
NIS2 Compliance: Management Bears Personal Responsibility for AI Security

Bottom line: Executives and board members are personally liable under NIS2 for the cybersecurity of their companies, including AI systems.

The NIS2 Directive requires board members and executives to take responsibility for cybersecurity measures in their organizations, including AI systems. Violations can result in personal liability.

According to the interpretation of the NIS2 Directive (Network and Information Security Directive 2), overall responsibility for cybersecurity – and thus also for the security of AI systems – rests with corporate management. This means personal liability for board members and executives.

This particularly affects companies in critical sectors as well as larger organizations classified as “operators of essential entities” or “important digital entities” under NIS2. They must implement cybersecurity measures that meet the standard of “highest industry practice.”

This creates an obligation for management to establish adequate governance structures: regular risk analyses, incident response plans, compliance audits, and training. AI systems must be integrated into this security architecture – their vulnerability to cyberattacks or manipulated training data is the responsibility of executives and cannot be delegated to the IT department.

EU member states are currently implementing NIS2 into national law. Sanctions for non-compliance range from fines to criminal prosecution of management personnel for negligence or intentional failure.


Source: news.google.com · Published June 4, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.
