NIS2 Art. 20 makes management bodies personally liable for cybersecurity. Directors must be trained. Our NIS2 training covers scope, obligations, incident reporting, and the Croatian transposition.
Essential vs. important entities, sector classification, size thresholds, supply chain implications, and how to determine if NIS2 applies to your organization.
Art. 20 personal liability, board-level training requirements, cybersecurity governance oversight, approval of risk management measures, and consequences of non-compliance.
Art. 21 requirements: risk analysis, incident handling, business continuity, supply chain security, network security, vulnerability handling, cyber hygiene, cryptography, HR security, and access management.
Three-stage reporting: 24-hour early warning, 72-hour incident notification, and one-month final report. What triggers reporting, what to include, and CERT coordination.
Third-party risk management, vendor due diligence, contractual security requirements, supply chain attack prevention, and monitoring supplier cybersecurity posture.
Cybersecurity as a board agenda item, delegation vs. accountability, security investment decisions, risk appetite definition, and board reporting frameworks.
How Croatia is implementing NIS2: the Cybersecurity Act, CERT.hr role, national authority structure, registration requirements, and sector-specific guidance.
For board members, CISOs, IT managers, and compliance officers responsible for NIS2 compliance and cybersecurity governance.
Board members and managing directors who are personally liable under Art. 20 and must approve cybersecurity risk management measures.
Chief Information Security Officers and IT managers responsible for implementing NIS2 technical and organizational measures.
Compliance and risk management professionals overseeing NIS2 implementation, reporting, and ongoing compliance monitoring.
NIS2 training addresses the most significant EU cybersecurity regulation, which replaces the original NIS Directive with substantially expanded scope and stricter requirements.
Free 30-minute consultation — assess your NIS2 scope, plan management body training, get a proposal
NIS2 applies to medium and large organizations in 18 sectors including energy, transport, banking, health, digital infrastructure, ICT services, and public administration. 'Essential entities' face the strictest requirements; 'important entities' have similar but somewhat lighter obligations. Use our NIS2 Checker tool for a quick assessment.
Yes. Art. 20(2) explicitly requires that 'members of the management bodies of essential and important entities are required to follow training.' This is not optional — it's a legal obligation with personal liability implications.
Essential entities: up to €10M or 2% of global annual turnover (whichever is higher). Important entities: up to €7M or 1.4% of global turnover. Additionally, management bodies can be held personally liable, and entities may face temporary suspension of certifications.
NIS2 was adopted in January 2023 with an October 2024 transposition deadline for member states. Croatia is implementing it through the Cybersecurity Act. Organizations should already be working on compliance, as enforcement is imminent.
NIS2 dramatically expands scope (from ~300 to ~10,000+ entities in Croatia alone), introduces personal liability for management, harmonizes incident reporting (24h/72h), mandates supply chain security, and increases fines. It also eliminates the distinction between operators of essential services and digital service providers.
Start with a gap assessment against Art. 21 requirements. Ensure management body training (Art. 20). Implement incident reporting procedures. Review supply chain security. Register with the competent authority. Consider ISO 27001 certification as a foundation. Our training covers all these preparation steps.
Art. 20 personal liability means directors cannot delegate cybersecurity responsibility. Our NIS2 training ensures your management body understands its obligations, your team knows the reporting procedures, and your organization is prepared.