Tobias Massow
NIS2 and DORA hold executives and board members personally liable if cybersecurity is grossly neglected within the company. For CIOs and CISOs, this fundamentally changes the rules of the game: implementing technical measures alone is no longer enough. Documenting one’s duty of care has become a personal shield.
For decades, executives and managing directors could delegate responsibility for cybersecurity to the CISO or the IT department. As long as no major incident occurred, the topic stayed at the operational level. NIS2 ends that model. Section 38 of the revised BSI Act (§ 38 BSIG, as amended by the NIS2 Implementation Act) states unequivocally: executive management must supervise the implementation of the risk management measures – and is liable for violations of that duty.
Concretely, this means: if a company falls within the scope of NIS2 and executive management can be shown to have approved inadequate measures, those individuals may be held personally liable – even before any actual damage has occurred. The duty is preventive and applies from the outset, not only after an incident.
DORA intensifies this approach for the financial sector. Article 5 assigns the management body of a financial entity final responsibility for managing the entity's ICT risk. Delegation to operational units remains permissible, but it does not relieve the management body of overall accountability. Germany's Federal Financial Supervisory Authority (BaFin) has signaled that it will enforce this obligation rigorously.
“We must continue building Germany’s ‘Cyber Nation’. The threat landscape has never been more severe – and cybersecurity must be top-management business.” – Claudia Plattner, President of the BSI (Federal Office for Information Security), IT Security Situation Report 2025
NIS2 (Section 38, BSI Act / § 38 BSIG): Executive management must supervise the implementation of the risk management measures set out in Section 30 (§ 30 BSIG). It must regularly attend cybersecurity training and be able to demonstrate adequate knowledge. Personal liability applies in cases of gross negligence – and cannot be excluded by corporate bylaws or shareholder agreements.
DORA (Article 5): The management body bears ultimate responsibility for ICT risk management. It must approve the ICT risk framework, define the cyber-resilience strategy, and supervise implementation. At least once per year, the management body must assess the appropriateness of these measures. Violations may incur sanctions imposed by national financial regulators.
EU AI Act: For high-risk AI systems, the provider or deployer bears responsibility for conformity. The Act's top fine tier – up to €35 million or 7% of global annual turnover – applies to prohibited AI practices; breaches of the high-risk obligations are capped at €15 million or 3% of global annual turnover. Although the EU AI Act does not explicitly prescribe personal liability for executives, general corporate law on organ liability may apply if executives fail to supervise compliance with these obligations.
Sources: NIS2 Implementation Act (NIS2UmsuCG), EU AI Act (Regulation (EU) 2024/1689), DORA (Regulation (EU) 2022/2554)
Many executives rely on their Directors and Officers (D&O) insurance. Yet coverage has limits. D&O policies typically exclude intentional breaches of duty, and coverage for gross negligence depends entirely on the specific policy wording. It is reasonable to expect insurers to tighten their requirements for demonstrating due diligence now that the NIS2 obligations are in force.
CIOs and CISOs – jointly with the legal department – should urgently verify: Does the existing D&O policy cover cybersecurity liability risks under NIS2 and DORA? Does it contain exclusions for regulatory violations? Is the coverage limit sufficient given the new fine ceilings? This review must be completed without delay.
1. Document a Governance Framework. A written cybersecurity governance framework that clearly defines responsibilities, processes, and escalation paths. The framework must be formally adopted by the board and updated regularly. It serves as the central proof that executive management fulfills its supervisory duty.
2. Conduct Regular Board Training. NIS2 explicitly requires executive management to attend cybersecurity training on a regular basis; the Act itself does not fix a number of sessions. Documented attendance at a minimum of two sessions per year is a defensible baseline. Training should address the current threat landscape, regulatory updates, and industry-specific risks.
3. Document Risk Decisions. Every board decision concerning cybersecurity measures must be recorded in minutes. Even the conscious acceptance of residual risk must be documented and justified. In liability proceedings, documentation of the decision-making process offers the strongest protection against allegations of gross negligence.
4. Review and Adapt D&O Insurance. Audit existing policies for coverage of cybersecurity liability risks and regulatory violations. Where necessary, expand coverage – or procure dedicated cyber-D&O policies. This insurance review must be completed immediately.
5. Commission External Audits as Evidence. An independent audit conducted by a qualified auditor objectively documents the state of cybersecurity measures. ISO/IEC 27001 certification – or equivalent attestations – significantly strengthens the board’s position in liability proceedings. Audits should be repeated at least annually.
The message to the board is uncomfortable – but essential: Since the NIS2 Act entered into force, cybersecurity has become a matter of personal liability for each individual board member. Delegation to the CISO or IT department no longer shields executives from personal accountability. The board must actively supervise, undergo regular training, and meticulously document its decisions.
CIOs who deliver this message early – and simultaneously build the required governance structures – lay the foundation for legally secure IT leadership. Ignoring the issue risks not only corporate fines but also personal careers and private assets. The time to act is now.
Can a CIO be held personally liable? Yes – if the CIO is a member of executive management or has formally assumed responsibility for cybersecurity, personal liability may apply in cases of gross negligence. Section 38 of the BSI Act (§ 38 BSIG) assigns the supervisory duty to executive management and expressly prohibits exemption from liability via corporate bylaws.
What counts as gross negligence? Gross negligence arises when executive management disregards fundamental duties of care – for example, by failing to implement any risk management system, lacking incident response processes, or ignoring known security vulnerabilities. A documented governance framework and regular audits are the strongest defenses against such allegations.
Does D&O insurance cover this? Only conditionally. D&O policies typically exclude intentional breaches of duty, and coverage for gross negligence depends on the precise policy wording. CIOs should audit their D&O policy for cybersecurity liability exposure and adjust coverage where needed.
How much training is required? NIS2 requires executives to demonstrate sufficient cybersecurity knowledge. We recommend at least two documented training sessions per year covering current threats, regulatory requirements, and sector-specific risks.
What are the deadlines? The NIS2 Implementation Act entered into force in December 2025; the registration deadline with the BSI was March 2026. DORA has applied since 17 January 2025. The EU AI Act's obligations for high-risk systems become applicable from August 2026. Companies therefore have only a few months left to establish compliant governance structures.
Header Image Source: Vlada Karpovich / Pexels