NIS2: Executives Face Personal Liability for IT Security Deficiencies

At a glance: Under NIS2, executives are personally liable for security deficiencies and must therefore anchor IT security as a core responsibility of management.

The EU NIS2 Directive tightens requirements for information security and makes executives personally responsible for violations of IT security standards. This places cybersecurity compliance directly within management accountability.

The NIS2 Directive of the European Union extends responsibility for information security directly to senior management. Executives can henceforth be held personally liable if companies have IT security gaps or fail to meet incident reporting obligations.

For executives, this means that cybersecurity can no longer be delegated as a purely IT department matter. NIS2 compliance requires active governance measures at board level, regular monitoring of security measures, and documented decision-making processes. Failures can result in personal financial penalties or, in extreme cases, criminal prosecution.

Companies subject to the NIS2 Directive—particularly operators of critical infrastructure and large enterprises—must review their IT security organization and ensure executives and supervisory boards are appropriately instructed. A risk management framework, regular security audits, and a documented incident response procedure are central requirements to minimize personal liability.


Source: news.google.com · Published 4 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.3.