NIS2 Implementation: Personal Liability for Management up to €500,000

In brief: NIS2 introduces personal liability for executives, with fines up to €500,000 for violations of cybersecurity governance requirements.

With the implementation of the NIS2 Directive into German law, the personal liability of executives for violations of cybersecurity requirements is expanding. Companies and their board members must prepare for significant compliance requirements and fines.

The NIS2 implementation act introduces personal liability for executives who fail to meet their due diligence obligations in cybersecurity governance. According to the new regulations, fines for management personnel can be imposed up to €500,000 if they willfully or negligently neglect their responsibility for IT security measures.

For CEOs, this means direct personal liability exposure. Not only is the company itself obligated to comply – executives are assigned active responsibility for establishing, monitoring and maintaining information security management systems. This includes documentation of cybersecurity governance, regular risk assessments and the implementation of protective measures.

Personal liability does not exclude criminal consequences if violations result in significant damage or if required measures are knowingly omitted. Companies should therefore establish governance structures in which cybersecurity responsibility is clearly assigned to the board, regular board-level reporting takes place, and evidence that these duties have been performed is documented.


Source: news.google.com · Published June 7, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.