, the failure is not in the firewall. When a CEO is impersonated using publicly available photos and voice samples, the failure is not in the endpoint detection software.
Under NIS2, the board is required to understand these risks. A management body that approves cybersecurity measures without knowing what is findable about its own members has not fulfilled its Article 20 obligations. It has signed off on a perimeter defence while the gates are open.
A Corporate Audit maps the personal digital exposure of executives and board members — the attack surface that most compliance programmes miss.
What Boards Should Do Now
Assess your classification. Determine whether your organisation falls under essential or important entity status. The thresholds — broadly, 250+ employees or €50 million+ turnover for large enterprises, 50–249 employees or €10–50 million for medium — determine the severity of your supervisory regime and penalty exposure.
Verify your national timeline. If your jurisdiction has already transposed NIS2, compliance obligations are active now. If you are in the Netherlands, the Eerste Kamer (Senate) vote and Q2 2026 entry into force are imminent — do not wait for the Senate.
Fulfil the training mandate. Article 20 requires management body members to undergo cybersecurity training. This is not a suggestion. Boards that cannot demonstrate training will have an immediate compliance gap when enforcement begins.
Map your executive exposure. Technical cybersecurity measures protect systems. They do not address the personal digital footprint of the people who run the organisation. Data broker listings, credential leaks, and social media exposure create attack vectors that bypass every technical control. Understanding what is findable about your leadership is a governance obligation, not an optional extra.
Document your governance. NIS2 compliance is not only about having measures in place — it is about demonstrating that the management body approved and oversaw those measures. Board minutes, risk assessment records, and training documentation are the evidence that matters when a regulator asks questions.
The NIS2 Directive does not ask boards to become cybersecurity experts. It asks them to take responsibility for understanding the risks their organisations face — including the risks created by their own digital exposure. Twenty-one member states have made this law. The rest are weeks behind, not years.