Skip to content

NIS2 Directive: Executives Face Personal Liability for IT Security

The bottom line: The NIS2 Directive makes executives personally responsible for IT security in their organisations.

The EU’s NIS2 Directive tightens requirements for IT security in critical infrastructures and extended sectors. Executives now bear personal liability for compliance with cybersecurity standards.

The European Union’s new IT Security Directive NIS2 significantly broadens its scope. It no longer applies only to critical infrastructures such as energy, water or transport, but extends to other sectors including digital infrastructure, public administration and increasingly to mid-sized companies—the so-called “essential entities” and “important entities”.

The Directive establishes concrete requirements that organisations must meet. These include risk management systems, incident response procedures, security measures for the supply chain and reporting of security incidents to national authorities. Companies must therefore organise their IT security systematically and be able to demonstrate compliance.

New and central is the personal responsibility of executives and boards. They are directly liable for the implementation of appropriate IT security measures. This goes beyond mere documentation obligations: executives must actively shape the cybersecurity strategy, provide adequate resources and monitor compliance. Not only violations themselves, but also negligent failure to implement security measures can result in personal liability.

For CEOs, this means an increase in governance requirements: IT security is not delegable but a leadership responsibility. Supervisory bodies must report regularly, budgets must be made transparent, and compliance becomes a strategic priority. Penalties for non-compliance can be substantial.


Source: news.google.com · Published 3 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.

Share on: