Yes, with important nuance. Under Article 20 of the directive, management bodies must formally approve and oversee cybersecurity risk-management measures and are required to complete cybersecurity training. Member states must ensure personal liability can be applied to individuals responsible for these duties under national law. For Essential Entities, Article 32 gives national authorities the power — as an escalation measure after other enforcement actions have proven ineffective — to seek a temporary ban on a senior executive from exercising their managerial role. For Important Entities, this specific escalation measure does not apply, though personal liability under national law still does. The practical implication is the same: cybersecurity is now a board-level governance responsibility, not something that can be fully delegated.