OpenChainGraph Suite · ART-146 · wave 26

NIS2 Governance Readiness Checker (Art. 20 — Management Body Accountability)

Assess NIS2 Article 20 management body accountability readiness. Article 20 makes board members personally liable for approving cybersecurity risk-management measures and completing mandatory training. This checker scores 6 governance controls and surfaces a personal liability risk flag where board exposure exists.

NIS2 Art.20Board AccountabilityPersonal Liability Risk§16 ProofW3C VC §13.11PDF ExportZero PII

🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.

Scope

Terminal node of the nis2-incident-response chain (art-144→145→146). Assesses NIS2 Article 20 board-level governance: formal approval of Art.21 measures, quarterly cybersecurity status reporting, CISO/equivalent designation, completed NIS2 cybersecurity training, training covering threat landscape and incident-response clocks, and board review recency (stale if >365 days). Grade A≥6 controls, B≥5, C≥3, D<3. Personal liability risk triggers where Art.21 measures not formally approved or board review is stale.

Presets

Board Governance Controls

Board has formally approved all Art. 21 cybersecurity risk-management measures

Required by Art. 20(1) — absence creates personal liability for management body members

Board receives quarterly cybersecurity status updates

Regular board-level reporting cadence on cybersecurity posture, incidents, and risk status

CISO or equivalent cybersecurity officer designated with board-level accountability

Named individual responsible for cybersecurity reporting to the management body

NIS2-mandated cybersecurity training completed by all management body members

Art. 20(2) mandates that management body members participate in cybersecurity training

Training curriculum covers sector-specific threat landscape and risk context

Training must be sufficiently specific to the entity's sector to satisfy Art. 20(2)

Training covers Art. 23 incident-reporting clocks (24h / 72h / 30d)

Management body must understand their personal obligations under Art. 23 reporting timelines

Board Review Recency

Days since last board cybersecurity review — leave blank if never conducted

Result

Execution Hash & §4 Artifact

SHA-256 execution hash (JCS canonical — RFC 8785):