
NIS2: Executives held personally liable for cybersecurity deficiencies

Bottom line: NIS2 holds executives personally liable for cybersecurity deficiencies, not just for organizational breaches.

The NIS2 Directive makes executives and board members personally liable for inadequate cybersecurity measures. This marks a paradigm shift: security is no longer a pure compliance task but becomes a personal responsibility of management.

With the transposition of the NIS2 Directive (Network and Information Security Directive 2) into German law, cybersecurity becomes a personal responsibility of CEOs and board members. The Directive holds them accountable for security deficiencies that lead to outages of critical infrastructure or significant data losses.

For CEOs, this concretely means: violations of NIS2 requirements can have legal consequences up to and including personal liability, regardless of whether the CEO is directly responsible for technical implementation. The duty to exercise due diligence in security matters thus becomes a management duty. This includes monitoring risks, appointing responsible parties for cybersecurity, and reporting regularly to the board or supervisory board.

In practice, this requires a systematic security governance model, documented decision-making on security investments, regular top management training on cybersecurity risks, and demonstrable incident-response procedures. Audit trails and documentation become mandatory, not as an IT afterthought but as a business process.


Source: news.google.com · Published 24 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
