For most of the past two decades, cybersecurity regulation in Europe targeted the organisation. A breach meant a corporate fine, a remediation order, and a reputational bruise. The people who governed the organisation rarely faced direct legal consequences. The NIS2 Directive changed that premise. For the first time at EU level, the directive attaches accountability for cybersecurity governance to the individuals who sit on the management body, and it does so in a way that several member states have transposed into genuine personal exposure: administrative fines against individuals, and in some jurisdictions, temporary bans from holding management positions.
By mid-2026 this is no longer theoretical. The October 2024 transposition deadline has passed, the large majority of member states have national laws in force, and enforcement has begun in markets including Germany, France, and the Netherlands. If you lead security, privacy, or compliance for an entity in scope, the question is no longer whether NIS2 creates personal liability, but who carries it, how far it reaches, and what you can document to manage it. This article is part of our broader look at The State of Security Leadership in 2026, and it sits alongside our existing analysis of CISO Under Fire: Navigating Personal Liability.
Why personal liability changed
NIS2 was deliberately designed to pull cybersecurity out of the IT department and into the boardroom. The drafters concluded that the older approach, where security was treated as a technical cost centre delegated downward, produced under-investment and weak oversight. Their remedy was to make the governing body legally responsible for the decisions that matter: approving the risk-management approach, funding it, and verifying that it is actually implemented.
The shift is structural, not cosmetic. Under NIS2, approving a policy and then delegating everything to the CISO is not a defence. The management body must demonstrate active, documented oversight. That reframing is what creates personal exposure, because the obligations now sit with named individuals who can be assessed against a standard of conduct.
What NIS2 actually says
The core provisions for leaders to understand are Articles 20, 21, and 32.
Article 20 is the accountability anchor. Article 20(1) requires that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken to comply with Article 21 and oversee their implementation, and it provides that those bodies can be held liable for infringements of that article. Article 20(2) adds a distinct duty: members of the management body must follow training to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices, and entities are encouraged to offer similar training to staff. The training duty is a standalone obligation. A board member who cannot demonstrate adequate cybersecurity training is in breach of Article 20(2) regardless of whether an incident has occurred.
Article 21 defines the substance that must be approved and overseen. It requires entities to take appropriate and proportionate technical, operational, and organisational measures, built on an all-hazards, risk-based approach, and it lists a minimum set: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, vulnerability handling and disclosure, security in acquisition and development, policies to assess effectiveness, basic cyber hygiene and training, cryptography, human resources and access control, and multi-factor authentication. Without structured, traceable documentation, an entity cannot show that these measures are appropriate and proportionate, which is precisely the evidentiary standard against which the management body’s oversight will be judged.
Article 32 governs enforcement for essential entities and is where the sharper personal consequences live. Among the supervisory and enforcement powers, Article 32(5) allows a competent authority, where other measures have proven ineffective, to request that a court or relevant body temporarily prohibit a natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. The directive pairs this with the ability to temporarily suspend a certification or authorisation. These powers are reserved for serious, persistent failure rather than a single lapse, but they exist.
Who is liable, and where the CISO sits
The term that matters is management body. NIS2 uses it to mean the body responsible for the entity’s strategic direction and oversight, which in practice maps to the board of directors, the supervisory or management board, the executive committee, and the company’s senior governing officers depending on national corporate structure. These are the individuals on whom Article 20 places the approval, oversight, and training duties.
Here is the nuance that security leaders most often get wrong: the CISO is generally not, by virtue of the title, a member of the management body. The directive’s obligations and its liability provisions fall on the governing body, not on the security function that operates beneath it. A CISO who does not sit on the board or executive committee is not the named addressee of Article 20.
That does not make the CISO safe, and treating it as such is the mistake. First, where a CISO is also a statutory director, executive committee member, or legal representative, they are squarely inside the management body and inside Article 20, including the Article 32 ban exposure. Second, even where the CISO sits outside the management body, national corporate, employment, and tort law continues to apply. A security leader whose conduct amounts to gross negligence, misrepresentation to the board, or failure to escalate a known material risk can face liability under those regimes, and such claims can fall outside the protection of directors and officers insurance. Third, the practical reality is that the board will look to the CISO to supply the evidence, the assurance, and the sign-off material that protect them under Article 20. If that material is absent or misleading, the CISO owns the consequences in a different but real sense.
The honest summary: NIS2’s explicit personal liability targets the management body, but the CISO is the person who either equips that body to discharge its duty or exposes it. Both positions carry risk worth managing deliberately, a point we develop in negotiating your CISO liability package.
Gross negligence, bans, and the real consequences
The consequences fall into three tiers.
Corporate fines. For essential entities, NIS2 sets a maximum administrative fine of at least EUR 10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher. For important entities the ceiling is at least EUR 7 million or 1.4% of global turnover, whichever is higher. These are EU-level floors for the maximum; member states can and do set figures at or above them.
Personal administrative consequences. Beyond the corporate fine, member states must ensure the management body can be held liable for breaches. National transposition determines what this means in practice, and it varies. Several jurisdictions provide for personal fines against individual managers, and the standard that typically triggers the most serious exposure is gross negligence rather than an honest, documented judgement call that turned out wrong.
Management bans. Article 32(5) lets authorities seek a temporary prohibition on a senior manager exercising managerial functions in an essential entity. Some member states have transposed this directly. Where it applies, a persistent governance failure can cost a senior leader the ability to hold their role, which is a career consequence with no corporate-fine equivalent.
A further point that security leaders should flag to their boards: a finding of gross negligence can void directors and officers insurance coverage and open the door to personal liability suits under national corporate law. The protection that executives assume they have is conditional, and the condition is conduct.
How transposition varies
NIS2 is a directive, not a regulation, so it takes effect through national law and the detail differs by country. As of mid-2026 the majority of member states have transposed, though a handful remain behind schedule, and enforcement maturity is uneven.
A few illustrative contrasts. Germany’s implementing law provides for personal accountability of managing directors and board members, including personal fines and the prospect of temporary bans from management functions, with individual exposure for governance failures reported in the range of hundreds of thousands of euros. Italy’s transposition explicitly allows the national authority to impose, as an accessory sanction, a temporary incapacity to perform managerial functions on board members of repeat-offender essential entities. The Netherlands’ Cyberbeveiligingswet escalates from corrective orders through fines to disqualification of responsible directors for serious non-compliance. Ireland’s national cyber security legislation has worked through its parliamentary process with comparable management-body duties.
The practical lesson for any leader operating across borders: do not assume the regime you understand in one member state is the regime you face in another. Penalty ceilings, the definition of the management body, the precise gross-negligence standard, and the availability of management bans all turn on national law. Cross-border entities should map their obligations jurisdiction by jurisdiction rather than to a single EU baseline.
What a security leader should do
The defensible position under NIS2 is built on evidence, governance, and contract. Concrete steps:
Establish documented board sign-off. Article 20(1) requires the management body to approve the Article 21 measures. Make that approval real and minuted. Bring a clear risk-management proposal to the board, record the decision, and record the residual risk the board is accepting. The minute is the evidence that oversight happened.
Report to the board on a fixed cadence, in their language. Replace ad hoc updates with structured, recurring reporting that ties security posture to business risk, tracks the Article 21 measures, and surfaces material changes and incidents. The aim is to put the board in a position where it can credibly say it exercised oversight, not merely received a deck.
Keep training records for the management body. Article 20(2) is a standalone obligation that bites whether or not an incident occurs. Ensure board members actually undertake cybersecurity training and that completion is documented with dates and content. Missing training records are an easy, avoidable finding.
Document the basis for every material judgement. Appropriate and proportionate is an evidentiary standard. When you accept, defer, or de-prioritise a risk, write down the rationale and who decided. A contemporaneous record of a reasoned decision is the difference between a defensible judgement call and an allegation of gross negligence.
Secure your own position contractually. If you are a CISO, clarify in writing whether you are inside or outside the management body, confirm your reporting line, and confirm directors and officers coverage, indemnification, and the boundaries of both. Push for a direct or unfiltered reporting line to the board so that escalations are demonstrable and cannot be diluted on the way up. Our guide to negotiating your CISO liability package covers the specific clauses worth pursuing.
Map jurisdictions. For multi-country operations, build a register of which entities are essential or important, under which national law, with which penalty ceilings and which personal-liability mechanisms. This is the input that lets you brief each board accurately.
Conclusion
NIS2 did something European cybersecurity law had avoided for years: it named the people responsible and gave regulators tools to reach them. The explicit personal-liability provisions sit on the management body, not on the CISO title by default, but the distinction is thinner than it looks. Where a security leader sits on the board, they are directly in scope. Where they do not, they are the person who equips the board to meet its duty, and gross negligence or failure to escalate carries its own exposure under national law, potentially without insurance behind it.
The leaders who will navigate this well are not the ones who panic about EUR 10 million ceilings or management bans. They are the ones who treat documented sign-off, structured board reporting, training records, and clear contractual protection as routine governance. Those records are what convert NIS2 from a personal threat into a defensible, well-evidenced way of running a security programme.
This article is provided for informational purposes only and does not constitute legal advice. NIS2 transposition, definitions, and penalties vary by EU member state; consult qualified counsel in your jurisdiction.