5 September 2024

NIS2 and Executive Liability: What Board Members Risk Personally

NIS2 makes cybersecurity a top priority – literally. Executives and board members can be held personally liable if security measures are inadequate. Delegating to the IT department is no longer sufficient. Those who don’t understand security can’t ignore it either.

TL;DR

  • NIS2 Art. 20: Management bodies must approve risk management measures and monitor their implementation
  • Personal liability: Executives can be personally sanctioned for breaches of duty
  • Mandatory training: Management bodies must regularly participate in cybersecurity training
  • Fines: up to 10 million EUR or 2 percent of global annual revenue

What NIS2 Demands from Management

Article 20 of NIS2 is clear: Management bodies (executives, board members, supervisory boards) must approve cybersecurity risk management measures, monitor their implementation, and can be held liable for violations. Cybersecurity is no longer just an IT task – it is a governance responsibility at the highest level.

Concretely, this means: The executive must know the security strategy, understand the risks, and actively make decisions. “The IT department handled it” is no longer a valid defense.

Personal Liability: What This Means in Practice

The NIS2 directive allows member states to sanction natural persons – i.e., executives personally – for breaches of duty. In Germany, this will be specified by the NIS2 implementation law. Possible consequences: fines against the individual, temporary prohibition of executive functions, and civil liability towards the company.

Liability does not apply to every security incident but to proven breaches of duty: lack of risk analysis, ignored audit recommendations, neglected training, or failure to comply with reporting obligations.

Mandatory Training: Security Competence at the C-Level

NIS2 explicitly requires that members of management bodies participate in regular cybersecurity training. This is not an optional recommendation but a verifiable obligation. The training must be documented – date, content, attendance.

The content does not need to be a deep technical dive: understanding the threat landscape, knowledge of the most important risks for the company, understanding protective measures, and the ability to make informed decisions about security investments.

Compliance Roadmap for Executives

Five steps:

  • First, impact analysis: does the company fall under NIS2 (sectors, thresholds)?
  • Second, gap analysis: which of the 10 minimum measures (Art. 21) are already implemented?
  • Third, formalize risk management and have it approved by the management body.
  • Fourth, establish reporting processes (24-hour initial report, 72-hour follow-up report).
  • Fifth, set up and document a training program for the management.

The most important advice: documentation. Every decision, every measure, every training must be verifiable. In the event of liability, it is not what was done that counts – but what can be proven.

Key Facts

Fines: Up to 10 million EUR or 2 percent of global annual revenue

Affected: Approximately 30,000+ companies in Germany

Personal Sanctions: Fines against individuals and temporary management bans possible

Frequently Asked Questions

Can I delegate NIS2 responsibility to the CISO?

The operational implementation yes, the governance responsibility no. Management must approve the measures and monitor their implementation. The CISO is the executing body – the responsibility remains at the C-level.

When does NIS2 come into effect?

The EU directive had to be implemented into national law by October 2024. Germany is behind schedule, with the NIS2 implementation law expected in 2025. Companies should not delay implementation – the requirements are known and the time pressure is real.

Does D&O insurance cover NIS2 liability?

Typically yes, as long as there is no intent. However, check the exclusion clauses: Some D&O policies exclude regulatory fines. An explicit extension for cyber-governance liability may be useful.

Header Image Source: Pexels / khezez | خزاز

About the author: Tobias Massow

A magazine by Evernine Media GmbH