NIS 2 Article 20 - Governance
First, a fact that surprises many readers: of the 46 articles of the NIS 2 directive, only a handful impose direct obligations on the companies in scope. The core ones are Article 20 (Governance), Article 21 (Cybersecurity risk-management measures) and Article 23 (Reporting obligations); most of the rest is addressed to the Member States and EU bodies.
This page deals with Article 20 (Governance), which strengthens management-level oversight of cybersecurity.
The Network and Information Systems Directive 2 (NIS 2, Directive (EU) 2022/2555) is an important step in the European Union's (EU) efforts to raise the level of cybersecurity across its Member States. Among the 46 articles of the Directive, Article 20 (Governance) stands out as the cornerstone for establishing effective oversight of cybersecurity in organizations.
What is Article 20 (Governance) in NIS 2?
Article 20 of NIS 2 addresses governance. It requires that the management bodies of essential and important entities approve the cybersecurity risk-management measures the entity takes under Article 21, oversee their implementation, and accept that they can be held liable for infringements of that article. It further requires the members of the management body to follow cybersecurity training, and encourages entities to offer comparable training to their employees on a regular basis.
In short, Article 20 makes top management involvement in cybersecurity a legal duty rather than a recommendation, and ensures that decision-makers are aware of, and answerable for, their responsibility for managing cybersecurity risks.
Key Requirements of Article 20 in NIS 2
Top Management Accountability
Article 20 makes clear that cybersecurity is not just an IT issue but a strategic concern that must be addressed at the highest level of the organization. The management body must approve the risk-management measures and oversee their implementation, ensuring that adequate resources are allocated and that cybersecurity is integrated into the overall business strategy. Because members of the management body can be held liable for infringements, this accountability is personal, not merely organizational.
Defined Roles and Responsibilities
Organizations must establish clear roles and responsibilities for cybersecurity governance. This includes appointing individuals or teams responsible for implementing and maintaining cybersecurity measures, as well as ensuring that these individuals have the authority and resources necessary to fulfill their duties.
Risk Management Integration
Article 20 ties governance directly to the cybersecurity risk-management measures of Article 21, which the management body has to approve and oversee. In practice this means cybersecurity risks must be identified, assessed, and treated in the same way as other business risks, with regular reporting to top management so that the oversight required by Article 20 is based on current information rather than on an annual formality.
Continuous Improvement
Governance structures must support continuous improvement in cybersecurity. This includes regularly reviewing and updating policies, procedures, and controls to address emerging threats and vulnerabilities, and it includes the training obligation of Article 20: members of the management body must follow training so that they can recognize risks and judge the adequacy of the measures they approve, and employees should receive comparable training regularly.
Impact for Businesses with NIS 2
Increased Accountability
Article 20 places significant responsibility on top management and makes them accountable for the company's cybersecurity posture, up to and including personal liability of the members of the management body for infringements of the risk-management obligations. This shift in responsibility means that managers can no longer delegate cybersecurity entirely to the IT department; they must be actively involved in strategic decision-making and risk management.
Stronger Oversight
By requiring clear governance structures, Article 20 ensures that there is strong oversight of cybersecurity practices. This helps organizations identify gaps and weaknesses in their cybersecurity posture, enabling them to take proactive measures to mitigate risks.
Enhanced Risk Management
Integrating cybersecurity into overall risk management processes ensures that organizations take a holistic approach to managing risks. This not only strengthens cybersecurity but also aligns it with broader business objectives, making it an integral part of the organization’s strategic planning.
Implementation of Governance Structures for NIS 2
To comply with Article 20 and establish effective cybersecurity governance, organizations should consider the following steps:
Engage Senior Leadership
Ensure that the members of the management body understand the importance of cybersecurity and are committed to taking an active role in governance. This can be achieved through regular briefings, the training that Article 20 requires of them, and direct involvement in cybersecurity decision-making. Keep records of the training and of the decisions taken: the ability to show that the management body approved and oversaw the measures is what a supervisory authority will ask for.
Define Roles and Responsibilities
Clearly define who is responsible for cybersecurity within the organization. This should include a Chief Information Security Officer (CISO) or equivalent role, supported by a cross-functional team with representatives from IT, risk management, legal and other relevant departments. Delegating the work to these roles does not delegate the accountability; the management body remains responsible for approval and oversight.
Integrate Cybersecurity into your Risk Management
Embed cybersecurity into the company's wider risk management. This includes conducting regular risk assessments, monitoring emerging threats and ensuring that cybersecurity risks are discussed and decided at board level, with the outcome minuted.
Establish Continuous Improvement Processes
Implement procedures to continuously review and improve cybersecurity measures. This could include regular audits, sharing threat intelligence and introducing new technologies and practices to stay ahead of evolving threats.
Allocate Sufficient Resources
Ensure that adequate resources, including budget, personnel and technology, are allocated to cybersecurity. This demonstrates a commitment to maintaining strong governance and supports the effective implementation of cybersecurity measures.
Overall, Article 20 (Governance) of NIS 2 is a critical component of the EU's efforts to improve cybersecurity in all Member States. By placing accountability at the highest level and tying it to the risk-management measures of Article 21, Article 20 pushes organizations toward a proactive and strategic approach to cybersecurity governance.
Aligning ISO 27001 with NIS 2 governance mandates
ISO 27001 plays a central role here, because it provides a comprehensive management-system framework that maps well onto the governance requirements of NIS 2: leadership commitment and assigned responsibilities (clause 5), information security risk assessment and treatment (clause 6.1), competence and awareness (clause 7), and continual improvement (clause 10). An organization that implements ISO 27001 therefore has most of the structures Article 20 asks for already in place, and strengthens its overall cybersecurity posture at the same time. Note the caveat: certification alone does not discharge the obligations NIS 2 places on the management body itself. The approval and oversight of the risk-management measures, the management training, and the resulting liability remain with the management body and have to be evidenced as such.