Source: OJ L 333, 27.12.2022, p. 80–152
Article 20 Governance
Summary: What does Article 20 of the NIS 2 directive say?
This article places accountability for cybersecurity risk management squarely at the top of the organisation.
It establishes that the management bodies of essential and important entities must approve, and oversee the implementation of, the cybersecurity risk-management measures required under Article 21 — and can be held personally liable for infringements.
Beyond accountability, the article also introduces a training obligation, requiring management body members to undergo cybersecurity training, with entities encouraged to extend similar training to employees.
Important points:
- Ensure your management body approves and oversees the cybersecurity risk-management measures required under Article 21, as they can be held liable for infringements.
- Members of the management body are required to follow cybersecurity training to develop sufficient knowledge to identify risks and assess risk-management practices.
- Member States are required to encourage essential and important entities to offer regular cybersecurity training to their employees as well.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.
The application of this paragraph shall be without prejudice to national law as regards the liability rules applicable to public institutions, as well as the liability of public servants and elected or appointed officials.
Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.
Relevant recitals
Recital 83 Responsibility regardless of outsourcing
Essential and important entities should ensure the security of the network and information systems which they use in their activities. Those systems are primarily private network and information systems managed by the essential and important entities’ internal IT staff or the security of which has been outsourced. The cybersecurity risk-management measures and reporting obligations laid down in this Directive should apply to the relevant essential and important entities regardless of whether those entities maintain their network and information systems internally or outsource the maintenance thereof.
Recital 89 Basic cyber hygiene practices
Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as zero-trust principles, software updates, device configuration, network segmentation, identity and access management or user awareness, organise training for their staff and raise awareness concerning cyber threats, phishing or social engineering techniques. Furthermore, those entities should evaluate their own cybersecurity capabilities and, where appropriate, pursue the integration of cybersecurity enhancing technologies, such as artificial intelligence or machine-learning systems to enhance their capabilities and the security of network and information systems.
Springlex: this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition: network and information system
- (a) an electronic communications network as defined in Article 2, point (1), of Directive (EU) 2018/1972;
- (b) any device or group of interconnected or related devices, one or more of which, pursuant to a programme, carry out automatic processing of digital data; or
- (c) digital data stored, processed, retrieved or transmitted by elements covered under points (a) and (b) for the purposes of their operation, use, protection and maintenance;