NIS2 Directive: Personal Liability for Management from July 2024

In a nutshell: Under NIS2, company management becomes personally liable for insufficient cybersecurity measures in their organizations.

The EU’s NIS2 Directive obliges around 30,000 companies to implement stricter cybersecurity standards from July 2024 onwards. Management and board members are now personally liable for violations of the new requirements.

The NIS2 Directive (Network and Information Security Directive 2) entered into force on 17 October 2022 and requires Member States to complete national implementation by July 2024. The aim of the Directive is to raise the level of cybersecurity in European companies, particularly in critical infrastructures and among service providers.

The Directive covers around 30,000 companies in Germany that are classified as “operators of essential services” or “digital service providers”. This includes companies in the sectors of energy, transport, water, health, digital infrastructure and financial services. NIS2 prescribes mandatory measures: risk and security management systems, supply chain security, incident reporting within 72 hours and regular penetration testing. A new feature is an explicit provision on personal liability of management and board members for violations of these obligations.


Source: news.google.com · Published 4 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.
