NIS2 Directive: Board Members Face Personal Liability for Cybersecurity

At a glance: Under NIS2, board members are personally liable for inadequate cybersecurity measures and their oversight.

The EU directive NIS2 makes board members personally responsible for their companies’ cybersecurity governance. This marks a fundamental shift in the liability landscape for executives of critical infrastructure operators and large enterprises.

The EU’s National Implementation Protection Directive (NIS2) creates a new level of accountability for boards and chief executives. Going forward, board members can no longer delegate cybersecurity matters to lower levels without remaining personally liable for compliance with security standards.

Specifically, NIS2 requires boards to actively oversee the implementation and monitoring of appropriate cybersecurity measures. Failure to fulfil this supervisory duty can result in personal liability claims, fines, or criminal consequences. The directive applies to operators of critical infrastructure (such as energy, water, transport) as well as to large enterprises with more than 250 employees or annual revenue exceeding 50 million euros.

For CEOs, this means cybersecurity is no longer purely an IT matter, but an integral part of corporate governance. Board members must be regularly informed about cybersecurity risks, assess the adequacy of measures, and document that these are being monitored. This requires close collaboration between the board, CISOs, and risk management functions, as well as adequate resourcing of cybersecurity departments.

Source: news.google.com · Published June 4, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.2.