NIS2 Directive: Board Members Face Personal Liability for Cybersecurity

The bottom line: Board members become personally liable under NIS2 for cybersecurity governance and must demonstrably establish control mechanisms.

The EU’s NIS2 Directive will require board members in future to take personal responsibility for the cybersecurity strategy of their companies. This liability rule applies to critical infrastructures and large enterprises and significantly changes governance requirements.

The revised version of the European Union’s Network and Information Security Directive (NIS2) brings about a fundamental shift in responsibilities. Board members and executives will henceforth be held personally liable for the cybersecurity governance of their organisations – no longer just the companies themselves.

This regulation directly affects operators of critical infrastructures as well as large enterprises with more than 250 employees or annual revenue exceeding €50 million. Personal board liability creates a direct incentive to no longer treat cybersecurity as a secondary IT matter, but to anchor it as a strategic management task. Board members must document that they have conducted risk assessments, monitored security measures and overseen emergency plans.

In concrete terms, this means for CEOs that cybersecurity measures become part of executive compensation, that insurance and liability considerations gain in importance, and that communication with supervisory boards or boards of directors must be demonstrably documented. Companies should review their governance structures and ensure that cybersecurity decisions are made at board level and recorded in the minutes.

Source: news.google.com · Published 4 June 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.2.