Jun 8, 2026

Article 20 versus Article 21: the two NIS2 training duties, explained simply

One duty sits on management personally, the other on the organisation for its staff. Why blurring them leaves a gap on the shop floor.

NIS2 talks about training in two different places, and they are not interchangeable. Article 20 places an explicit, personal duty on the management body: approve the risk-management measures, oversee their implementation and follow training. Article 21 makes cyber hygiene practices and cybersecurity training one of the risk-management measures the organisation must take for its staff. One duty sits on named individuals; the other sits on the organisation.

What does Article 20 require of management?

Three things in plain terms: management must approve the cybersecurity risk-management measures, must oversee their implementation and must themselves follow training to gain sufficient knowledge to assess those measures. Member-state implementations attach real accountability to this, which is why board-level NIS2 sessions stopped being optional in 2025.

What does Article 21 require for staff?

Article 21 lists the minimum risk-management measures every in-scope entity must take, and the list includes basic cyber hygiene practices and cybersecurity training. The wording is organisational: it is a measure you must have, sized to your risk. For an office that may mean annual awareness modules; for a factory floor with a large contingent workforce of temporary and agency staff it means something that actually reaches that population, in their languages, with evidence that it did.

Why does the distinction matter in practice?

Because the two duties fail differently. An Article 20 failure is a governance finding: management cannot show it was trained or that it oversees the measures. An Article 21 failure is an operational finding: the organisation cannot show its people, including temporary workers, were trained as part of its measures. Many organisations fixed the first in a single boardroom afternoon and still have the second wide open on the shop floor. Our readiness checker tests both sides.

A copy-ready summary

Management: explicit, personal, Article 20. Staff: required measure, organisational, Article 21. If a vendor or adviser blurs the two, ask which article they mean.

Last reviewed: June 2026. This article is general information and is not legal advice.

© All rights reserved 2026