In a nutshell: Under the NIS2 Directive, executives bear personal responsibility for IT security gaps in critical infrastructure systems.
The NIS2 Directive obligates executives to assume personal liability for security deficiencies in critical IT systems such as SAP. This regulation significantly increases the personal risk exposure of corporate leaders.
The EU’s new NIS2 Directive substantially expands responsibilities in the cybersecurity domain. While its predecessor (NIS1) primarily addressed IT departments, NIS2 now explicitly targets executive management and holds them personally liable for security deficiencies in critical systems.
For CEOs and executives, this represents a qualitatively new risk situation: failures in implementing cybersecurity standards can no longer be delegated to the technical level. Instead, executive management is held directly responsible for compliance with the requirements. This applies particularly to enterprise systems such as SAP, which often map critical business processes and thus fall under this regulation.
For the affected companies, this necessitates institutionalizing IT security as a board-level issue. Executives should regularly review the security architecture of their systems, allocate appropriate budgets, and establish a governance structure that comprehensively documents compliance with the NIS2 Directive.
Source: news.google.com · Published 6 July 2026
Lumi AI News — AI-assisted curation according to Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.3.