NIS2 & DORA | June 2025 | 6 min. read

Personal Liability Under NIS2: What Executives Need to Know Now

NIS2 shifts responsibility for cybersecurity directly to the executive level. We explain what this means in practice and how to protect yourself.

The Key Change: Liability is Personal

The EU's NIS2 Directive, which was to be transposed into national law by October 2024, introduces a fundamental shift: cybersecurity is no longer purely a technical matter that can be delegated to the IT department. Instead, managing directors, board members, and supervisory boards now bear direct personal responsibility.

In concrete terms, this means: if a company violates the requirements of the NIS2 Directive, the responsible management bodies can be held personally liable – not only under civil law, but in serious cases also under administrative law. Fines of up to €10 million or 2% of global annual turnover are possible. Crucially, personal liability does not only apply once damage has occurred; it applies as soon as a breach of duty is proven – for example, the failure to implement appropriate security measures.

What is Specifically Required

NIS2 obligates affected companies – and the circle of those affected is significantly larger than under the predecessor directive NIS1 – to implement comprehensive risk management. This includes: identification and assessment of cyber risks, technical and organizational security measures, supply chain management, incident reporting obligations, and regular review and documentation of all of these measures.

The supply chain aspect is particularly critical: companies must not only demonstrate their own IT security, but also ensure that their key suppliers and service providers meet adequate security standards. Those who rely solely on questionnaires and self-declarations risk being unable to present reliable evidence when it matters.

Why Classic Measures Are Insufficient

Many companies have already established internal ISMS processes or acquired certifications such as ISO 27001. These are important, but not sufficient under NIS2. The directive also explicitly requires monitoring of external threats – that is, what happens outside your own infrastructure: ransomware groups buying your employees' credentials, phishing infrastructure abusing your brand name, and suppliers whose systems are already compromised without your knowledge.

Internal security teams can rarely close this blind spot on their own, because they naturally focus on their own infrastructure – not on what happens in darknet forums, on criminal infrastructure, or in phishing kits.

How External Risk Transparency Protects Executives

A demonstrable, technically validated risk assessment is the decisive protection for management bodies. Not because it prevents every attack, but because it documents that appropriate measures were taken. In a liability case, this is the difference between personal accountability and demonstrated due diligence.

External providers specialized in monitoring external threat ecosystems deliver exactly this: technically verified risk assessments, documented findings on threats to your supply chain and company, and auditable reports you can use vis-à-vis regulators, insurers, and investors.

Note: This article is for general information purposes only and does not replace legal advice. For a specific assessment of your situation, we recommend consulting specialized lawyers and technical cybersecurity experts.
