NIS2 obligations: what the directive actually requires of managers

With NIS2, cybersecurity is changing sides. It is no longer solely the responsibility of the CISO or IT department. The European directive directly engages the responsibility of management bodies. But in concrete terms, what are the NIS2 obligations of managers? What is legally mandatory? What constitutes best practice? And where to start without drowning in endless checklists?

Key takeaway — The 4 NIS2 obligations of management

According to Directive (EU) 2022/2555, managers of essential and important entities must:

  • Approve cyber risk management measures
  • Oversee their implementation
  • Undergo training in cyber risks (an explicit requirement of the text)
  • Take responsibility in the event of a breach

This is not a recommendation. It is the text of Article 20 of the directive.

NIS2: a risk governance approach, not a list of tools

The first misunderstanding to clear up is this: NIS2 does not prescribe specific technical tools, but imposes categories of measures to be covered, managed at the highest level of the organization.

Cybersecurity is becoming a governance issue, just like financial risk or operational risk. The logic is simple: NIS2 does not assess whether your infrastructure is perfect. It assesses whether your management understands the risks, makes decisions, and can report on them.

The structure of the directive is clear:

  • Article 20 → Management responsibility
  • Article 21 → Risk management measures (with explicit minimum categories)
  • Article 23 → Incident reporting (with specific deadlines)

These three articles form the core of what your organization must be able to demonstrate.

What Article 20 actually says: governance and management responsibility

"Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities, supervise their implementation, and can be held accountable for any failures."
— Directive (EU) 2022/2555, Article 20

In concrete terms, the NIS2 responsibility of management involves:

  • Responsibility clearly assigned at the managerial level (CEO, member of the Executive Committee, or formal delegation)
  • Explicit decisions on cyber risks — not merely being informed about them
  • Cyber risk training: Article 20 explicitly requires members of management to undergo appropriate training.
  • Ongoing monitoring: periodic reviews, not just one-off treatment in the event of a crisis
  • Integration of cyber risk into the organization's overall risk mapping

What is expected is not technical expertise from management. It is a managerial responsibility of NIS2 governance: assumed, trained, and traceable.

Evidence required in the event of an inspection:

  • Committee minutes mentioning cybersecurity with associated decisions
  • Records of training courses taken by members of management
  • Formalized decisions on arbitration or risk acceptance
  • Cyber reporting presented to management with documented validation

What Article 21 actually says: risk management measures

"Essential and important entities shall take appropriate and proportionate technical, operational, and organizational measures to manage the risks posed to the security of network and information systems."
— Directive (EU) 2022/2555, Article 21

This is where the main nuance lies: NIS2 governance by management is not limited to validating a risk analysis. Article 21 imposes categories of concrete measures, all of which must be covered in an appropriate and proportionate manner:

Management
  ↓ Cyber governance (Art. 20)
  ↓ Cyber risk management
  ↓ Technical and organizational measures (Art. 21)
    ↳ Incidents · Continuity · Supply chain · Access · HR · Cryptography

The categories of minimum measures explicitly listed in Article 21:

  • Incident management: detection, qualification, and response processes
  • Business continuity: backup plans, disaster recovery, crisis management — these three terms are explicitly mentioned in the directive.
  • Supply chain security: control of critical suppliers
  • Security during system acquisition, development, and maintenance
  • Vulnerability management: identification, handling, disclosure
  • Cryptography policies and practices
  • Human resources security: recruitment, departure, and training processes
  • Access management and multi-factor authentication (MFA): explicitly required

The operational consequence: an organization cannot settle for a "good risk analysis" without covering these areas. Risk analysis is the starting point for calibrating measures — not the only deliverable expected.

The rule of "appropriate and proportionate" measures

NIS2 leaves real discretion regarding the level of measures, provided that they are proportionate to:

  • The size and sector of the entity
  • Actual risk exposure
  • Role in the ecosystem

A mid-sized company with 200 employees in the energy sector and a large critical infrastructure group will not have the same expectations. What is non-negotiable is consistency between the risks identified and the measures deployed—and the ability to demonstrate this.

What Article 23 actually says: incident notification deadlines

"Essential and important entities shall notify the competent authority or the CSIRT without undue delay of any incident having a significant impact on the provision of their services."
— Directive (EU) 2022/2555, Article 23

NIS2 incident management distinguishes between two levels: operational (detect, contain, restore) and regulatory (notify within the deadline). These are two separate obligations.

The notification process takes place in three specific stages:

Step                  | Deadline                    | Expected content
Early warning         | 24 hours after detection    | Reporting the incident, indicating whether it is malicious or cross-border
Incident notification | 72 hours after detection    | Initial assessment: severity, impact, indicators of compromise
Final report          | 1 month after notification  | Comprehensive analysis, impact, measures taken, recommendations

What this means in practical terms: Your organization must have pre-qualified its criteria for significant incidents before an incident occurs. A 24-hour notification is only possible if the decision-making chain has already been clarified: who detects, who qualifies, who notifies, who decides.
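As an added illustration (not part of the original article), the following Python tracker computes the three Article 23 due dates from the detection time and classifies each step as on time, late, pending or overdue. It assumes that "1 month" means a calendar month and that the final report counts from the notification actually sent; the incident data is constructed.

```python
import calendar
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def add_one_month(t: datetime) -> datetime:
    """Calendar-month arithmetic (31 Jan -> 28/29 Feb); assumption for "1 month"."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)

def deadlines(detected: datetime, notified=None) -> dict:
    """Due dates for the three steps: early warning and incident notification
    count from detection; the final report counts from the notification
    actually sent, or from its 72 h deadline if it has not been sent yet."""
    notification_due = detected + timedelta(hours=72)
    return {
        "early_warning": detected + timedelta(hours=24),
        "incident_notification": notification_due,
        "final_report": add_one_month(notified or notification_due),
    }

def timeline_status(detected: datetime, submitted: dict, now: datetime) -> dict:
    """Classify each step: on_time, late (sent after due), pending, overdue."""
    status = {}
    due_by = deadlines(detected, submitted.get("incident_notification"))
    for step, due in due_by.items():
        sent = submitted.get(step)
        if sent is not None:
            status[step] = "on_time" if sent <= due else "late"
        else:
            status[step] = "overdue" if now > due else "pending"
    return status

# Constructed sample: detection on 10 March, early warning within 24 h,
# incident notification six hours past the 72 h deadline, no final report yet.
SAMPLE_DETECTED = datetime(2024, 3, 10, 9, 0, tzinfo=UTC)
SAMPLE_SUBMITTED = {
    "early_warning": datetime(2024, 3, 11, 8, 0, tzinfo=UTC),
    "incident_notification": datetime(2024, 3, 13, 15, 0, tzinfo=UTC),
}

def sample_status(days_after_detection: int) -> dict:
    """Status of the sample incident as seen N days after detection."""
    now = SAMPLE_DETECTED + timedelta(days=days_after_detection)
    return timeline_status(SAMPLE_DETECTED, SAMPLE_SUBMITTED, now)

if __name__ == "__main__":
    for days in (20, 40):
        print(days, sample_status(days))
```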

Notifying is not an admission of fault. It is a procedural obligation. What is penalized is failure to notify—not the fact of having experienced an incident.

What NIS2 does NOT impose: misconceptions to be corrected

This is a point that is often misunderstood. Many elements are presented as "required by NIS2" when in fact they are best practices that are useful and valuable, but not mandatory as such:

Often presented as mandatory              | Actual status
ISO 27001 certification                   | Best practice, not mandatory
Internalized SOC                          | Possible tool, not required
Specific vulnerability management tools   | Organizational choice; no tools imposed
Dedicated cyber committees                | Nuance: the existing system may suffice if it is consistent and traceable
Very voluminous documentation             | Proportionate to the risks: not maximal, but adapted to the context

Important nuance regarding documentation: it must remain demonstrable, not necessarily exhaustive. The directive refers to "appropriate and proportionate" measures — which means that 10 pages that are actually used are better than 200 pages that are never read.

What varies depending on national transposition (including France)

France has not yet finalized its transposition of NIS2. The direct consequence is that certain practical arrangements are still being settled:

  • The competent authority and its organizational structure
  • Operational notification processes (platform, format, ANSSI contacts)
  • Alignment with national standards (the ANSSI standard is currently being finalized)

What remains unchanged: the substantive obligations arising from the European text apply immediately. The national transposition specifies the modalities; it does not create the obligations.

The right approach: align with the European framework (Articles 20, 21, 23) and explicitly document the assumptions made regarding French procedures, clearly distinguishing them from EU obligations.

The mistake that management cannot afford to make

The most common mistake is not implementing NIS2 incorrectly. It is leaving cybersecurity solely in the hands of the CISO, without any real involvement from senior management.

A NIS2 auditor does not seek technical perfection. They seek evidence that management understands the issues, arbitrates priorities, has undergone training, and takes responsibility for its choices. In the absence of evidence of cyber management at the executive level—and documented training—this is systematically considered a negative signal in the audit.

Good NIS2 governance means: a consistent, simple, used, and traceable system. Not just another committee.

The first 5 concrete actions to take

  1. Formalize a cyber governance memo approved by management: appoint a leader, assign responsibility — two pages are sufficient.
  2. Document the cyber training courses taken by members of management (explicit requirement of Article 20).
  3. Produce a targeted, one-page map of critical services, including associated assets.
  4. Launch a simplified risk analysis covering the eight areas of Article 21 — 10 to 15 major risks identified and accepted.
  5. Clarify the decision-making chain in the event of an incident: roles, deadlines, notification criteria within 24/72 hours.

These actions are simple. They are also very valuable in the event of a NIS2 audit.

👉 Want to build your NIS2 governance? Discover our NIS 2 operational guide, including practical fact sheets, expected deliverables, and a management checklist.
