NIS2 Personal Liability: What Management Needs to Know

Most NIS2 coverage focuses on corporate fines. The provision that should keep you up at night is the one about your career.

By Jurg van Vliet

There is a sentence in NIS2 that most board members have not read. It is in Article 20(1):

"Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article."

Three obligations in one sentence. You must approve the cybersecurity measures. You must oversee their implementation. And you can be held personally liable if they are inadequate.

This is not a theoretical risk buried in a legal annex. It is the central governance provision of the most significant cybersecurity regulation Europe has produced. And the enforcement apparatus is now operational.

What "personally liable" means in practice

The directive sets a floor. Member states set the ceiling. And some have set it high.

Administrative liability exists everywhere. Regulators can impose fines on the organisation — up to EUR 10 million or 2% of global annual turnover for essential entities, EUR 7 million or 1.4% for important entities. But those fines hit the company, not you personally.

What hits you personally is Article 32(5). For essential entities, when other enforcement measures have failed, authorities can request that a court temporarily prohibit any natural person responsible for discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions. The prohibition lasts until the entity remedies its deficiencies. There is no fixed term.

Read that again. If your organisation fails to comply and does not fix it after being told to, you can be barred from your role — indefinitely — until compliance is achieved.

Italy goes further. The Italian transposition (Decreto Legislativo 138/2024) extends the management ban to both essential and important entities — beyond what the directive requires. And under Italian law, directors hold a "guarantee position" (posizione di garanzia) under criminal law. If a cyber incident causes criminally relevant consequences, directors can face criminal prosecution for failure to oversee NIS2 compliance. Delegation of operational tasks does not eliminate this criminal responsibility.

Germany codified civil liability. Section 38(2) of the new BSI Act (BSIG) makes management body members personally liable for damages incurred from breach of their cybersecurity oversight duty. The company can bring internal claims against its own directors. An earlier draft prohibited the company from waiving these claims — that prohibition was deleted from the final version, but the underlying personal liability remains.

The Netherlands is still finalising its transposition (the Cyberbeveiligingswet). The draft introduces explicit personal board liability, with boards required to demonstrate approval of cybersecurity measures. Board members must acquire sufficient cybersecurity knowledge within two years of the law entering force.

The training requirement you cannot delegate

Article 20(2) mandates that management body members undergo cybersecurity training. This is not a suggestion. It is a legal requirement.

The purpose is specific: management must gain "sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity."

Germany requires this training at least every three years, with documentation of participants, content, trainers, and duration — available for potential audits. The explanatory memorandum states that "a simple certificate of attendance will not suffice."

The training obligation is directly tied to the liability clause. A management body cannot credibly claim it approved adequate cybersecurity measures if its members were never trained to understand cybersecurity risks. If you signed off on a cybersecurity programme you did not understand, the training requirement makes that a documented governance failure.

The ten measures you must have approved

Article 21(2) lists ten minimum cybersecurity risk-management measures. All ten are mandatory. They are not a menu to choose from:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, backup management, disaster recovery, and crisis management
  4. Supply chain security — including security-related aspects of relationships with direct suppliers and service providers
  5. Security in network and information systems acquisition, development, and maintenance
  6. Policies and procedures to assess the effectiveness of cybersecurity measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding cryptography and encryption
  9. Human resources security, access control, and asset management
  10. Multi-factor authentication, secured communications

Article 20(1) says management can be held liable for infringements of Article 21. Article 21 makes all ten measures mandatory. If your organisation's cybersecurity programme is missing any of them — supply chain security, incident handling, business continuity — you have approved measures that do not comply with the directive. And you are personally exposed.

The supply chain provision (number 4) is particularly relevant after the axios npm compromise of March 2026, which demonstrated that a three-hour window on a compromised package can affect organisations globally. If your board approved cybersecurity measures that did not address software supply chain risk, that is now a documented gap against an explicit regulatory requirement.

What a NIS2 incident actually costs you

When a significant incident occurs, NIS2 requires three reports:

  • 24 hours: Early warning to the national authority. Must include whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
  • 72 hours: Full incident notification with initial severity assessment, indicators of compromise, and affected services.
  • 30 days: Final report with root cause analysis, mitigation measures, and cross-border impact assessment.

Missing these deadlines is independently sanctionable — the same penalty framework applies. Under NIS1, the Dutch authorities fined a telecommunications provider EUR 525,000 for failing to report a significant incident in a timely manner. NIS2 penalties are an order of magnitude higher.

The practical cost of an incident without adequate preparation: 48+ hours of senior engineering time in a war room, legal counsel engaged on reporting obligations, potential customer notification, regulatory communication — and the clock starts the moment you detect the incident. If your organisation cannot answer "which of our services is affected and who owns them" within hours, you are already behind on the 24-hour reporting deadline.

Authorities have signalled tolerance for early, honest imperfection — incomplete reports filed on time are treated more favourably than late or absent reports. But systematic failure to meet reporting obligations constitutes evidence of inadequate risk management, which compounds the personal liability exposure under Article 20.
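As an added illustration (not code from the article or from Clouds of Europe), here is a small Python readiness check of the kind the previous paragraphs call for: given a constructed service inventory and a constructed advisory naming a compromised version range of a package, it returns the affected services with their owners and computes the three Article 23 reporting deadlines from the detection time. Every service name, package name, version and timestamp is made up.

```python
"""Readiness check for the NIS2 reporting clock (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# NIS2 Article 23 reporting stages, counted from awareness of the incident.
REPORTING_STAGES = (
    ("early warning", timedelta(hours=24)),
    ("incident notification", timedelta(hours=72)),
    ("final report", timedelta(days=30)),
)

@dataclass(frozen=True)
class Service:
    name: str
    owner: str            # accountable team or person for this service
    dependencies: dict    # package name -> installed version string

def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def affected_services(inventory, package, bad_min, bad_max):
    """Return (service, owner, version) for every service whose installed
    version of `package` lies in [bad_min, bad_max), the compromised range."""
    lo, hi = parse_version(bad_min), parse_version(bad_max)
    hits = []
    for svc in inventory:
        installed = svc.dependencies.get(package)
        if installed and lo <= parse_version(installed) < hi:
            hits.append((svc.name, svc.owner, installed))
    return hits

def reporting_deadlines(detected_at: datetime) -> dict:
    """Map each Article 23 stage to its due time, counted from detection."""
    return {stage: detected_at + delta for stage, delta in REPORTING_STAGES}

# Constructed inventory and advisory; names, versions and times are made up.
INVENTORY = [
    Service("checkout-api", "payments-team", {"http-client-lib": "1.8.2", "util-lib": "4.17.21"}),
    Service("reporting-ui", "analytics-team", {"http-client-lib": "1.7.9"}),
    Service("batch-worker", "platform-team", {"other-lib": "2.32.3"}),
]
DETECTED_AT = datetime(2026, 3, 10, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, owner, version in affected_services(INVENTORY, "http-client-lib", "1.8.0", "1.8.3"):
        print(f"{name}: owner={owner}, installed http-client-lib {version}")
    for stage, due in reporting_deadlines(DETECTED_AT).items():
        print(f"{stage}: due {due.isoformat()}")
```

If the inventory cannot be produced from an existing asset register without manual reconstruction, that is the gap the 24-hour early warning will expose.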

Your D&O insurance may not cover this

Directors and Officers insurance policies were not designed for cyber governance failures. The gap is significant.

D&O policies typically exclude claims arising from data breaches, regulatory fines, and third-party liabilities from cyber incidents. Cyber insurance policies cover the entity's losses from cyber events but do not cover personal director liability. NIS2 creates a scenario where neither policy clearly covers the personal claim.

The additional problem: D&O policies rarely cover gross negligence or wilful neglect. If a director knew about cybersecurity deficiencies and failed to act, the insurer may deny the claim. NIS2's explicit governance requirements — approve, oversee, train — make it very difficult to argue ignorance. If you were trained, if you approved the measures, and if those measures were inadequate, the insurer's position is straightforward.

Allianz's 2026 D&O Insurance Insights report identifies that claims against directors are increasingly triggered by data breaches, ransomware attacks, and technical failures. Ransomware accounted for approximately 60% of the value of large cyber insurance claims (greater than EUR 1 million) in the first half of 2025.

The practical step: review your D&O policy with your broker. Ask whether it affirmatively covers NIS2 regulatory proceedings and personal liability arising from cyber governance failures. If cyber exclusions exist, they need to be addressed before the first audit.

The GDPR precedent

If you think personal liability under EU regulation is theoretical, consider the Clearview AI case.

In September 2024, the Dutch Data Protection Authority fined Clearview AI EUR 30.5 million for illegal facial image scraping. The DPA then announced it was investigating whether to hold Clearview AI's directors personally liable — a first in GDPR enforcement history.

The DPA's chairman stated: "This liability already exists if directors know that the GDPR is being violated, have the authority to stop that, but omit to do so, and in this way consciously accept those violations."

GDPR does not contain explicit personal liability language comparable to NIS2 Article 20. If regulators are already pursuing individual directors under GDPR's implicit framework, NIS2's explicit personal liability provisions will be enforced with greater force and clearer legal basis.

What to do about it

This is not a checklist for compliance consultants. It is a governance question for anyone whose name is on the management body.

Verify your cybersecurity programme covers all ten Article 21 measures. If you cannot confirm that supply chain security, incident handling, and business continuity are explicitly addressed, you have an immediate gap. Each missing measure is a potential infringement for which you are personally liable.

Confirm you have formally approved the measures. The directive requires management body approval — not delegation to a CISO. If the cybersecurity programme was never formally presented to and approved by the management body, the approval requirement of Article 20 has not been met.

Complete cybersecurity training. If you have not undergone training that enables you to "identify risks and assess cybersecurity risk-management practices," you are in violation of Article 20(2). Germany requires this every three years with substantive documentation.

Test your incident response capability. Can your organisation answer "which services are affected and who owns them" within hours of a supply chain advisory? Can you produce the early warning report within 24 hours? If not, the incident reporting obligations of Article 23 are at risk, and the failure compounds your Article 20 exposure.

Review your D&O policy. Confirm it covers NIS2 regulatory proceedings and personal liability for cyber governance failures. If it does not, address this with your broker before the first audit.

Document everything. The difference between personal liability and a defensible governance position is documentation. Board minutes showing approval, training records with substantive content, incident response test results, supply chain risk assessments — these are the artefacts that demonstrate you took your oversight obligation seriously.

The first NIS2 compliance audits are underway. The question is not whether the personal liability provisions will be tested — it is which organisation and which management body will be first.


This article is published on Clouds of Europe, a practitioner community building European cloud independence. We assess regulatory impact based on directive text and national transposition law — no vendor sponsorship, no product agenda.