How Personal Liability Arises

The Mechanism

Article 20 creates three management duties:

  1. Approve the cybersecurity risk management measures (Article 21)
  2. Oversee their implementation
  3. Attend training so the management body can assess risks and measures

If the entity violates requirements (for example, no tested backups, no incident response capability) and this violation traces back to a breach of these management duties, two things can happen:

  • The entity faces administrative fines: up to EUR 10 million or 2% of global turnover for essential entities, up to EUR 7 million or 1.4% for important entities, plus supervisory measures. For essential entities, authorities can in serious cases temporarily suspend individual managers from their functions
  • The executive can be held personally liable towards the company under national corporate law for the damage caused by the breach of duty. This is the claim that reaches private assets

What Does “Negligence” Mean?

Liability requires fault. In practice, negligence is assumed when:

  • The executive knew about a security gap (for example from audit findings) and did not act
  • Budget for clearly necessary security measures was refused despite documented risk
  • No training took place even after a security incident
  • The measures were never approved or reviewed at management level

Negligence is hard to argue when:

  • The executive followed a documented, risk-based security concept aligned with recognised standards
  • An unforeseeable zero-day exploit was used despite reasonable measures
  • The executive obtained and followed qualified expert advice

The Management Training Obligation

explicitly requires that members of the management body receive cybersecurity training. In practice:

  • At least one structured IT security training session per year for the board or executive management
  • Content should cover: duties and liability, current threats (ransomware trends, common attack vectors), backup and disaster recovery strategy, incident response and reporting deadlines (24h/72h/1 month), and cyber insurance

Documentation is critical:

  • Retain proof of participation
  • Document the training content
  • In a dispute, “we conducted and documented training” is a primary line of defence

What “Appropriate Measures” Means in Practice

Article 21 requires measures proportionate to the risk. The wording is deliberately broad, but executives should ensure the following exists and is documented:

1. Risk Management Process

  • Annual risk analysis, ideally with external support
  • Definition of critical systems
  • RTO/RPO per critical system
  • Documented risks and the measures taken

2. Backup and Recovery Strategy

  • Offline or air-gapped backup copies, not only network-reachable backups
  • Recovery tests at least quarterly
  • RTO/RPO targets documented and met in tests
  • Recovery plan included in the emergency handbook
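As an added illustration (not code from the article or its publisher), the following script turns the RTO/RPO targets from the risk management section and the backup requirements above into checkable evidence: for each critical system it verifies that an offline copy exists, that the last recovery test is no older than a quarter, and that the measured restore time and data loss stayed within the documented targets. The system names, targets, dates and test results are constructed sample data, and the 92-day threshold is this example's reading of "at least quarterly".

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data for this example: system names, RTO/RPO targets,
# dates and measured results are invented, not taken from the article.

MAX_TEST_AGE_DAYS = 92      # this example's reading of "at least quarterly"
AS_OF = date(2025, 6, 30)   # assessment date for the sample run


@dataclass
class RecoveryTest:
    tested_on: date
    restore_hours: float    # measured time until the service was usable again
    data_loss_hours: float  # age of the newest data in the restored copy
    succeeded: bool         # did the restore complete at all?


@dataclass
class CriticalSystem:
    name: str
    rto_hours: float        # recovery time objective from the risk analysis
    rpo_hours: float        # recovery point objective from the risk analysis
    offline_copy: bool      # an offline / air-gapped backup copy exists
    tests: list = field(default_factory=list)


def assess(system: CriticalSystem, today: date) -> list:
    """Return findings for one system; an empty list means no gap was found."""
    findings = []
    if not system.offline_copy:
        findings.append("no offline/air-gapped backup copy")
    if not system.tests:
        # Untested backups: the article treats these as not appropriate measures.
        findings.append("backups never tested")
        return findings
    latest = max(system.tests, key=lambda t: t.tested_on)
    age_days = (today - latest.tested_on).days
    if age_days > MAX_TEST_AGE_DAYS:
        findings.append(f"last recovery test {age_days} days ago (quarterly cadence missed)")
    if not latest.succeeded:
        findings.append("last recovery test failed")
        return findings
    # Only a successful restore can demonstrate that the targets are met.
    if latest.restore_hours > system.rto_hours:
        findings.append(f"RTO missed: restore took {latest.restore_hours}h, target {system.rto_hours}h")
    if latest.data_loss_hours > system.rpo_hours:
        findings.append(f"RPO missed: {latest.data_loss_hours}h of data lost, target {system.rpo_hours}h")
    return findings


def report(systems, today):
    """Map each system name to its list of findings."""
    return {s.name: assess(s, today) for s in systems}


def overall_compliant(findings_by_system) -> bool:
    """True only when no system has any finding."""
    return all(not f for f in findings_by_system.values())


SAMPLE_SYSTEMS = [
    CriticalSystem("erp", rto_hours=4, rpo_hours=1, offline_copy=True,
                   tests=[RecoveryTest(date(2025, 5, 12), 2.5, 0.5, True)]),
    CriticalSystem("fileserver", rto_hours=8, rpo_hours=24, offline_copy=True),
    CriticalSystem("crm", rto_hours=8, rpo_hours=4, offline_copy=False,
                   tests=[RecoveryTest(date(2025, 1, 20), 12.0, 2.0, True)]),
    CriticalSystem("mail", rto_hours=6, rpo_hours=2, offline_copy=True,
                   tests=[RecoveryTest(date(2025, 6, 2), 3.0, 1.0, False)]),
]


def run_sample():
    """Assess the constructed sample systems as of AS_OF."""
    return report(SAMPLE_SYSTEMS, AS_OF)


if __name__ == "__main__":
    results = run_sample()
    for name, findings in results.items():
        print(f"{name}: {'OK' if not findings else 'ACTION REQUIRED'}")
        for finding in findings:
            print(f"  - {finding}")
    print("overall compliant:", overall_compliant(results))
```

Each finding names the gap in the same terms the article uses (no offline copy, untested backups, missed RTO/RPO), so the printed report can be filed with the recovery-test records as part of the documentation the later sections call for.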

3. Patch Management

  • Defined update cycles and a policy for critical vulnerabilities
  • Test environment before production where feasible

4. Incident Response Plan

  • Documented in writing, with roles and responsibilities
  • Escalation chain clear, including the 24-hour early warning to the authority
  • External partners (forensics, lawyers) contracted in advance

5. Insurance

  • D&O insurance (Directors and Officers liability)
  • Cyber insurance for the entity
  • Understand both policies before a claim arises

6. Executive Training

  • At least one session per year; external trainers add credibility
  • Proof of participation archived

Practical Strategies for Minimising Liability

1. Documentation, Documentation, Documentation

Put everything in writing:

  • IT security policy, signed by the executive
  • Risk assessment results
  • IT investment decisions with rationale
  • Recovery tests with date and outcome
  • Training records
  • Audit reports, internal and external

In a dispute, “we have a concept and we document everything” is a strong position.

2. Involve External Experts

  • Annual IT security audit by an external firm
  • Penetration test at least once per year
  • Advice from IT security specialists and, where useful, a lawyer with cyber expertise

In the event of a claim: “We engaged external experts and followed their recommendations.”

3. Document Board Decisions in Writing

Examples:

  • Board resolution: “We are investing EUR 150,000 in backups”
  • Board resolution: “We will conduct quarterly recovery tests”
  • Board resolution: “We will train all employees annually”

These resolutions are later evidence that you did not act negligently.

4. D&O Insurance with Cyber Coverage

A good D&O policy covers the personal liability of executives. What to check:

  • Coverage amount appropriate to the entity’s risk profile
  • Are breaches of cybersecurity duties covered? Not all policies include this
  • Deductible level
  • Whether and to what extent regulatory proceedings are covered (coverage of administrative fines themselves is legally restricted in many member states)

Read the policy carefully before signing.

5. Prepare an Advisory Memorandum

A written memorandum from an IT consultant or lawyer along these lines: “Based on our analysis, the entity falls under . To achieve compliance, we recommend the following measures. Management has accepted these recommendations and commissioned their implementation.”

In the event of a claim: “We obtained expert advice and followed it.”

Liability Scenarios

How the risk plays out in typical situations:

  • attack, offline backups existed, restore within hours: appropriate measures were taken; no realistic liability exposure
  • attack, no backups, two weeks of downtime, management knew the risk: clear liability exposure, plus fines for the entity
  • Backups existed but were never tested, recovery failed: negligence is arguable; untested backups are not appropriate measures
  • Outdated software exploited, management was never informed despite a functioning reporting process: weak liability exposure for the executive, since the oversight duty was discharged
  • Outdated software exploited, management was informed six months earlier and ignored it: clear liability exposure

Checklist: How to Minimise Liability

Organisational

  • IT security policy in writing, signed
  • Responsibilities clear (who is the IT security officer?)
  • Budget for IT security approved
  • Board resolutions on security measures in place

Technical

  • Offline backups implemented
  • Recovery tests conducted at least quarterly
  • Patch management active
  • Endpoint protection active
  • Network segmentation active

Training and Awareness

  • Executive management trained annually
  • All employees trained annually
  • Training records archived
  • Phishing simulations conducted regularly
  • D&O insurance with cyber coverage in place
  • Cyber insurance in place
  • Policies understood
  • Lawyer with cyber expertise identified
  • Advisory memorandum archived

Audit and Compliance

  • Annual external IT security audit
  • Penetration test at least once per year
  • Gap analysis conducted
  • Findings documented, remediation plan created

Frequently Asked Questions

Can I delegate IT security to a specialist and step back from responsibility? No. Article 20 makes oversight a non-delegable management duty. You must verify that the specialist does the job. Engaging qualified experts does, however, substantially reduce your negligence risk.

What if our IT manager deliberately sabotages security measures? That is a criminal act on their part. You are not personally liable, provided you had reasonable controls in place (for example a four-eyes principle for critical decisions and a functioning reporting line).

Do we really need D&O insurance? Legally: no. Practically: strongly advisable. A liability claim after a major incident can be existential for personal assets.

Can the insurer refuse to pay? Yes: typically in cases of intent and, depending on the policy, in cases of gross negligence (for example, knowingly operating without backups despite documented risk). All the more reason to document your measures.

Further Resources

  • Explained: Who Is Affected and What Do You Need to Do? (/en/blog/nis2-einfach-erklaert/)
  • Implementation Deadlines: Timeline and Fines (/en/blog/nis2-umsetzungsfristen/)
  • Is a Management Issue (/en/blog/it-resilienz-chefsache/)
  • Audit Preparation: Checklist for IT Managers (/en/blog/audit-preparation-nis2-checklist/)
  • Silent Brick System: Hardware for Compliance (/en/produkte/silent-brick-system/)
  • Request a Demo (/en/kontakt/demo/)

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.