
A CISO Almost Went to Prison for Hiding a Breach

The Joe Sullivan Uber case shows what the NIS2 Directive and § 38 BSIG actually mean for the personal liability of management bodies — and why this American story has become Europe's template.

Dr. Sait Yalazay, PhD / LLM / MBA
CISO — DPO — Author | CISM — CIPP — AAISM — LA 27001, 27701, 22301, 42001
Architect of Automated Compliance Systems for NIS2, GDPR, ISMS, BCM, DORA, Tisax, AI Act & NATO Cyber Security Framework

Published on May 11, 2026

A CISO Almost Went to Prison for Hiding a Breach.

Under NIS2, His Case Is Now Europe’s Template.

Most European executives still call this an American story.

On 5 October 2022, a federal jury in San Francisco convicted the former Chief Security Officer of Uber Technologies on two felony counts.1 He was the first CISO in history convicted of crimes connected to a cybersecurity breach. The breach itself was not the crime. The cover-up was.

Under NIS2, that comfort is no longer available. The directive — and the German BSIG that transposes it — now contains every component that turned a contained Uber breach into a criminal conviction: a personal duty on the management body, a hard reporting obligation, and the explicit statutory authority to hold individuals liable when those duties are breached.2 The conditions differ. The legal architecture is functionally comparable.

This article walks through both: what the convicted CSO actually did, and what an EU executive doing the same thing today could face under Article 20, Article 23, Article 32, and §38 BSIG.

What happened in San Francisco

On 14 November 2016 — ten days after he had testified under oath to the Federal Trade Commission about Uber’s cybersecurity programme — he received an email from hackers who had breached the company’s systems for the second time.3 The breach was massive: 57 million user records and 600,000 driver licence numbers, exploiting the same category of vulnerability he had described to the FTC days earlier.

He did not disclose. He arranged for Uber to pay the attackers USD 100,000 in Bitcoin, routed through the company’s bug bounty programme, and required them to sign non-disclosure agreements that falsely characterised what they had done as authorised security research.4 He told a subordinate that they “can’t let this get out.” He continued working on the FTC response — now based on materially incomplete information — and Uber negotiated a preliminary FTC settlement while the regulator was relying on a false picture of the company’s security posture.

After a four-week trial in 2022, the jury returned guilty verdicts on obstruction of FTC proceedings and misprision of a felony.5 In May 2023, the CSO was sentenced to three years’ probation, 200 hours of community service, and a USD 50,000 fine.6

The sentence stopped short of imprisonment. The warning attached to it did not. In delivering the sentence, the federal judge stated that future defendants in similar cases should expect custodial sentences regardless of mitigating factors — a remark every European executive responsible for security should commit to memory.7 On 13 March 2025, a unanimous Ninth Circuit panel upheld the conviction. The court was explicit: illegal conduct cannot be laundered through a non-disclosure agreement.8

The CSO was not convicted for the breach. His security team had detected it. He was convicted for the decision made at senior management level about what to do with the detection.

An EU CISO who detects a significant incident and decides — in concert with the management body — not to report it to the competent authority may no longer be making a risk management decision.9 Under the German NIS2UmsuCG and the parallel transpositions in Belgium, the Netherlands, France, and elsewhere, they are likely to be committing an administrative offence at minimum. Depending on the manner of the concealment, they may also be committing a criminal one.

The three acts and their European equivalents

The CSO was convicted not for one act but for three. Each maps onto a distinct part of the European framework, and the mapping is what makes the case more than an American curiosity.

Act 1 — The failure to report. He had testified to the Federal Trade Commission ten days before the breach. The breach itself triggered a regulatory disclosure obligation. He concealed it from the regulator. Under NIS2, this is the violation of Article 23(4)(a), the 24-hour early warning obligation, transposed into German law by §32 BSIG. The exposure here is primarily administrative: §65 BSIG translates the breach into an administrative offence carrying fines of up to €10 million or 2% of worldwide annual turnover for essential entities, whichever is higher.

Act 2 — The failure of governance. The breach was managed at senior management level without disclosure to Uber’s incoming CEO, the company’s lawyers, or the FTC. The decision to conceal was made and executed within the management function itself. Under NIS2, this is the violation of Article 20(1) — the management body’s obligation to approve cybersecurity measures, oversee implementation, and be held liable for breaches — transposed into German law by §38(1) BSIG. The exposure here may be twofold: civil damages liability under §38(2) BSIG, where the entity itself can sue the management body member for losses caused by the duty breach; and the administrative authority under Article 32(5)(b) for the supervisor to temporarily prohibit the individual from exercising managerial functions in essential entities.

Act 3 — The active concealment. The CSO paid the attackers USD 100,000 in Bitcoin through Uber’s bug bounty programme, required them to sign NDAs that falsely characterised what they had done as authorised security research, and continued to work on the FTC response while knowingly omitting the new breach. This is where the directive itself reaches its limit: NIS2 does not create criminal offences. National criminal law fills the gap. In Germany, the same factual pattern could activate §263 StGB (fraud, where pecuniary damage results), §269 StGB (falsification of legally relevant electronic data, particularly where falsified evidentiary records are created), and, in document destruction scenarios, §274 StGB (suppression of documents). These statutes carry custodial sentences, with aggravated fraud under §263(3) StGB reaching ten years.10 The management body that detects an incident and decides to conceal it is not in the same legal posture as the management body that simply failed to register on time.

The three acts are independently severe. The CSO committed all three. An EU executive in his position could face all three categories of consequence — civil damages, administrative sanction, criminal investigation — potentially on parallel exposure tracks, not sequential ones.

The other CISO: SolarWinds and a different shape of liability

The Uber CSO was not the last senior executive whose conduct produced personal exposure under cybersecurity law. On 30 October 2023, the U.S. Securities and Exchange Commission charged SolarWinds Corporation and its CISO with securities fraud and internal control failures connected to the SUNBURST attack — a Russian supply chain compromise. The threat actor first accessed SolarWinds in September 2019; the malicious update reached customers from March 2020 onwards, breaching approximately 18,000 organisations including multiple US federal agencies.11

The SolarWinds theory was different from the Uber theory. The SEC alleged that the CISO had made internal presentations describing the company’s security programme as “in a very vulnerable state” while public disclosures to investors during the same period described a mature security posture. The mismatch between internal knowledge and public representation, the SEC argued, made the CISO personally liable.12

The case did not end in conviction. On 18 July 2024, the trial court at the Southern District of New York dismissed most of the SEC’s claims; the remaining claims were dismissed by stipulation with prejudice on 20 November 2025.13 The case did not result in personal sanctions against the CISO. But the case matters precisely because it was brought. It was the first time a CISO was personally charged with civil fraud over a security incident. The theory — that knowing internal security deficiencies while public statements describe a sound programme creates personal liability — has now been articulated, tested, and is likely to shape how the next case is constructed.

Although the SEC theory arose under securities law rather than cybersecurity regulation, the underlying governance logic resembles Article 20’s oversight model. The NIS2 parallel runs through Article 20 itself. A management body that approves a security programme based on information the CISO knows to be incomplete is unlikely to be able to fulfil its oversight obligation under Article 20(1).14 §38(1) BSIG goes further than Article 20(1): the final law text obliges management bodies not merely to approve but to implement the prescribed risk management measures and to oversee that implementation. Where they fail to do so, §38(2) creates a direct cause of action for damages — under company-law rules where those exist, and under the BSIG itself where they do not.

Three layers of personal liability under NIS2

The European framework that crystallised through 2025 and 2026 carries personal liability in three distinct layers, each tied to a different category of conduct.

Layer 1 — Civil damages liability

§38(2) BSIG creates a direct cause of action: management body members are personally liable to the entity for losses caused by their culpable breach of the duties in §38(1). Earlier drafts of the implementation law went further still, prohibiting the entity from waiving these damages claims by contract — but that prohibition was removed during the parliamentary process and the final law preserves the standard corporate-law framework. The personal liability itself remains statutory and direct.15 The threshold here is culpable conduct, which under German civil law begins with negligence. A management body that approved no risk management framework, that received no quarterly cybersecurity report, or that signed off on a programme it knew to be incomplete may, in many fact patterns, already have crossed the threshold.

Layer 2 — Administrative liability

Article 32(5)(b) of the directive permits competent authorities, in the most severe cases involving essential entities, to temporarily prohibit any natural person at chief executive officer or legal representative level from exercising managerial functions in that entity.16 This is the upper bound of administrative sanction and applies, by design, only to essential entities. For important entities, the parallel regime under Article 33 stops short of this measure.

Article 32(6) supplements this by requiring Member States to ensure that any natural person responsible for, or acting as the legal representative of, an essential entity has the power to ensure compliance and may be held liable for breach of those duties.17 In Germany, §65 BSIG translates failures of these obligations into administrative offences with associated fines — up to €10 million or 2% of worldwide annual turnover for essential entities, €7 million or 1.4% for important entities.

Layer 3 — Criminal liability

The directive itself does not impose criminal penalties. National law fills the gap. Knowing concealment of a reportable incident, falsification of a report submitted to the competent authority, obstruction of a supervisory process, or destruction of evidence connected to a significant incident are all conduct categories that can trigger criminal provisions under existing penal codes.18 In Germany, §263 StGB (fraud, where pecuniary damage results), §269 StGB (falsification of legally relevant electronic data), and §274 StGB (suppression of documents) all cover conduct types that intersect with NIS2 reporting obligations. In the cover-up factual pattern — paid concealment, falsified characterisation, deliberate non-disclosure to a regulator — the conduct may enter §263 territory wherever the misrepresentation produces pecuniary damage to the entity, its shareholders, or counterparties; and §269 territory wherever a falsified electronic report or record is involved.

The intent calibration: what differentiates each layer

The categorical distinction between these three layers is not arbitrary. It maps onto the subjective element of culpability — what Continental jurisprudence calls the innere Tatseite, the mental state of the actor — and that mental state determines which path liability follows.

A management body that fails to approve a Statement of Applicability, fails to schedule mandatory training under Article 20(2), or fails to register the entity with the BSI by 6 March 2026, has committed an objective breach. In most fact patterns this triggers civil damages liability under §38(2) and administrative fines under §65 BSIG. It is unlikely, on its own, to support criminal charges. The mental state is typically negligence; the response is civil and administrative.

A management body that approves a security programme it knows to be inadequate — or that receives a CISO presentation describing the programme as “in a very vulnerable state” and signs off on a public statement claiming a mature posture — may have crossed into the SolarWinds theory. The conduct may not in the end be prosecuted; the SEC’s case against the SolarWinds CISO was dismissed. But the position may no longer be defensible under Article 20(1)’s oversight requirement. The civil damages exposure tends to widen. Where the inadequate programme is signed off in connection with a regulatory filing or supervisory process, the criminal exposure can begin.

A management body that detects a significant incident and decides, knowingly, not to report it within the 24-hour window — or that pays an attacker through a corporate channel and characterises the payment as something it is not — may be in the cover-up pattern. The civil exposure forms the floor. The administrative ban under Article 32(5)(b) is foreseeable. The criminal exposure under national law is a genuine possibility. The CSO received probation. The judge who sentenced him said the next defendant should not.

The Düsseldorf precedent: when a vulnerability becomes a governance question

On 10 September 2020, ransomware operators encrypted approximately 30 servers at the University Hospital Düsseldorf (Universitätsklinikum Düsseldorf), an essential entity in the German healthcare system affiliated with Heinrich-Heine-Universität. The hospital’s emergency department was closed. Operations were postponed. A female patient in a life-threatening condition could not be admitted and was diverted to a hospital in Wuppertal, 32 kilometres away. Treatment began roughly one hour later than it would have at Düsseldorf. She died.19

The attackers had exploited Citrix CVE-2019-19781 — a directory traversal vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP products. The vulnerability had been publicly disclosed in December 2019. Patches had been available since January 2020. The Federal Office for Information Security (BSI) had issued a formal advisory in January 2020, warning of the vulnerability and the consequences of exploitation. By September, that warning was eight months old. The patch had not been applied to the relevant Düsseldorf systems. Speaking after the attack, the then-BSI President said publicly: “We warned of the vulnerability back in January and pointed out the consequences of its exploitation. Attackers gain access to internal networks and systems and can paralyse them months later. I can only urge you not to ignore or postpone such warnings.”20

The case acquired a separate legal trajectory. Prosecutors in Cologne opened a preliminary investigation against the unidentified attackers on suspicion of fahrlässige Tötung — negligent manslaughter under § 222 StGB. The investigation was eventually closed without prosecution: the prosecutor could not establish direct causation between the ransomware and the patient’s death, given her underlying critical condition. The legal point survived the prosecutorial outcome. For the first documented time in Europe, a ransomware attack on a hospital had triggered a homicide-track investigation.21

In 2020, Düsseldorf was regulated under the KRITIS framework — the predecessor regime. KRITIS imposed obligations at the operator level, but neither as strict as those that followed nor capable of reaching the individuals who ran the institution. Above all, there was no statutory path to personal liability of the management body. The legal toolbox available in 2026 — directed at the individuals in the boardroom rather than the entity itself — did not exist in 2020.

The same factual pattern, transposed to 2026, would meet a different framework. A known critical-rated vulnerability with a patch available since January, an explicit BSI advisory in the same month, and a ransomware compromise nine months later — the gap between knowledge of risk and remediation of risk — is precisely the conduct § 38(1) BSIG addresses. Where the management body received the BSI advisory and did not commission timely remediation, the threshold for § 38(2) culpable breach may be met without further evidence. Where the patient outcome carries documentary linkage to the unpatched system, civil exposure tends to widen further. Where evidence emerges of internal acknowledgement of the risk followed by a decision not to act, the conduct may enter the SolarWinds theory. And where the decision was contemporaneously documented as a cost trade-off, the conduct may approach gross governance failure territory.

The question Düsseldorf did not have to answer in 2020 — why did the management body let a January warning sit until September? — is the question NIS2 may now make mandatory in 2026. The answer, recorded in the minutes, could become the basis of personal liability.

The view from Bonn

The BSI President, addressing the German press ahead of the law’s entry into force, stated: “NIS2 has been implemented comparatively quickly despite the change of government, and we are ready. We’re good to go.”22 The signal in the sentence is not the readiness — it is the directness. The agency that will operate the supervisory regime has positioned itself as primed to act. That is unusual rhetoric for a German regulator. It is also consistent with the trajectory of the past eighteen months: the BSI’s October 2025 position paper on the implementation law explicitly requested expanded technical powers for resilience scans, command-and-control tracking, and direct warnings to entities.

In the same interview, she went further. Asked about the practical effect of the new regime, she pointed not at the BSI’s own enforcement powers but at something else entirely:

“The big lever is not us. The big lever is the liability of managing directors, executive boards, and supervisory boards. If they cannot prove to their insurers that they have at least taken care of the basics, then, depending on the circumstances, personal liability issues may even arise that are not covered.”23

Read that carefully. The head of the German federal cybersecurity authority is publicly stating that the most important consequence of NIS2 is not BSI fines but the personal exposure of management bodies — and that D&O insurance may not cover the gap. This is not commentary from a critic of executive culture. It is the sitting regulator explaining where the actual weight of the new regime falls. Every board in Germany should read that sentence twice.

The number that matters: around 30,000 entities now fall within the German NIS2 framework — up from approximately 4,500 under the old KRITIS regime.24 By the 6 March 2026 registration deadline, BSI portal data gives the agency, for the first time, an authoritative population register against which to operate. The next eighteen months are likely to produce the first wave of administrative actions, the first §65 BSIG fines, the first §38(2) damages claims — and, in fact patterns that resemble the Uber cover-up, the first criminal investigations.

What this means for management bodies

There is a single discipline that defends against every layer of liability described in this article, and it is not a technical control. It is the integrity of the information flowing from the security function to the governance structure, and the integrity of the governance structure’s response to that information.25

A board that documents its quarterly cybersecurity briefings, asks the CISO direct questions about residual risk, signs off on specific exceptions and accepts them in writing, schedules its training, and reports significant incidents within the 24-hour window has not eliminated risk.26 It is likely to make the prosecutorial case against any individual member structurally harder to assemble. The CSO conviction did not turn on the breach. It turned on the documentary trail of concealment.

The mirror image is also true. A board that does not document its briefings, does not ask direct questions, signs off in silence, and authorises ambiguous responses to detected incidents is likely to assemble the prosecutorial case for any future investigator without the assistance of an attacker.

The closing

The CISO’s job in 2026 is harder than it was in 2016. The management body’s job has been fundamentally transformed.27 Article 20 is not new paperwork. It is the legal architecture under which European executives are now personally accountable for what their organisation does, and does not do, when an incident is detected.

Most regulations make companies more careful about their conduct.

NIS2 makes individuals more careful.

The CSO got probation. The judge who sentenced him said the next defendant should not.28

Dr. Sait Yalazay PhD / LLM / MBA

CISO — DPO — Author

CISM — CIPP — AAISM — LA 27001, 27701, 22301, 42001

Architect of Automated Compliance Systems for NIS2, GDPR, ISMS, BCM, DORA, Tisax & AI Act, NATO Cyber Security Framework

His book From Directive to Done: The 10-Step NIS2 Implementation Playbook is in print. Follow for updates.

NIS2Suite — operational compliance software built for real audits — cyberwerksuite.com


Notes

  1. United States v. Sullivan, US District Court for the Northern District of California, jury verdict 5 October 2022. Two federal felony counts: 18 U.S.C. § 1505 (obstruction of proceedings before departments, agencies, and committees) and 18 U.S.C. § 4 (misprision of a felony). § 1505 verbatim: “Whoever corruptly, or by threats or force, or by any threatening letter or communication influences, obstructs, or impedes or endeavors to influence, obstruct, or impede the due and proper administration of the law under which any pending proceeding is being had before any department or agency of the United States… shall be fined under this title, imprisoned not more than 5 years or, if the offense involves international or domestic terrorism (as defined in section 2331), imprisoned not more than 8 years, or both.” § 4 verbatim: “Whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years, or both.” Sources: FindLaw, codes.findlaw.com; Cornell Legal Information Institute, law.cornell.edu. Online: 18 USC § 1505 — Cornell LII | 18 USC § 4 — Cornell LII | FindLaw § 1505

  2. Directive (EU) 2022/2555 (NIS2). Article 20(1) verbatim: “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article. The application of this paragraph shall be without prejudice to national law as regards the liability rules applicable to public institutions, as well as the liability of public servants and elected or appointed officials.” Article 32(6) verbatim: “Member States shall ensure that any natural person responsible for or acting as a legal representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the power to ensure its compliance with this Directive. Member States shall ensure that it is possible to hold such natural persons liable for breach of their duties to ensure compliance with this Directive.” Online: EUR-Lex NIS2

  3. Criminal complaint filed 20 August 2020; grand jury indictment 3 September 2020 (Joseph Sullivan, US District Court ND California, Case No. 20-cr-00337). A superseding indictment in 2021 added wire fraud counts that were later resolved before trial. The 14 November 2016 contact with the attackers occurred ten days after Sullivan’s FTC testimony of 4 November 2016. Online: DOJ press release | CourtListener docket 3:20-cr-00337

  4. DOJ press release, Office of the United States Attorney for the Northern District of California, 5 October 2022, on the conviction of Joseph Sullivan. Bitcoin payment of USD 100,000 routed through Uber’s bug bounty programme; NDAs signed by attackers Brandon Glover and Vasile Mereacre, both later convicted. Online: DOJ press release (charges)

  5. Jury verdict, United States v. Sullivan, 5 October 2022. Counts of conviction as in Note 1. Online: DOJ press release (conviction)

  6. Sullivan sentencing, United States v. Sullivan, ND California, 4 May 2023, before Judge William H. Orrick III: three years’ probation, 200 hours of community service, USD 50,000 fine. Federal prosecutors had requested a fifteen-month custodial sentence; the court declined to impose imprisonment, citing 186 letters of support filed on Sullivan’s behalf and his prior contributions to the cybersecurity field. Reported by Bank Info Security, “Ex-Uber CSO Joe Sullivan Avoids Federal Prison,” 4 May 2023; Axios, 4 May 2023; QZ, 6 May 2023; CSO Online, 24 May 2023. Online: Bank Info Security | Axios | QZ | CSO Online

  7. Sentencing remarks, Judge William H. Orrick III, United States v. Sullivan, ND California, 4 May 2023. The court’s warning was directed at future defendants in similar cases. Verbatim, as reported in the courtroom: “If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison. When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off.” Quote reported in: Axios, “Ex-Uber exec Joe Sullivan sentenced to probation for data breach coverup,” 4 May 2023; QZ (Quartz), “Uber’s former CSO Joe Sullivan avoids jail in hack coverup case,” 6 May 2023; CSO Online (Deb Radcliff), 24 May 2023; Dark Reading, “Judge Spares Former Uber CISO Jail Time,” 4 May 2023; Bank Info Security, 4 May 2023. Online: Axios | QZ | CSO Online | Dark Reading | Bank Info Security

  8. United States v. Sullivan, 131 F.4th 776 (9th Cir. 2025), No. 23-927; on appeal from the District Court for the Northern District of California, D.C. No. 3:20-cr-00337-WHO-1. Panel: Circuit Judges M. Margaret McKeown, Anthony D. Johnstone, and Ana de Alba. Decision filed 13 March 2025. The panel rejected Sullivan’s challenges to the jury instructions (including arguments under United States v. Aguilar, 515 U.S. 593 (1995) and Arthur Andersen LLP v. United States, 544 U.S. 696 (2005)), held that Ninth Circuit precedent in United States v. Bhagat, 436 F.3d 1140 (9th Cir. 2006) foreclosed the “nexus” instruction argument, and affirmed the conviction in all respects. From the panel opinion: “The jury’s verdict in this case underscores the importance of transparency even in failure situations — especially when such failures are the subject of federal investigation. The verdict is not tainted by any of the claimed instructional or evidentiary errors, nor can it be overturned for insufficiency of the evidence. We affirm the district court in all relevant respects.” Reported in FindLaw caselaw archive (case-law.vlex.com), Casemine, and CourtListener (3:20-cr-00337). Online: FindLaw caselaw | Casemine | CourtListener docket

  9. NIS2 Article 23(1) and (4)(a) (notification obligations). Article 23(1) verbatim: “Each Member State shall ensure that essential and important entities notify, without undue delay, its CSIRT or, where applicable, its competent authority in accordance with paragraph 4, of any incident that has a significant impact on the provision of their services as referred to in paragraph 3 (significant incident).” Article 23(4)(a) verbatim: “without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.” Transposed into German law by § 32 BSIG (n.F.) under the NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), in force from 6 December 2025. Online: EUR-Lex NIS2 | § 32 BSIG

  10. Verbatim text of supplementary German provisions: § 263(3) StGB (besonders schwere Fälle): “In besonders schweren Fällen ist die Strafe Freiheitsstrafe von sechs Monaten bis zu zehn Jahren.” [Unofficial English translation: “In especially severe cases, the penalty is imprisonment from six months to ten years.”] § 32(1) BSIG (n.F.) — Meldepflichten: “Besonders wichtige Einrichtungen und wichtige Einrichtungen sind verpflichtet, folgende Meldungen über jeden bei ihnen eintretenden erheblichen Sicherheitsvorfall an die Meldestelle nach § 40 Absatz 1 zu übermitteln: 1. unverzüglich, spätestens jedoch innerhalb von 24 Stunden nach Kenntniserlangung von einem erheblichen Sicherheitsvorfall, eine frühe Erstmeldung…; 2. unverzüglich, spätestens jedoch innerhalb von 72 Stunden, eine Meldung über diesen Sicherheitsvorfall…; 3. auf Ersuchen des Bundesamtes eine Zwischenmeldung; 4. spätestens einen Monat nach Übermittlung der Meldung des Sicherheitsvorfalls gemäß Nummer 2… eine Abschlussmeldung.” [Unofficial English translation: “Essential and important entities are obliged to transmit the following notifications regarding any significant security incident occurring within their organisation to the reporting office under § 40(1): 1. without undue delay, but in any event within 24 hours of becoming aware of a significant security incident, an early initial notification…; 2. without undue delay, but in any event within 72 hours, a notification of the security incident…; 3. upon request by the Federal Office, an intermediate notification; 4. no later than one month after submission of the incident notification pursuant to point 2… a final notification.”] § 65 BSIG (n.F.) — administrative offence regime, fines: for besonders wichtige Einrichtungen (essential entities under § 28(1) BSIG) up to € 10 million; for wichtige Einrichtungen (important entities under § 28(2) BSIG) up to € 7 million. For undertakings with worldwide annual turnover above € 500 million, § 65(6) and (7) BSIG permit fines of up to 2% (essential) or 1.4% (important) of total worldwide annual turnover for specific categories of breach. Sources: gesetze-im-internet.de/bsig_2025/__32.html and __65.html; dejure.org for § 263 StGB. Online: § 263 StGB | § 32 BSIG | § 65 BSIG

  11. SEC v. SolarWinds Corp. and Timothy G. Brown, US District Court for the Southern District of New York, complaint filed 30 October 2023. Online: SEC press release 2023-227 | CourtListener SDNY 1:23-cv-09518

  12. SEC complaint paragraphs alleging Brown’s internal characterisation of the security programme as “in a very vulnerable state” while public disclosures described a mature posture; SUNBURST compromise affecting approximately 18,000 organisations. Online: SEC complaint PDF

  13. SEC v. SolarWinds Corp. and Timothy G. Brown, No. 1:23-cv-09518 (S.D.N.Y.). Engelmayer, J., opinion dismissing the majority of SEC claims dated 18 July 2024. Stipulated dismissal of remaining claims with prejudice, 20 November 2025. The case ended without personal sanctions against Brown. Online: Perkins Coie analysis | Harvard Corp Gov | CourtListener docket

  14. NIS2 Directive, Article 20(1): “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.” Online: EUR-Lex NIS2

  15. § 38 BSIG (n.F.) — Umsetzungs-, Überwachungs- und Schulungspflicht für Geschäftsleitungen besonders wichtiger Einrichtungen und wichtiger Einrichtungen. Verbatim text, Bundesgesetzblatt 5 December 2025, in force 6 December 2025: “(1) Geschäftsleitungen besonders wichtiger Einrichtungen und wichtiger Einrichtungen sind verpflichtet, die von diesen Einrichtungen nach § 30 zu ergreifenden Risikomanagementmaßnahmen umzusetzen und ihre Umsetzung zu überwachen. (2) Geschäftsleitungen, die ihre Pflichten nach Absatz 1 verletzen, haften ihrer Einrichtung für einen schuldhaft verursachten Schaden nach den auf die Rechtsform der Einrichtung anwendbaren Regeln des Gesellschaftsrechts. Nach diesem Gesetz haften sie nur, wenn die für die Einrichtung maßgeblichen gesellschaftsrechtlichen Bestimmungen keine Haftungsregelung nach Satz 1 enthalten. (3) Geschäftsleitungen besonders wichtiger Einrichtungen und wichtiger Einrichtungen sind verpflichtet, regelmäßig an Schulungen teilzunehmen, um ausreichende Kenntnisse und Fähigkeiten zur Erkennung und Bewertung von Risiken sowie Risikomanagementpraktiken im Bereich der Cybersicherheit zu erlangen.” [Unofficial English translation: “(1) Management bodies of essential and important entities are obliged to implement the risk management measures to be taken by these entities pursuant to § 30 and to oversee their implementation. (2) Management bodies that breach their duties under paragraph 1 are liable to their entity for damage culpably caused, in accordance with the rules of company law applicable to the legal form of the entity. Under this Act, they are only liable where the company-law provisions applicable to the entity do not contain a liability rule pursuant to sentence 1. (3) Management bodies of essential and important entities are obliged to attend training regularly in order to acquire sufficient knowledge and skills to identify and assess risks as well as risk-management practices in the area of cybersecurity.”] Note: the final law uses umsetzen (implement), not billigen (approve) — Morrison Foerster (December 2025) flags this as likely going beyond what the explanatory memorandum (Begründung) intended, but the statutory text is binding. Earlier drafts (BSIG-E, 2024) contained an explicit prohibition on the entity waiving these damages claims; that provision was removed during the parliamentary process and is not part of the final enacted law (DQS, December 2025: a mitigation compared to earlier drafts). Source: gesetze-im-internet.de/bsig_2025/__38.html. Online: § 38 BSIG official text | Morrison Foerster analysis | DQS

  16. NIS2 Directive, Article 32(5)(b): “Member States shall ensure that the competent authorities have the power […] to temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity from exercising managerial functions in that entity.” Online: EUR-Lex NIS2

  17. NIS2 Directive, Article 32(6): “Member States shall ensure that any natural person responsible for or acting as a legal representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the power to ensure its compliance with this Directive. Member States shall ensure that it is possible to hold such natural persons liable for breach of their duties to ensure compliance with this Directive.” Online: EUR-Lex NIS2

  18. Strafgesetzbuch (StGB) — verbatim text of relevant provisions: § 263(1) Betrug (fraud): “Wer in der Absicht, sich oder einem Dritten einen rechtswidrigen Vermögensvorteil zu verschaffen, das Vermögen eines anderen dadurch beschädigt, daß er durch Vorspiegelung falscher oder durch Entstellung oder Unterdrückung wahrer Tatsachen einen Irrtum erregt oder unterhält, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.” [Unofficial English translation: “Whoever, with the intent of obtaining for themselves or a third party an unlawful pecuniary advantage, damages the property of another by causing or maintaining an error through the misrepresentation of false facts or the distortion or suppression of true facts, shall be punished by imprisonment of up to five years or by a fine.”] § 263(3) (especially severe cases): “In besonders schweren Fällen ist die Strafe Freiheitsstrafe von sechs Monaten bis zu zehn Jahren.” [Unofficial English translation: “In especially severe cases, the penalty is imprisonment from six months to ten years.”] § 269(1) Fälschung beweiserheblicher Daten: “Wer zur Täuschung im Rechtsverkehr beweiserhebliche Daten so speichert oder verändert, daß bei ihrer Wahrnehmung eine unechte oder verfälschte Urkunde vorliegen würde, oder derart gespeicherte oder veränderte Daten gebraucht, wird mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe bestraft.” [Unofficial English translation: “Whoever, for the purpose of deception in legal transactions, stores or alters legally relevant data in such a way that, upon their perception, a counterfeit or falsified document would appear to exist, or uses such stored or altered data, shall be punished by imprisonment of up to five years or by a fine.”] § 274(1) Urkundenunterdrückung: “Mit Freiheitsstrafe bis zu fünf Jahren oder mit Geldstrafe wird bestraft, wer eine Urkunde oder eine technische Aufzeichnung, welche ihm entweder überhaupt nicht oder nicht ausschließlich gehört, in der Absicht, einem anderen Nachteil zuzufügen, vernichtet, beschädigt oder unterdrückt.” [Unofficial English translation: “Whoever destroys, damages, or suppresses a document or technical record that either does not belong to them at all or does not belong to them exclusively, with the intent of causing disadvantage to another, shall be punished by imprisonment of up to five years or by a fine.”] The intersections with NIS2 reporting obligations arise where falsification or concealment occurs in mandatory disclosures to a competent authority. § 348 StGB (Falschbeurkundung im Amt) does not apply to corporate executives — it is a public-official offence (Amtsträger). Sources: dejure.org; gesetze-im-internet.de. Online: § 263 StGB | § 269 StGB | § 274 StGB

  19. Ransomware attack on University Hospital Düsseldorf (UKD), 10 September 2020. Approximately 30 servers were encrypted using the DoppelPaymer ransomware variant. Emergency department was deregistered; a female patient in life-threatening condition was diverted to a hospital in Wuppertal, approximately 32 km away; treatment began approximately one hour later than would have occurred at UKD. The patient died. Widely reported as the first ransomware attack on a hospital known to be followed by a patient death. Online: Healthcare IT News | Computer Weekly | BleepingComputer | PMC / NIH archive

  20. Vulnerability used: Citrix CVE-2019-19781 — a directory traversal vulnerability affecting Citrix ADC, Gateway, and SD-WAN WANOP products. Publicly disclosed December 2019; patches available January 2020. The German Federal Office for Information Security (BSI) issued a formal cybersecurity advisory on the vulnerability in January 2020. Verbatim quote from then-BSI President Arne Schönbohm (September 2020): “We warned of the vulnerability back in January and pointed out the consequences of its exploitation. Attackers gain access to internal networks and systems and can paralyse them months later. I can only urge you not to ignore or postpone such warnings.” Online: NVD CVE-2019-19781 | BSI Cyber-Sicherheitswarnung (January 2020) | Computer Weekly (Schönbohm quote)

  21. Cologne prosecutors opened a preliminary criminal investigation on suspicion of fahrlässige Tötung (§ 222 StGB — negligent manslaughter) against the unidentified ransomware operators following the patient’s death. The investigation was subsequently closed without indictment, as direct causation between the ransomware and the death could not be established to prosecutorial standard given the patient’s underlying critical condition. The investigation’s existence — not its outcome — marks the first instance in Europe of a ransomware attack triggering a homicide-track inquiry. Online: Healthcare IT News | BleepingComputer / AP report | PMC / NIH archive

  22. Claudia Plattner, President of the Federal Office for Information Security (BSI), interview with heise online published 6 January 2026 on the launch of the BSI portal: “NIS2 has been implemented comparatively quickly despite the change of government, and we are ready. We’re good to go.” Online: heise online — Plattner interview

  23. Claudia Plattner, President of the Federal Office for Information Security (BSI), interview with heise online, 6 January 2026, on the launch of the BSI portal and the personal-liability dimension of NIS2 enforcement. Online: heise online — Plattner interview, 6 January 2026

  24. Bundesamt für Sicherheit in der Informationstechnik (BSI), entity scope estimates: approximately 29,000 entities under NIS2 versus approximately 4,500 under the prior KRITIS regime. See also Greenberg Traurig analysis, December 2025; Reed Smith analysis, January 2026. Online: BSI NIS2 portal

  25. BSI position paper on the NIS2 implementation law, 10 October 2025: requests for expanded technical powers including resilience scans, command-and-control tracking, and direct warnings. Online: heise online — BSI position paper coverage

  26. Sentencing remarks, Judge William H. Orrick III, United States v. Sullivan, ND California, 4 May 2023, regarding the documentary record of concealment as decisive. Online: Axios | CSO Online

  27. NIS2 Directive, Article 20. Article 20(1) — see footnote [2] for verbatim text. Article 20(2) verbatim: “Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” German implementation: § 38 BSIG (n.F.) — see footnote [15] for verbatim text. § 38(3) imposes the recurring training obligation on management bodies. Online: EUR-Lex NIS2 | § 38 BSIG

  28. Sentencing remarks, Judge William H. Orrick III, United States v. Sullivan, ND California, 4 May 2023. Online: Axios | QZ | CSO Online