Why Article 20 is the real turning point
I believe Article 20 is the most misunderstood part of NIS2. Not because it's complicated, but because it's uncomfortable. It does something many organisations have tried to avoid for years: it moves cybersecurity from "someone else's table" to the leadership's table.
NIS2 essentially makes three demands of leadership:
Firstly: leadership must approve risk management measures.
Secondly: leadership must monitor their effectiveness.
Thirdly: leadership can be held personally accountable if these duties are neglected. (European Union, 2022).
This may sound obvious, but in practice many organisations have built a culture where cybersecurity is "a function" and leadership merely "agrees" from a distance. Article 20 says: the captain must be on the bridge when it counts.
"Engagement" isn't just a feeling – it's visible governance
Here, I think we need to be brutally practical. Engagement is a nice word, but in oversight and audits it means something very concrete: traceability.
You know leadership is engaged when you can trace a clear line:
That is why NIS2 links Article 20 so closely to Article 21. Article 21 outlines the risk management and security measures required. Article 20 says leadership must ensure it happens and keep a firm hand on the wheel. (European Union, 2022).
Article 21 reflected in leadership's mirror
Article 21 lists ten areas (a to j) that must be covered by risk management measures. I won't reproduce them as a checklist here, as that would be exactly what NIS2 tries to stop. But I want to be clear: Article 20 is pointless if leadership doesn't make Article 21 manageable.
Put simply, Article 21 means leadership must be able to answer three questions without anyone in the room nervously coughing:
What is our risk profile?
This is Article 21(2)(a): policies for risk analysis and information system security. In other words: do we know where we could run aground and why? (European Union, 2022).
What capabilities do we have when incidents occur?
This covers incident management, continuity, backup and recovery, crisis management and communication. It's also what turns "proportionate" and "appropriate" from poetry into reality. (European Union, 2022).
How do we know it works?
Perhaps the most important question. NIS2 explicitly highlights the need for measures to be effective and for consideration of the "state of the art", meaning the current technical and methodological standards. For certain actors, there are also EU requirements specifying technical and methodological aspects in Commission Implementing Regulation (EU) 2024/2690. (European Union, 2022; European Commission, 2024).
Here I often pause to say something easy to grasp even without legal training:
If it's not tested, it doesn't exist.
On a ship, lifeboats don't count just because they're on deck. They count when they can be launched.
The most common misunderstanding I encounter in boardrooms
"Isn't this all technical?"
No. The technical side is part of the measures. But Article 20 is a demand for governance. Governance means making decisions about priorities, resources, and acceptable risks.
That's also why NIS2 requires leadership to undergo training. Training here doesn't mean becoming technicians, but understanding the risks and being able to assess risk management measures and how they affect the service the organisation provides. (European Union, 2022). I often describe it as leadership not needing to know how to fix the engine, but they must understand the difference between "a warning light flashing" and "we're taking on water".
Swedish implementation: more than just an EU idea
With the Cybersecurity Act and Cybersecurity Ordinance, Sweden has established how supervision, reporting, and accountability should work nationally, including roles for coordination and forwarding incident reports between member states. (Swedish Parliament, 2025b).
This is where many organisations will notice the difference between "we think we're quite good" and "we can prove we're good". Supervision doesn't look at ambition; it looks at traceability and effectiveness.
My vision, without losing touch with reality
I believe Article 20 could be one of the best things to happen to European cybersecurity. Not because it creates more demands, but because it shifts the focus from paperwork to reality.
But we must understand this: Article 20 is not a moral clause. It's a construct designed to change incentives. It makes passivity more costly and building real capability more rewarding.
And this is where I see the "wow factor", if you dare to see it:
When leadership truly takes the bridge seriously, cybersecurity stops being a brake. It becomes a stabiliser. It enables the organisation to make faster decisions because it knows its limits and how to recover if it slips.
Final word
Article 20 doesn't say you must be perfect. It says you must be responsible. And in a world where digital services are critical to society, it's hard to argue against that. I want us to stop talking about cybersecurity as a department. I want us to start treating it as what it is: part of leadership's core mission to keep the organisation afloat, even when the weather turns rough.
The captain doesn't have to be everywhere. But they must not leave the bridge.
References
European Commission. (2024). Commission Implementing Regulation (EU) 2024/2690. EUR-Lex.
European Union. (2022). Directive (EU) 2022/2555 (NIS2). Official Journal of the European Union, L 333.
Government. (2026). New law strengthens cybersecurity / Stricter requirements for Swedish cybersecurity (pages on entry into force 15 January 2026).
Swedish Parliament. (2025a). Cybersecurity Act (2025:1506). Swedish Code of Statutes.
Swedish Parliament. (2025b). Cybersecurity Ordinance (2025:1507). Swedish Code of Statutes.