Tags: NIS2, Compliance, Governance

NIS2 Management Liability: Why Executives Are Personally on the Hook

Trout Team, 6 min read

The Liability Shift Nobody Expected

Most cybersecurity regulations punish the company. Fines go to the entity. Enforcement actions target the legal person. NIS2 breaks that pattern. Article 20 and Article 32 introduce direct, personal liability for members of management bodies in essential and important entities.

This means the CEO, CTO, board members, and managing directors of companies in scope can be held individually responsible for cybersecurity failures. Not the company. Them.

National transposition laws across EU member states are now active. Germany's NIS2 Implementation Act (NIS2UmsuCG), Belgium's NIS2 law, and others have codified these provisions into enforceable national law. As we covered in our overview of NIS2 enforcement timelines and first steps for compliance, this is no longer a directive on paper.

What the Legal Provisions Actually Say

Article 20(1) requires that management bodies of essential and important entities approve the cybersecurity risk-management measures taken by their organization and oversee their implementation. Management can be held liable for infringements.

Article 20(2) mandates that members of management bodies follow training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices.

Article 32(5) gives competent authorities the power to request that essential entities temporarily suspend certifications or authorizations — and to request a temporary ban on any natural person exercising managerial functions at CEO or legal representative level.

The word "temporary" is doing heavy lifting there. A temporary ban from management functions is a career-altering enforcement action.

How Liability Flows from Company to Individual

The chain is straightforward:

  1. The entity must implement cybersecurity risk-management measures (Article 21)
  2. Management bodies must approve and oversee those measures (Article 20)
  3. If the entity fails, competent authorities investigate
  4. If the failure stems from management negligence, authorities can pursue personal liability
  5. If gross negligence is found, temporary bans from managerial positions become available

The critical linkage is between "approval and oversight" and "failure." If management rubber-stamped a cybersecurity program without understanding it, without allocating resources, or without following up on known gaps — that is the liability trigger.

What "Gross Negligence" Means in Practice

NIS2 does not define gross negligence in detail. National laws apply their own standards. But across EU jurisdictions, gross negligence in a corporate governance context generally means:

  • Ignoring known risks — You were told about a vulnerability or gap and did nothing
  • Failing to allocate resources — The cybersecurity budget was cut to zero or near-zero despite identified risks
  • No oversight structure — Management never reviewed, questioned, or challenged cybersecurity reports
  • No training — Management bodies never underwent cybersecurity training as required by Article 20(2)
  • Delegation without verification — Handing cybersecurity to a subordinate and never checking outcomes

The standard is not perfection. No regulator expects zero incidents. The standard is: did management take reasonable steps, proportionate to the risk, and did they actively oversee the result?

NIS2 vs GDPR: Personal Liability Comparison

Executives already familiar with GDPR often assume NIS2 works the same way. It does not.

Primary liability target
  GDPR: The data controller/processor (the entity)
  NIS2: The entity AND management bodies personally

Personal liability for executives
  GDPR: Indirect, only via national corporate law
  NIS2: Direct, Article 20 and Article 32(5) explicitly name management bodies

Temporary management ban
  GDPR: Not available as an enforcement tool
  NIS2: Available for essential entities under Article 32(5)

Maximum fines (entity)
  GDPR: Up to EUR 20M or 4% of global turnover
  NIS2: Up to EUR 10M or 2% of global turnover (essential entities)

Training mandate for management
  GDPR: No specific requirement
  NIS2: Mandatory under Article 20(2)

Oversight obligation
  GDPR: Implied through the accountability principle
  NIS2: Explicit, management must approve and oversee measures

National variation
  GDPR: High (interpretation varies)
  NIS2: High (transposition varies, but personal liability is in the directive text)

The key difference: GDPR fines hit the company's balance sheet. NIS2 enforcement can hit the executive's career directly.

What Management Must Do to Demonstrate Due Diligence

Due diligence under NIS2 is not a one-time checkbox. It is a continuous obligation. Management bodies should:

  1. Complete cybersecurity training — Documented, recurring, and relevant to your sector. Generic "awareness" modules are insufficient.
  2. Formally approve the risk-management framework — Board minutes should record the approval of cybersecurity measures, the rationale, and any dissenting views.
  3. Review cybersecurity posture regularly — Quarterly at minimum. Not an annual slide deck.
  4. Allocate proportionate resources — Budget decisions must be documented. If a CISO requests funding and is denied, that denial is discoverable.
  5. Establish clear reporting lines — Who reports cybersecurity status to the board? How often? What triggers an escalation?
  6. Test incident response — Management should participate in or observe tabletop exercises at least annually.
  7. Audit third-party and supply chain risk — Article 21 includes supply chain security. Management must oversee vendor risk assessments.

What Documentation Protects Executives

If enforcement action occurs, the question is: can you demonstrate that management took its oversight obligation seriously? The following documentation creates a defensible record:

  • Board minutes showing cybersecurity was a recurring agenda item with substantive discussion
  • Training records for all management body members, including dates, topics, and providers
  • Risk assessment reports presented to and acknowledged by management
  • Budget allocation records showing cybersecurity investment proportionate to risk
  • Incident response test results reviewed by management
  • Audit findings and remediation tracking showing that identified gaps were addressed on a defined timeline
  • Vendor risk assessment documentation covering critical supply chain partners

None of this requires management to become security engineers. It requires them to govern — to ask questions, allocate resources, and follow up.

The Practical Takeaway for C-Suite and Boards

NIS2 treats cybersecurity governance the way financial regulations treat fiduciary duty. You cannot claim ignorance. You cannot fully delegate without oversight. And if things go wrong because you failed to govern, the consequences attach to you personally.

The executives who will be protected are not the ones with the biggest security budgets. They are the ones who can demonstrate — with documentation — that they understood the risks, made informed decisions, allocated reasonable resources, and maintained active oversight. Start building that record now.
For more NIS2 resources, sovereign deployment options, and compliance guides, visit the NIS2 Compliance for On-Premise OT hub.