At a glance: From December 2026, executives will bear personal responsibility for ensuring their organizations’ compliance with NIS2 requirements.
With the implementation of the NIS2 Directive into German law, the personal liability of executives for cybersecurity failings will become a reality from December 2026. This has significant consequences for the governance of critical and important infrastructure.
The European NIS2 Directive on network and information security obliges operators of critical and important infrastructure to adhere to enhanced cybersecurity standards. With its implementation into German law, this responsibility will become concrete at the executive level from December 2026: board members and executives will be personally liable for meeting these requirements.
For executives and business leaders, this means that missing or inadequate cybersecurity measures no longer affect only the company, but can also lead to personal consequences under criminal or civil law. Liability extends to areas such as incident response, risk management, employee training, and the documentation of security measures.
For CEOs and executives, this requires a fundamental realignment of cybersecurity governance: the implementation of NIS2 requirements must shift from the IT department to the executive board and supervisory board. This encompasses not only technical implementation, but also regular compliance audits, the establishment of a security culture, and demonstrable control over security processes.
Source: news.google.com · Published 1 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.6.2.