Article 20

Governance

Directive on the security of network and information systems · UE 2022/2555

Governance

1.   Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.

The application of this paragraph shall be without prejudice to national law as regards the liability rules applicable to public institutions, as well as the liability of public servants and elected or appointed officials.

2.   Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.

Luxembourg specificity
loi luxembourgeoise du 28 juillet 2023 relative a la cybersecurite, modifiee par la loi du 28 juillet 2025

In Luxembourg, the ILR (Institut Luxembourgeois de Regulation) designates essential and important operators, conducts inspections and may sanction governance failures. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes Article 20 and confirms management body liability, without prejudice to Luxembourg law on director liability and, for the public sector, the liability of officials and appointed or elected representatives. Administrative fines can reach up to EUR 10 million or 2% of worldwide annual turnover for essential entities.

Luxgap practice: put the approval of Article 21 measures on a board agenda at least once a year and keep the signed minutes; it is the first document the ILR requests during an inspection.