---
title: "Personal Liability Under NIS2: What Executives Need to Know"
date: 2026-01-21T08:35:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/personal-liability-under-nis2"
section: "Entries: Articles"
---
### How Personal Liability Arises [\#](#how-personal-liability-arises "How Personal Liability Arises")

#### The Mechanism [\#](#the-mechanism "The Mechanism")

Article 20 NIS2 creates three management duties:

1. **Approve** the cybersecurity risk management measures (Article 21)
2. **Oversee** their implementation
3. **Attend training** so the management body can assess risks and measures

If the entity violates NIS2 requirements (for example, no tested backups, no incident response capability) and this violation traces back to a breach of these management duties, two things can happen:

- **The entity** faces administrative fines: up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities; up to EUR 7 million or 1.4% for important entities; plus supervisory measures. For essential entities, authorities can in serious cases temporarily prohibit individual managers at CEO or legal-representative level from exercising managerial functions
- **The executive** can be held personally liable towards the company under national corporate law for the damage caused by the breach of duty. This is the claim that reaches private assets

#### What Does “Negligence” Mean? [\#](#what-does-negligence-mean "What Does Negligence Mean?")

Liability requires fault. In practice, negligence is likely to be found when:

- The executive knew about a security gap (for example from audit findings) and did not act
- Budget for clearly necessary security measures was refused despite documented risk
- No training took place even after a security incident
- The measures were never approved or reviewed at management level

Negligence is hard to argue when:

- The executive followed a documented, risk-based security concept aligned with recognised standards
- An unforeseeable zero-day exploit was used despite reasonable measures
- The executive obtained and followed qualified expert advice

---

### The Management Training Obligation [\#](#the-management-training-obligation "The Management Training Obligation")

NIS2 explicitly requires that members of the management body follow cybersecurity training on a regular basis. The Directive fixes neither frequency nor content, so the following is a defensible minimum in practice:

- At least one structured IT security training session per year for the board or executive management
- Content should cover: NIS2 duties and liability, current threats (ransomware trends, common attack vectors), backup and disaster recovery strategy, incident response and reporting deadlines (24h/72h/1 month), and cyber insurance

**Documentation is critical:**

- Retain proof of participation
- Document the training content
- In a dispute, “we conducted and documented training” is a primary line of defence

---

### What “Appropriate Measures” Means in Practice [\#](#what-appropriate-measures-means-in-practice "What Appropriate Measures Means in Practice")

Article 21 requires measures proportionate to the risk. The wording is deliberately broad, but executives should ensure the following exists and is documented:

#### 1. Risk Management Process [\#](#1-risk-management-process "1. Risk Management Process")

- Annual risk analysis, ideally with external support
- Definition of critical systems
- RTO/RPO per critical system
- Documented risks and the measures taken

#### 2. Backup and Recovery Strategy [\#](#2-backup-and-recovery-strategy "2. Backup and Recovery Strategy")

- Offline or air-gapped backup copies, not only network-reachable backups
- Recovery tests at least quarterly
- RTO/RPO targets documented and met in tests
- Recovery plan included in the emergency handbook
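As an added example (not code from the article or from FAST LTA), the following Python script shows what a quarterly recovery test can produce as evidence: it restores a constructed backup set, checks the restored files against a hash manifest recorded at backup time, measures the restore time against the documented RTO and the backup's age against the RPO, and returns a dated record that can be filed with the emergency handbook. The names `RecoveryTarget`, `take_backup`, `run_restore_drill`, the manifest layout and the sample `erp-db` targets are assumptions made for this illustration; `demo_drill(corrupt=True)` reproduces the "backup existed but was never tested" case from the liability scenarios, where the restore completes but the data no longer matches what was backed up.

```python
"""Restore drill: verify a backup restore against documented RTO/RPO targets
and return a dated evidence record. Added example, not code from the article
or from FAST LTA; RecoveryTarget, take_backup, run_restore_drill and the
manifest layout are assumptions, and all drill data is constructed in a temp dir."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RecoveryTarget:
    system: str
    rto: timedelta  # maximum acceptable restore time
    rpo: timedelta  # maximum acceptable age of the newest usable backup


def hash_tree(root: str) -> dict:
    """SHA-256 of every file under root, keyed by path relative to root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def take_backup(source: str, backup_root: str, taken_at: datetime) -> str:
    """Copy source into a dated backup set plus a manifest of file hashes.
    The manifest is what a later drill verifies: a restore that completes but
    yields different bytes is a failed restore."""
    dest = os.path.join(backup_root, taken_at.strftime("%Y%m%dT%H%M%SZ"))
    shutil.copytree(source, os.path.join(dest, "data"))
    manifest = {"taken_at": taken_at.isoformat(), "files": hash_tree(source)}
    with open(os.path.join(dest, "manifest.json"), "w") as fh:
        json.dump(manifest, fh)
    return dest


def run_restore_drill(target: RecoveryTarget, backup_set: str,
                      restore_to: str, now: datetime) -> dict:
    """Restore one backup set, verify it, and return the evidence record."""
    with open(os.path.join(backup_set, "manifest.json")) as fh:
        manifest = json.load(fh)
    taken_at = datetime.fromisoformat(manifest["taken_at"])

    started = time.monotonic()
    shutil.copytree(os.path.join(backup_set, "data"), restore_to)  # the restore
    restore_seconds = time.monotonic() - started

    restored = hash_tree(restore_to)
    mismatched = sorted(p for p, h in manifest["files"].items() if restored.get(p) != h)
    data_age = now - taken_at  # work that would be lost: the RPO question

    record = {
        "system": target.system,
        "drill_date": now.isoformat(),
        "backup_set": os.path.basename(backup_set),
        "restore_seconds": round(restore_seconds, 3),
        "rto_seconds": target.rto.total_seconds(),
        "data_age_seconds": data_age.total_seconds(),
        "rpo_seconds": target.rpo.total_seconds(),
        "files_verified": len(manifest["files"]),
        "files_mismatched": mismatched,
        "rto_met": restore_seconds <= target.rto.total_seconds(),
        "rpo_met": data_age <= target.rpo,
        "integrity_ok": not mismatched,
    }
    record["passed"] = record["rto_met"] and record["rpo_met"] and record["integrity_ok"]
    return record


def demo_drill(corrupt: bool = False, stale: bool = False) -> dict:
    """Build constructed sample data, back it up, run one drill, clean up.
    corrupt=True alters the backup after its manifest was written (the
    'backup existed but was never tested' case); stale=True ages it past RPO."""
    target = RecoveryTarget("erp-db", rto=timedelta(hours=4), rpo=timedelta(hours=24))
    root = tempfile.mkdtemp(prefix="drill-")
    try:
        source = os.path.join(root, "source")
        os.makedirs(source)
        with open(os.path.join(source, "ledger.csv"), "w") as fh:
            fh.write("id,amount\n1,100\n2,250\n")  # constructed sample data
        with open(os.path.join(source, "config.ini"), "w") as fh:
            fh.write("[db]\nhost=erp-db\n")
        now = datetime(2026, 1, 21, 8, 0, tzinfo=timezone.utc)
        taken = now - (timedelta(days=3) if stale else timedelta(hours=6))
        backup_set = take_backup(source, os.path.join(root, "backups"), taken)
        if corrupt:
            with open(os.path.join(backup_set, "data", "ledger.csv"), "a") as fh:
                fh.write("3,9999\n")
        return run_restore_drill(target, backup_set, os.path.join(root, "restore"), now)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Call `demo_drill()` for the passing case; the dictionary it returns is the artefact to archive with date and outcome. The RTO measured here is the wall-clock time of the copy alone; a real drill should time the whole procedure, including locating the media, bringing an air-gapped system online and restarting the application, since that is the figure management approved.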

#### 3. Patch Management [\#](#3-patch-management "3. Patch Management")

- Defined update cycles and a policy for critical vulnerabilities
- Test environment before production where feasible

#### 4. Incident Response Plan [\#](#4-incident-response-plan "4. Incident Response Plan")

- Documented in writing, with roles and responsibilities
- Escalation chain clear, including the 24-hour early warning to the authority
- External partners (forensics, lawyers) contracted in advance

#### 5. Insurance [\#](#5-insurance "5. Insurance")

- D&O insurance (Directors and Officers liability)
- Cyber insurance for the entity
- Understand both policies before a claim arises

#### 6. Executive Training [\#](#6-executive-training "6. Executive Training")

- At least one session per year, external trainers add credibility
- Proof of participation archived

---

### Practical Strategies for Minimising Liability [\#](#practical-strategies-for-minimising-liability "Practical Strategies for Minimising Liability")

#### 1. Documentation, Documentation, Documentation [\#](#1-documentation-documentation-documentation "1. Documentation, Documentation, Documentation")

Put everything in writing:

- IT security policy, signed by the executive
- Risk assessment results
- IT investment decisions with rationale
- Recovery tests with date and outcome
- Training records
- Audit reports, internal and external

In a dispute, “we have a concept and we document everything” is a strong position.

#### 2. Involve External Experts [\#](#2-involve-external-experts "2. Involve External Experts")

- Annual IT security audit by an external firm
- Penetration test at least once per year
- Advice from IT security specialists and, where useful, a lawyer with cyber expertise

In the event of a claim: “We engaged external experts and followed their recommendations.”

#### 3. Document Board Decisions in Writing [\#](#3-document-board-decisions-in-writing "3. Document Board Decisions in Writing")

Examples:

- Board resolution: “We are investing EUR 150,000 in hardware air gap backups”
- Board resolution: “We will conduct quarterly recovery tests”
- Board resolution: “We will train all employees annually”

These resolutions are later evidence that you did not act negligently.

#### 4. D&O Insurance with Cyber Coverage [\#](#4-d-o-insurance-with-cyber-coverage "4. D&O Insurance with Cyber Coverage")

A good D&O policy covers the personal liability of executives. What to check:

- Coverage amount appropriate to the entity’s risk profile
- Are breaches of cybersecurity duties covered? Not all policies include this
- Deductible level
- Whether and to what extent regulatory proceedings are covered (coverage of administrative fines themselves is legally restricted in many member states)

Read the policy carefully before signing.

#### 5. Prepare an Advisory Memorandum [\#](#5-prepare-an-advisory-memorandum "5. Prepare an Advisory Memorandum")

A written memorandum from an IT consultant or lawyer along these lines: “Based on our analysis, the entity falls under NIS2. To achieve compliance, we recommend the following measures. Management has accepted these recommendations and commissioned their implementation.”

In the event of a claim: “We obtained expert advice and followed it.”

---

### Liability Scenarios [\#](#liability-scenarios "Liability Scenarios")

How the risk plays out in typical situations:

- **Ransomware attack, offline backups existed, restore within hours:** appropriate measures were taken; no realistic liability exposure
- **Ransomware attack, no backups, two weeks of downtime, management knew the risk:** clear liability exposure, plus fines for the entity
- **Backups existed but were never tested, recovery failed:** negligence is arguable; untested backups are not appropriate measures
- **Outdated software exploited, management was never informed despite a functioning reporting process:** weak liability exposure for the executive, since the oversight duty was discharged
- **Outdated software exploited, management was informed six months earlier and ignored it:** clear liability exposure

---

### Checklist: How to Minimise Liability [\#](#checklist-how-to-minimise-liability "Checklist: How to Minimise Liability")

#### Organisational [\#](#organisational "Organisational")

- IT security policy in writing, signed
- Responsibilities clear (who is the IT security officer?)
- Budget for IT security approved
- Board resolutions on security measures in place

#### Technical [\#](#technical "Technical")

- Offline backups implemented (hardware air gap)
- Recovery tests conducted at least quarterly
- Patch management active
- Endpoint protection active
- Network segmentation active

#### Training and Awareness [\#](#training-and-awareness "Training and Awareness")

- Executive management trained annually
- All employees trained annually
- Training records archived
- Phishing simulations conducted regularly

#### Insurance and Legal [\#](#insurance-and-legal "Insurance and Legal")

- D&O insurance with cyber coverage in place
- Cyber insurance in place
- Policies understood
- Lawyer with cyber expertise identified
- Advisory memorandum archived

#### Audit and Compliance [\#](#audit-and-compliance "Audit and Compliance")

- Annual external IT security audit
- Penetration test at least once per year
- Gap analysis conducted
- Findings documented, remediation plan created

---

### Frequently Asked Questions [\#](#frequently-asked-questions "Frequently Asked Questions")

**Can I delegate IT security to a specialist and step back from responsibility?** No. Article 20 makes oversight a non-delegable management duty. You must verify that the specialist does the job. Engaging qualified experts does, however, substantially reduce your negligence risk.

**What if our IT manager deliberately sabotages security measures?** That is a criminal act on their part. You are not personally liable, provided you had reasonable controls in place (for example a four-eyes principle for critical decisions and a functioning reporting line).

**Do we really need D&O insurance?** Legally: no. Practically: strongly advisable. A liability claim after a major incident can be existential for personal assets.

**Can the insurer refuse to pay?** Yes, typically in cases of intent and, depending on the policy, in cases of gross negligence (for example, knowingly operating without backups despite documented risk). All the more reason to document your measures.

---

### Further Resources [\#](#further-resources "Further Resources")

- [NIS2 Explained: Who Is Affected and What Do You Need to Do?](/en/blog/nis2-einfach-erklaert/)
- [NIS2 Implementation Deadlines: Timeline and Fines](/en/blog/nis2-umsetzungsfristen/)
- [IT Resilience Is a Management Issue](/en/blog/it-resilienz-chefsache/)
- [NIS2 Audit Preparation: Checklist for IT Managers](/en/blog/audit-preparation-nis2-checklist/)
- [Silent Brick System: Hardware Air Gap for NIS2 Compliance](/en/produkte/silent-brick-system/)
- [Request a Demo](/en/kontakt/demo/)

### NIS2

The NIS2 Directive (EU 2022/2555) is an EU directive, transposed into national law by each member state, that obliges essential and important entities to implement specific cybersecurity measures — including demonstrable backup management, crisis management and reporting obligations — with personal liability for management bodies in case of non-compliance.

[Learn more →](https://www.fast-lta.de//en/glossary/nis2)

### IT Resilience

IT resilience is the ability of an IT infrastructure to remain functional under adverse conditions — from cyber attacks through hardware failures to natural disasters — or to restore functionality within a defined timeframe so that critical business processes are maintained.

[Learn more →](https://www.fast-lta.de//en/glossary/it-resilience)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)
