
17 November 2025

NIS2 directive explained: Part 2 – Management bodies rules

Introduction

The NIS2 Directive marks a significant evolution in the European Union’s approach to cybersecurity, expanding both the scope of regulated entities and the depth of compliance obligations. These rules, and the liability they attach to organizations operating in the EU, are essential to understand: navigating them is necessary both for compliance and for securing the organization’s operations.

This insight, second of the three-part NIS2 series by DLA Piper, focuses on one of the most consequential changes in the NIS2 Directive – the explicit elevation of the “management body” as a central actor in cybersecurity governance, including the new obligations and potential liability of senior management for non-compliance.


What is a management body under NIS2?

One of the key objectives of the NIS2 Directive is the advancement of responsibility for cybersecurity risk management to the senior levels of an organization. The EU's message is quite clear: cybersecurity is such a significant threat to the continuity of critical services across the Union that we expect this to be taken seriously at the top of every in-scope organization. And the main way in which draftsmen have sought to achieve this is through the introduction of a “management body” concept.

NIS2 is notably vague about what constitutes a “management body”. There is no unified definition regarding its composition, seniority, remit, or position within an organization. The expectation is that the management body should be sufficiently senior and experienced to approve and oversee cybersecurity measures, but the specifics are left to national implementation. Other EU legislation, such as DORA, provides some guidance, describing the management body as the group that empowers an organization’s strategy and oversees decision-making. In practice, the location of the management body often aligns with the Member State determined by the “main establishment” rule (as discussed in Insight 1), which itself can be complex to apply – especially for multinational groups with distributed operations or decision-making outside the EU.


Responsibilities of management bodies

Although the Directive references management bodies only a few times, these mentions are essential and impose material obligations. Recital 137 of the Directive underscores the need for a high level of responsibility for cybersecurity risk management measures and reporting obligations, requiring that such measures be approved and their use supervised by the management body. Accordingly, Article 20(1) mandates that management bodies of essential and important entities must not only approve but also oversee the implementation of cybersecurity risk management measures. Furthermore, Article 20(2) introduces a training requirement: management bodies must ensure they possess sufficient knowledge and skills to identify and assess cybersecurity risks, and they are encouraged to extend such training to wider staff.


Consequences for Non-Compliance

NIS2 introduces personal accountability for members of the management bodies. It allows the exercise of management functions at CEO or legal representative level to be temporarily suspended where the entity fails to comply with enforcement measures. While this power of temporary suspension applies to essential, rather than important, entities, the Directive goes further, requiring Member States to ensure that the senior management of entities (understood as any natural person responsible for an essential or important entity, or acting as its legal representative on the basis of a power of representation, decision-making on its behalf or control over it) can be held personally liable for breaches of its duties under the Directive.


How is the management body concept playing out in the local implementation of NIS2?

While at the time of writing, only around half of EU Member States have implemented NIS2 into national law, the trend which has been almost universally adopted so far is to align the allocation of the management body with the existing board of directors (or equivalent) of the relevant in-scope entity registering in that jurisdiction. This means that if a group company has a number of separate legal entities registering in a single Member State, they will be required to allocate a separate management body to each of those national entities. Moreover, for a group company, it looks to be the case that the group will need to allocate a management body to each of its in-scope entities. The result for groups with countless entities in scope of NIS2 could be the allocation of multiple management bodies across the enterprise.

This is causing a particular headache for group companies whose existing cybersecurity management is centralized at the level of a global headquarters, rather than delegating cybersecurity decisions to be made at a local entity level. If, following the direction of NIS2, management bodies in each of the local entities are required to be both approving and supervising the implementation of cybersecurity risk management measures, there is a risk that cybersecurity decisions could become fragmented across the group, leading to an inconsistent approach to cybersecurity resilience across the global enterprise.

Solutions will differ across the group, and one solution may be a hybrid model which allows local management bodies to delegate a certain amount of responsibility for cybersecurity decision making to a central body while retaining ultimate accountability for NIS2 compliance in their national entity. How that model might play out will nevertheless differ from one group company to another.


Practical Implications for Multinational Organizations

The aforementioned ambiguity regarding the scope of management bodies and local differences in implementation create practical challenges. For multinational organizations, NIS2’s requirements may not align neatly with existing governance structures. While the Directive expects entity-level management bodies to be responsible for cybersecurity, many organizations manage these functions globally. If a Member State disagrees with the allocation of a management body, this may be seen as a breach of NIS2, since the local management body is unlikely to be sufficiently upskilled or to be taking responsibility for cybersecurity risk management decisions. Creating “shadow” management bodies in each Member State would be operationally and commercially burdensome, and may not be viable. Thus, organizations must strike a balance between legal obligations, strategic preferences, and operational realities.


Conclusion

In summary, the Directive places management bodies at the heart of cybersecurity governance, demanding both oversight and personal accountability. Keeping in mind that only some Member States have finalized the local implementation of NIS2, and that regulatory practice is only just taking shape, it is hard to predict how strict Member State competent authorities will be in their interpretation of management bodies. However, the lack of a precise definition and the interplay with complex organizational structures mean that each entity must carefully interpret and implement these requirements, guided by both the letter of the law and the realities of its business.
