Article 20: Governance
The Article 20 governance requirement means your management body must formally approve the cybersecurity risk-management measures your organization uses to meet Article 21, actively oversee their implementation, and be prepared to be held liable for failures. Operationalize this by putting board-level approval, an oversight cadence, and decision evidence around your NIS 2 cybersecurity controls. (Directive (EU) 2022/2555, Article 20)
Key takeaways:
- Get management body approval of the Article 21 control set, not just “a security policy.” (Directive (EU) 2022/2555, Article 20)
- Evidence wins exams: minutes, resolutions, dashboards, risk acceptance records, and remediation tracking tied to owners. (Directive (EU) 2022/2555, Article 20)
- Treat governance as a control: defined roles, recurring oversight, and documented accountability for third-party and incident readiness. (Directive (EU) 2022/2555, Article 20)
Article 20 is short, but it changes how you run cybersecurity under NIS 2. It requires management bodies of essential and important entities to approve the cybersecurity risk-management measures taken to comply with Article 21, oversee implementation, and face liability exposure if the entity infringes Article 21. (Directive (EU) 2022/2555, Article 20)
For a Compliance Officer, CCO, or GRC lead, this is a governance engineering problem. You need to connect (1) a concrete “Article 21 measures” package, (2) a management body approval mechanism that is formal and repeatable, and (3) an oversight system that produces defensible evidence without turning every meeting into a security deep-dive.
This page is written to help you move fast: identify who counts as the “management body” in your structure, define what they must approve, set a review cadence that stands up to supervisory scrutiny, and produce an audit-ready evidence trail. You will also see common hangups: delegating everything to the CISO without board proof, approving policies without implementation metrics, and losing traceability across jurisdictions and critical third parties.
Regulatory text
Excerpt (verbatim): “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.” (Directive (EU) 2022/2555, Article 20)
Operator interpretation (what you must do):
- Define the “cybersecurity risk-management measures” that satisfy Article 21 for your environment (your control set, governance processes, and operational capabilities).
- Put those measures in front of the management body for approval in a form they can reasonably understand and decide on (scope, key risks, costs/constraints, residual risk).
- Run ongoing oversight: management body receives reporting, challenges gaps, and records decisions (including risk acceptance and prioritization).
- Plan for accountability: governance cannot be symbolic. Your evidence needs to show management body involvement that is substantive enough to stand behind the liability the Article creates. (Directive (EU) 2022/2555, Article 20)
Plain-English requirement interpretation
Article 20 requires you to make cybersecurity a management body responsibility with proof. You are not being asked to prove that the board writes firewall rules. You are being asked to prove that the management body:
- Approved the organization’s Article 21-aligned cybersecurity risk-management measures.
- Oversees implementation with enough regularity and specificity to catch major gaps.
- Owns accountability for failures to meet Article 21 obligations. (Directive (EU) 2022/2555, Article 20)
A practical test: if a supervisor asks “Show me where management approved your NIS 2 cybersecurity measures and how they monitored execution,” can you answer in one meeting with minutes, a pack, and a dashboard?
Who it applies to (entity + operational context)
In scope entities: “essential and important entities” under NIS 2, as applicable in the Member States where you operate. (Directive (EU) 2022/2555, Article 20)
In scope governance actors: the “management body” as defined by your corporate governance model. For most organizations this is the board, a supervisory board, executive management committee, or equivalent body that can approve enterprise risk measures and direct resourcing.
Operational contexts where this becomes real:
- Multi-country operations where NIS 2 transposition differs by jurisdiction and you still need one coherent governance mechanism.
- Complex third-party dependence (cloud, MSSPs, critical software, OT suppliers) that creates cybersecurity risk outside your direct technical control.
- Incident reporting readiness, where supervisors will look for decision trails and oversight after a major event. (Directive (EU) 2022/2555, Article 20)
What you actually need to do (step-by-step)
Step 1: Map Article 20 to a concrete “approval object”
Create a Board/Management Cybersecurity Measures Pack that contains:
- Your Article 21-aligned control catalog or framework mapping (high-level is fine, but it must be complete enough to approve).
- Top enterprise cyber risks and current risk posture (with clear “red/yellow/green” definitions).
- Current-year security roadmap with major initiatives, owners, and dependencies.
- A clear list of material risk acceptances and exceptions that require management decision.
- Coverage of critical third parties and supply-chain exposure. (Directive (EU) 2022/2555, Article 20)
Practical shortcut: maintain a NIS 2 obligation register with jurisdictional applicability notes, control owners, and milestones, then generate the management pack directly from that register.
Step 2: Identify the approving authority and formalize approval mechanics
Decide and document:
- Which body approves (board, exec committee, equivalent).
- What constitutes approval (resolution, recorded vote, signed minutes).
- What must be approved: the full measures package, plus any material changes. (Directive (EU) 2022/2555, Article 20)
Operational tip: include explicit language in the resolution that the body approves the cybersecurity risk-management measures to comply with Article 21 and tasks named executives with implementation and reporting.
Step 3: Build an oversight operating rhythm (not ad hoc updates)
Create a standing agenda item for the management body that covers:
- Risk posture and trend (and what changed since last update).
- Implementation status vs milestones (planned vs actual, blockers, decisions needed).
- Incident readiness: triage and reporting workflow status, drills, and key lessons learned.
- Third-party concentration and assurance status for critical suppliers. (Directive (EU) 2022/2555, Article 20)
Make the oversight useful by setting “decision triggers,” for example:
- If a critical control milestone slips, management decides whether to add resources, adjust scope, or accept risk.
- If a critical third party fails assurance, management decides whether to proceed, add compensating controls, or exit.
Step 4: Prove accountability through decision records
Supervisors will not infer oversight from org charts. Build evidence:
- Minutes showing questions asked, challenges raised, and decisions made.
- Risk acceptance memos signed by accountable leaders, with management body visibility where appropriate.
- Remediation plans with owners and tracked closure.
- Evidence that incident and third-party dependencies are included in governance reporting. (Directive (EU) 2022/2555, Article 20)
Step 5: Make it exam-ready across jurisdictions
NIS 2 is implemented through Member State transposition. Your governance should therefore:
- Track jurisdictional applicability in your obligation register.
- Maintain a single enterprise baseline plus jurisdiction-specific deltas.
- Ensure the management body sees the enterprise view and approves material deltas (for example, if a jurisdiction requires faster internal escalation). (Directive (EU) 2022/2555, Article 20)
Where Daydream fits naturally: use Daydream to maintain the NIS 2 obligation register with jurisdiction notes, assign owners, track milestones, and generate board-ready evidence bundles (pack, minutes attachments, control status exports) without rebuilding the narrative each cycle.
Required evidence and artifacts to retain
Use this as your “Article 20 evidence checklist”:
| Artifact | What it proves | Minimum content |
|---|---|---|
| Management body resolution or minutes approving measures | Approval occurred | Date, scope, explicit reference to approving cybersecurity risk-management measures for Article 21 compliance, any conditions (Directive (EU) 2022/2555, Article 20) |
| Cybersecurity Measures Pack (board deck) | What was approved | Control scope, risks, roadmap, exceptions, third-party and incident readiness coverage |
| Oversight dashboard and reporting cadence | Ongoing oversight | KPIs/KRIs, milestone status, risk register extracts, action log |
| Risk register + risk acceptance decisions | Accountability | Named risk owner, rationale, compensating controls, review date |
| Remediation tracker | Implementation oversight | Findings, actions, owners, due dates, closure evidence |
| Incident triage/escalation workflow documentation | Operational readiness under governance | Triggers, roles, internal notification steps, evidence retention points |
| Critical third-party inventory and assurance records | Supply-chain oversight | Which third parties are critical, what assurance you obtained, remediation actions |
Common exam/audit questions and hangups
Expect questions like:
- “Show the management body approval of your cybersecurity risk-management measures.” Produce the minutes/resolution plus the exact pack that was approved. (Directive (EU) 2022/2555, Article 20)
- “How does the management body oversee implementation?” Provide the recurring agenda, dashboards, and decision log.
- “What decisions has the management body made?” Provide risk acceptances, resource approvals, and prioritization calls tied to evidence.
- “How do you ensure third-party dependencies are governed?” Provide critical third-party reporting to management body and follow-up actions.
- “What changes after an incident?” Provide post-incident review outputs and management body updates, showing governance learns and funds fixes.
Hangups that stall teams:
- Unclear definition of “management body” in group structures.
- Approval happens, but the pack is missing scope clarity and traceability to controls.
- Oversight reporting exists, but it is operational noise without decisions, owners, or remediation accountability. (Directive (EU) 2022/2555, Article 20)
Frequent implementation mistakes (and how to avoid them)
- Approving a policy binder instead of measures. Fix: approve a measures package that includes control scope, roadmap, exceptions, and metrics, then reference policies as supporting documents. (Directive (EU) 2022/2555, Article 20)
- No explicit linkage to Article 21. Fix: label the pack and resolution as “Cybersecurity risk-management measures to comply with Article 21.”
- Delegation without oversight. Fix: delegation is fine; evidence of oversight is required. Keep a management action log and record challenge questions in minutes.
- Third-party risk lives outside governance. Fix: include critical third parties in the same reporting line as internal controls, with remediation tracking.
- Jurisdiction drift. Fix: a NIS 2 obligation register with jurisdiction applicability notes and owners, reviewed on a scheduled basis.
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for Article 20, so treat this page as requirement-driven implementation guidance rather than an enforcement case digest. (Directive (EU) 2022/2555, Article 20)
Risk implication you should plan for: Article 20 is an accountability hook. If a supervisor believes Article 21 controls were inadequate, they will ask whether management approved and oversaw those measures in a meaningful way. Weak governance evidence tends to amplify the impact of any underlying control gaps because it suggests the entity could not effectively direct remediation. (Directive (EU) 2022/2555, Article 20)
Practical execution plan (30/60/90)
First 30 days (establish the governance mechanism)
- Confirm whether you are an essential or important entity and identify the management body that will approve measures. (Directive (EU) 2022/2555, Article 20)
- Stand up a NIS 2 obligation register with jurisdiction notes, owners, and milestones.
- Draft the “Cybersecurity Measures Pack” outline and populate it with what you already have (risk register extracts, key initiatives, critical third-party list, incident workflow).
- Schedule the approval meeting and pre-brief the chair/secretariat on required minutes language.
Days 31–60 (get formal approval + start oversight)
- Present the measures pack to the management body for approval; capture resolution/minutes and store the signed record. (Directive (EU) 2022/2555, Article 20)
- Launch the oversight dashboard and define what requires management decisions vs what is informational.
- Align incident triage/escalation and evidence retention workflows so you can prove readiness in an exam.
- Add third-party assurance status and top concentration risks to the management reporting.
Days 61–90 (make it repeatable and exam-ready)
- Run a full oversight cycle: report status, record questions/decisions, update the remediation tracker, and close actions.
- Validate traceability: each dashboard line item maps to an obligation/control owner and produces artifacts.
- Run a table-top exercise for incident governance: confirm who escalates to the management body, how decisions are recorded, and where evidence is stored.
- Build a “supervisory response binder” (digital folder) that contains the last approval pack, minutes, dashboards, risk acceptances, and remediation status exports.
Frequently Asked Questions
Does Article 20 require the board to approve every cybersecurity policy?
No. It requires the management body to approve the cybersecurity risk-management measures taken to comply with Article 21 and oversee their implementation. Package policies as supporting documents under an approved measures set. (Directive (EU) 2022/2555, Article 20)
Who counts as the “management body” for a group with subsidiaries?
Article 20 points to the management bodies of the essential or important entity. In practice you should document which governing body has authority for the in-scope entity and how group-level oversight satisfies local accountability. (Directive (EU) 2022/2555, Article 20)
What is the minimum evidence an examiner will accept for “approval”?
A board/management resolution or meeting minutes that clearly state approval of the cybersecurity risk-management measures, plus the exact pack that was approved. Keep both together under records management. (Directive (EU) 2022/2555, Article 20)
How do we show “oversight” without overwhelming executives with operational detail?
Use a dashboard with decision triggers: a small set of KRIs, milestone status, major exceptions, third-party issues, and incidents. Record decisions and follow-up actions in a management action log. (Directive (EU) 2022/2555, Article 20)
Do third-party risks have to be part of Article 20 governance?
Article 20 is governance over the measures used to meet Article 21. Since third-party dependency is a common driver of cybersecurity risk, include critical third-party inventory, assurance status, and remediation actions in the measures pack and oversight reporting. (Directive (EU) 2022/2555, Article 20)
We already report cyber metrics quarterly. What changes for Article 20?
Make the reporting explicitly about the approved Article 21 measures and add decision evidence: approvals, risk acceptances, remediation ownership, and documented follow-up. Metrics without accountable decisions are weaker proof of oversight. (Directive (EU) 2022/2555, Article 20)