---
title: "NIS2 Article 23: Governance Obligations"
description: "NIS2 Article 23 explained: governance obligations for management bodies. Board accountability, training requirements, and penalties under Italian law."
canonical: https://www.aegister.com/en/cms/insights/nis2-article-23-governance-obligations/
url: /en/cms/insights/nis2-article-23-governance-obligations/
lang: en
---

# NIS2 Article 23 in Practice: Obligations for Management and Governing Bodies

---

![NIS2 Article 23 in Practice: Obligations for Management and Governing Bodies](/static/images/cms/nis2-requisiti-di-base.webp)

January 27, 2026

Article 23 of Legislative Decree 138/2024 sets governance-level obligations for NIS entities. In practice, organizations need a formal governance model where management and governing bodies approve cybersecurity direction, oversee implementation, and can demonstrate evidence of decisions, reviews, and accountability.

Sources: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN baseline determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Key takeaways

- Article 23 focuses on governance and directional accountability, not only technical execution.
- Governing bodies must ensure cybersecurity governance is formalized, reviewed, and documented.
- Approval workflows, role assignments, and periodic oversight should be traceable through auditable evidence.
- Governance obligations connect directly with the baseline measures defined by ACN for first-phase implementation.

Sources: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Governance obligations under Article 23

At the operational level, Article 23 should be implemented through a governance framework that links legal duties to decision rights, ownership, and evidence.

### 1. Formal governance ownership

The organization should identify which governing body and executives hold formal cybersecurity governance ownership and ensure responsibilities are explicitly assigned.

### 2. Policy and direction approval

Core cybersecurity policies, risk governance principles, and strategic security directions should be approved at the proper governance level and reviewed periodically.

### 3. Oversight of implementation status

Governing bodies should receive recurring reporting on implementation progress, material risks, and corrective actions, with decisions and follow-ups recorded.

### 4. Accountability and evidence readiness

Governance decisions should be supported by documentary evidence such as approval records, review outcomes, role matrices, and governance meeting outputs.

Sources: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG), [ACN baseline determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

## Minimum operating model for compliance teams

| Governance element | Practical expectation | Typical evidence |
| --- | --- | --- |
| Role and responsibility model | Defined and approved governance roles for cybersecurity | Role-responsibility matrix, formal appointment records |
| Policy governance | Approved policies and review cycle | Policy approval minutes, revision log |
| Management oversight | Periodic governance-level reporting and escalation | Governance dashboards, decision registers |
| Training governance | Governance involvement in awareness and training direction | Approved training plan, attendance and completion records |

Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN baseline determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

## Execution checklist for the next 90 days

1. Confirm who, at governing-body and executive level, owns cybersecurity governance obligations.
2. Approve or update the formal role-responsibility model for cyber governance.
3. Validate that key policies include ownership, review cadence, and escalation criteria.
4. Set recurring governance reporting with risk and remediation tracking.
5. Prepare a compact evidence pack for potential supervisory checks.

## FAQ

### Does Article 23 apply only to technical security teams?

No. Article 23 is governance-centered and concerns governing bodies and executive accountability, with operational execution delegated but oversight retained at governance level. Source: [Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)

### Are policy approvals and review records optional?

No. Practical implementation requires documentary evidence of approvals and periodic reviews. Details are defined in the official call documentation and ACN implementation material. Sources: [ACN baseline determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed), [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)

### Which documents should governance teams prioritize first?

Priority usually goes to the governance role matrix, the cybersecurity policy set, periodic oversight records, and training governance evidence aligned to ACN baseline expectations. Sources: [ACN baseline reading guide](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base), [ACN baseline determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)

Need expert governance advisory? Aegister's [Virtual CISO service](/en/solutions/virtual-ciso/) provides dedicated support for NIS2 governance obligations.

### Related guides in this series

- [governance policies, roles, and accountability structures](/en/cms/insights/nis2-governance-gv-policies-roles-accountability/)

## Related reading

- [NIS2 baseline obligations in practice: master overview for governance, controls, and incident operations](/en/cms/insights/nis2-baseline-obligations-master-overview/)
- [NIS2 Governance Controls (GV): Policies, Roles, and Accountability Model](/en/cms/insights/nis2-governance-gv-policies-roles-accountability/)
- [NIS2 Legal Architecture and Role Model in Italy: Who Is Accountable for What](/en/cms/insights/nis2-legal-architecture-role-model-italy/)
- [Aegister NIS2 Compliance Service](/en/solutions/compliance/nis2/)
- [Aegister Virtual CISO Service](/en/solutions/virtual-ciso/)

## Official sources

- [Gazzetta Ufficiale - Legislative Decree 138/2024](https://www.gazzettaufficiale.it/eli/id/2024/10/01/24G00155/SG)
- [ACN - Baseline obligations determination](https://www.acn.gov.it/portale/documents/d/guest/detacn_obblighi_2511-v3_signed)
- [ACN - Guide to reading baseline specifications](https://www.acn.gov.it/portale/documents/d/guest/guida-alla-lettura-specifiche-di-base)
