NIS2 CEO Liability: What You Need to Know Now

- Cybersecurity is indispensable in the digital world. Therefore, executives are responsible for protecting IT systems as well as customer and employee data.
- The NIS2 directive emphasizes the importance of cybersecurity and obliges management to secure their company against modern threats.
- Mandatory Executive Training: At least every 3 years, executives must complete training on cyber risks.
- Personal Liability: In case of violations, members of the management board can be held personally liable.
- To ensure compliance with NIS2 requirements, those responsible must immediately take proactive security measures.
NIS2 brings new obligations and responsibilities
The NIS2 directive of the EU has also been in force in Germany since December 6, 2025. The EU regulation obliges more companies and sectors than before to take security precautions to reduce the impact of cyberattacks on business operations and better protect information and data in companies. Around 29,500 companies in Germany are affected – an increase from approximately 4,500 regulated organizations previously.
For this purpose, the directive prescribes various measures such as cyber hygiene procedures, emergency plans, and regular security audits and risk assessments. According to Article 20 of the NIS2 directive, executives are obliged to personally oversee compliance with these requirements. At least every 3 years, executives must complete training on cyber risks and security measures.
The legislator expects management, among other things, to act proactively and to establish robust security management within the company. A new requirement is that management is obliged to participate in security training themselves.
As the NIS2 directive applies to more companies than its predecessor, more management levels will have to address IT security in the future. However, even today, managing directors would be well advised to take information security seriously.
Executive Liability: Legal Foundations and Current Regulations
The NIS2 Implementation Act has been in force since December 6, 2025. In the course of its implementation, the BSI Act (BSIG) was also amended. However, managing directors have always been subject to a duty of care, legality, and supervision. This duty arises from Section 43 of the GmbH Act (GmbHG) and Section 93 of the Stock Corporation Act (AktG). Accordingly:
- IT and information security is part of the executive responsibility.
- Even without specific laws such as the BSIG or the GDPR, managing directors must implement appropriate risk management.
- Anyone who negligently or intentionally violates their duties can be held civilly liable, particularly towards their own company.
Example: If a loss occurs due to insufficient cybersecurity, for example through a ransomware attack, and the loss could have been avoided with due diligence, the management can be held liable with their personal assets.
How does NIS2 change director liability?
The NIS2 Directive does not introduce fundamental changes to management liability, but it clarifies and tightens existing obligations.
The NIS2 Implementation Act, effective December 6, 2025, specifically regulates the following:
- Explicit Management Responsibility for Cybersecurity: Management bodies must approve and oversee security measures and are responsible for their compliance (Art. 20 para. 1 NIS2; § 38 BSIG-E).
- Mandatory Training for Directors: At least every 3 years, executives must complete training on cyber risks and security measures (§ 38 para. 3 BSIG-E).
- Stricter Liability through Legal Clarification: Liability continues to arise from the GmbHG or AktG as before. However, § 38 BSIG-E now explicitly formulates this for the area of cybersecurity. For business forms without clear corporate law liability, such as foundations or registered associations, § 38 BSIG-E contains a catch-all provision for direct liability.
- Non-waivability of Liability: A waiver of liability through contracts such as the shareholders' agreement is intended to be impermissible (§ 38 para. 2 sentence 3 BSIG-E).
NIS2 Liability: What Consequences Do Managing Directors Face?
If companies fail to comply with the NIS2 Directive's requirements, they could, in the worst case, face significant fines. The amount varies depending on the type of entity:
Fines:
- Essential Entities: Up to 10 million Euros or 2% of global annual turnover (whichever is higher)
- Important Entities: Up to 7 million Euros or 1.4% of global annual turnover (whichever is higher)
However, the consequences of violating the NIS2 Directive are not only financial but also jeopardize the reputation of a company and can furthermore impact the management.
If a cyberattack against the company succeeds because insufficient security measures were implemented, the executive board can be held personally liable. This also applies if a violation is attributable to carelessness or negligence on the part of the IT department.
The following scenarios illustrate how inadequate protective measures can have an impact:
- Within the IT infrastructure, there are vulnerabilities that remained unaddressed for an extended period and served as an entry point for attackers.
- The company has not conducted appropriate employee training on cybersecurity, which allowed attackers to succeed with a phishing attack.
- No appropriate risk assessment or security audit of the systems in use was conducted, resulting in data breaches and information falling into the wrong hands.
Such errors become particularly critical for those responsible if they can be proven to have acted with gross negligence or even intent.
How can companies and managing directors protect themselves?
Managing directors are obliged to inform themselves about the requirements of NIS2 and to ensure that all necessary measures are taken. Furthermore, they must ensure that cybersecurity training takes place within their company and participate in it themselves.
Proactive action is crucial if executives want to protect their company and themselves from legal consequences. To minimize liability, managing directors and IT managers should therefore take a series of measures:
- Fulfill comprehensive NIS2 requirements: The specific requirements of the NIS2 directive include registration with the BSI, risk management, reporting processes, business continuity management, and technical security measures. A detailed overview of all obligations and implementation steps can be found in our article on NIS2 requirements for companies.
- Establish security solutions: Companies should invest in appropriate network security and data protection software that can handle current threats.
- Attend mandatory executive training: At least every 3 years, executives must attend training on cyber risks and security measures. This training obligation cannot be delegated and is the personal responsibility of the management. In addition, all employees must be regularly trained on cybersecurity topics.
- Assess applicability and register: Use the NIS2-Check by Proliance for an initial assessment of your NIS2 compliance. Regular security audits ensure that vulnerabilities can be identified early and effectively remedied. Registration with the BSI must take place immediately – particularly critical entities have until March 6, 2026, while essential entities must register immediately.
- Engage external expertise: To ensure that the company has sufficient expertise to ward off cyberattacks, it is advisable, in addition to training, to work with external data protection officers and information security officers (ISB). This way, companies ensure that, in addition to NIS2, they also correctly implement other regulations such as the GDPR.
Tip: An Information Security Management System (ISMS) helps you to secure your company effectively and strategically against threats from cyberspace and gives you the chance to obtain a coveted ISO 27001 certification.
Conclusion on NIS2 Liability: Strengthen Information Security Sooner Rather Than Later
CEOs are required to ensure adequate information security – NIS2 only makes this obligation more visible and verifiable, with clearer liability. The NIS2 Implementation Act came into force in Germany on December 6, 2025 – without a transition period. Affected companies and their CEOs must act immediately. Those who have postponed information security so far not only risk fines but, in the worst case, are even personally liable.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.