NIS2 Liability: Why IT Security Is Now a Top Priority for Every Executive

Key points at a glance
- Non-transferable Executive Priority: IT security can no longer be fully delegated; the management carries personal responsibility.
- Liability Risk: In the event of a breach of duty, management faces personal internal liability involving their private assets.
- Risk of Fines: Companies risk sanctions of up to €10 million or 2% of their total global annual turnover.
- Training Obligation: Management is legally required to participate regularly in certified cybersecurity training.
- Reversal of the Burden of Proof: In the event of damage, managing directors must provide complete, gap-free documentation proving they have fulfilled all due diligence requirements.
Introduction
In the past, IT security was viewed in many boardrooms as a "necessary evil"—a technical discipline located deep in the basements of the IT department. As long as systems were running, management rarely saw a reason to personally engage with firewall configurations or patch management cycles. However, the digital threat landscape has intensified drastically. Today, ransomware attacks are not a matter of "if," but "when."
The European Union is responding to this volatile situation with the NIS2 Directive. Its core objective is a uniformly high level of security across all member states. The decisive change, however, is not only the technical tightening but the accountability the directive places on management. With NIS2, cybersecurity becomes a non-transferable leadership task. Any managing director who closes their eyes to cyber risks in the future risks not only the company's assets but their personal livelihood.
What does NIS2 mean for management?
The NIS2 Directive (Network and Information Security Directive 2.0) is the response to the increasing professionalization of cybercrime. While the predecessor regulation, NIS1, primarily targeted large, critical infrastructures (KRITIS) such as energy suppliers or hospitals, NIS2 massively expands the scope of application.
According to the current status of implementation into German law (the NIS2UmsuCG), significantly more companies must prepare for strict controls. Sectors such as chemicals, food, waste management, digital services, and manufacturing are affected. A company that reaches the threshold of 50 employees or an annual turnover of €10 million comes under the scrutiny of the supervisory authorities.
For management, this represents a paradigm shift:
- Personal Approval: You can no longer simply "nod through" security concepts. You must understand and formally approve them.
- Duty of Supervision: It is not enough to release a budget. You must prove that the measures have actually been implemented and are effective.
- Direct Responsibility: The complexity of IT does not exempt you from responsibility. The law assumes that a diligent managing director knows the risks of their digital infrastructure.
Why IT security can no longer be delegated
A common misconception in German companies is the belief that liability can be completely delegated by appointing a competent IT manager or an external service provider. From a legal perspective, this is a dangerous misjudgment.
While the operational execution (the "doing") can be delegated, the organizational and supervisory responsibility remains mandatory for the governing body. NIS2 reinforces this point: management must not only fund risk management measures but also actively monitor their implementation.
The Comparison to Finance: A managing director can delegate accounting but remains liable for the accuracy of the balance sheet and the avoidance of delayed filing for insolvency. This is exactly the status IT security now holds under NIS2. Cyber risks are now strategic risks. A total IT failure caused by a hacker attack is equivalent to the entire production hall burning down. Anyone who fails to manage such risks at the board level is acting in breach of duty.
What specific duties of care arise
To avoid NIS2 liability, managing directors must fulfill a catalog of due diligence requirements. These can be divided into five core areas:
- The Duty to Inform: You must establish a system that regularly informs you about the threat landscape. It is not enough to wait for the annual report. Critical vulnerabilities or attempted attacks must be escalated promptly.
- The Duty of Approval: Strategic documents, such as the information security concept or the emergency plan, must be signed by the management. By doing so, you document that you have consciously determined your company's level of protection.
- The Duty of Supervision: You must create control mechanisms. Who checks if the backups actually work? Who ensures that departed employees no longer have access to the network? The management must regularly have the effectiveness of these controls confirmed.
- The Duty of Training: This is one of the most underestimated points. NIS2 explicitly obliges the management level to participate in training. The goal is to enable you to professionally assess cyber risks and their impact on business operations.
- Provision of Resources: Security costs money. If the IT department has been complaining about outdated systems for years and the management rejects necessary investments without a factual justification, this constitutes a clear breach of duty.
The Liability Trap: Fines and Personal Consequences
The penalties under NIS2 are strict and based on the logic of the GDPR, but often go further in terms of personal consequences.
Corporate Fines:
"Essential entities" face potential fines of up to €10 million or 2% of total global annual turnover. For "important entities" (which includes many SMEs), the limit is still up to €7 million or 1.4% of turnover. These sums can directly jeopardize a company's financial stability.
Personal Internal Liability:
Far more threatening for managing directors, however, is internal liability pursuant to Section 43 of the GmbHG (Limited Liability Companies Act) or Section 93 of the AktG (Stock Corporation Act). If the company is forced to pay a multi-million euro fine because management neglected its NIS2 obligations, the shareholders' meeting can take recourse against the managing director personally.
The Role of D&O Insurance:
Many managers feel a false sense of security because they have taken out D&O insurance (Directors and Officers). But beware: insurers only pay out in cases of ordinary negligence. If a clear legal requirement, such as the mandatory NIS2 training, has been ignored, insurers often argue that there has been a "knowing breach of duty" or "grossly negligent organizational fault" and refuse to pay.
Risk Management: The Strategic Tool
NIS2 does not require absolute security, but rather measures that are appropriate given the current state of the art. Through a structured risk analysis (identification of critical assets and threat scenarios), management makes informed decisions regarding investments or residual risks. This documentation is the most important tool for demonstrating compliance during audits.
Documentation and the Burden of Proof
In the event of damage, there is a risk of a reversal of the burden of proof: you must prove that you have fulfilled your due diligence requirements. Without a complete, gap-free "NIS2 file" (including management protocols, proof of budget, and training certificates), this proof is nearly impossible to provide. Digital compliance platforms serve as legally secure "life insurance" in this regard.
Supply Chain Security and Governance
Responsibility does not end at the company gate. You must ensure that direct suppliers also adhere to appropriate security standards. This requires active governance and a "tone from the top": IT security must be established as part of the corporate culture, including a clear division of roles and an open culture of accountability in the event of incidents.
Conclusion: Responsibility as an Opportunity
The NIS2 Directive is driving a long-overdue shift toward professionalization. For business owners, this means greater personal liability, but it also presents an opportunity to make their companies crisis-proof. Those who comply with NIS2 not only minimize risks but also secure a competitive edge with customers and insurers.
FAQ
How often must management participate in NIS2 training?
The law does not specify a rigid interval but refers to "regular" participation. In practice, an annual update is recommended to stay informed about new threat patterns (e.g., AI-supported phishing).
Does NIS2 also apply to managing directors of subsidiaries?
Yes, if the subsidiary itself reaches the thresholds or performs an essential function for the group. Liability rests with the respective governing body of the affected legal entity.
What is the most important first step toward avoiding liability?
Conducting and documenting an initial risk analysis. This demonstrates that you have actively addressed the issue and are taking your due diligence seriously.
Can authorities simply audit my company?
Yes, NIS2 grants supervisory authorities extensive control rights, including on-site inspections and requests for evidentiary documents, even without specific cause.
What happens if the implementation deadline has expired?
Once the national law comes into effect, the sanction provisions apply. Companies that cannot provide evidence of basic measures at that point risk immediate fine proceedings.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.