Tags: NIS2, BSIG, NIS2UmsuCG, Cybersecurity Compliance, Board Liability, Governance, ISMS, DACH

NIS2 Is Not Another Regulation. It Changes Who Gets Fired After a Breach.

How NIS2 shifts cybersecurity governance from organisational responsibility to personal liability — and what Article 20, §38 BSIG, and the German NIS2UmsuCG mean for management bodies in essential and important entities.

Dr. Sait Yalazay, PhD / LLM / MBA
CISO — DPO — Author | CISM — CIPP — AAISM — LA 27001, 27701, 22301, 42001
Architect of Automated Compliance Systems for NIS2, GDPR, ISMS, BCM, DORA, Tisax, AI Act & NATO Cyber Security Framework

Published on May 6, 2026

Most regulations add paperwork. NIS2 adds consequences.

That is not a subtle distinction. That is the entire point.

What Everyone Gets Wrong About NIS2

When a new directive arrives, organisations do what they always do. They push it to compliance. They schedule a workshop. They move on.

This is how organisations handled GDPR. It is how they handled NIS1. It is how most organisations are handling NIS2 right now.

The problem is that NIS2 was specifically designed to stop this from working.

The architects of NIS2 looked at the previous directive — NIS1, in force since 2016 — and saw what happened.[1] Organisations implemented the minimum. Supervisory authorities had limited enforcement tools. Incidents happened anyway.[2] The same systemic weaknesses appeared in audit after audit across EU member states.[3]

So they rewrote the directive. And this time, they did something different.

They made it personal.

The Liability Shift Nobody Is Talking About

Article 20 of NIS2 does something no cybersecurity regulation in Europe has done before at this scale.[4] It places legal responsibility for cybersecurity governance directly on the management body.

Not on the CISO. Not on IT. Not on the compliance team.

On the board. On the executives. On the individuals who sit in those chairs and sign those decisions.

This is the shift. From organisational responsibility to personal liability.

Article 20(1) of NIS2 is precise: the management bodies of essential and important entities must approve cybersecurity risk-management measures, oversee their implementation, and — in the directive’s exact words — “can be held liable for infringements by the entities of that Article.”[5]

Germany has already gone further than the directive requires. The NIS2 implementation law — the NIS2UmsuCG — and the revised BSIG[6] create a framework where supervisory authorities can pursue natural persons, not just legal entities.[7] Where fines do not stop at the company balance sheet. Where the person who delegated cybersecurity to IT because it was “too technical” can find themselves personally named in an enforcement action.[8]

These provisions go beyond NIS2’s baseline. They are also new. The first enforcement actions under §38 BSIG will refine how courts interpret what it means for a management body to have “nicht beachtet” — to have failed to comply with — its obligations. Practical reach will develop case by case. But the legal architecture is in force, and the BSI has signalled it intends to use it.

The directive is specific about when this liability is triggered. Article 20(1) requires member states to ensure that management bodies “can be held liable for infringements by the entities of that Article” (that is, of Article 21, the risk-management measures). Not for a successful attack. For an infringement — a failure to fulfil the governance obligations the directive explicitly assigns to them. Recital 137 reinforces this: supervisory authorities “should be able to hold management bodies of essential and important entities accountable where those bodies have not fulfilled their obligations.”

The German BSIG goes further still. §38 BSIG n.F. creates direct personal accountability where the management body “nicht beachtet hat” — has not complied with — the cybersecurity obligations assigned to it.[9] In the most severe enforcement scenarios, governance failure alone — without a successful attack — can be enough to trigger personal liability under §38 BSIG. This is the legal upper bound. In practice, most enforcement actions follow incidents. But the law makes the lighter case actionable — and that is what shifts the calculation in every boardroom.

If you are reading this and cannot clearly answer who in your organisation is accountable for NIS2 — you already have a problem.

For most executives, this is the moment the room goes quiet.

A Short Story About a Long Meeting

What follows is a composite scenario built from audit patterns observed across multiple essential entities in Germany. No single company is described.

In early 2024, a mid-sized logistics company in Germany received a routine inquiry from its sector regulator. A standard questionnaire. Nothing alarming on the surface.

The CISO prepared the response. The board approved it without reading it. The questionnaire was filed. Everyone moved on.

Six months later, the company experienced a ransomware incident. Trucks stopped. Deliveries failed. Customers started calling. Then regulators did.

Critical transport coordination systems were offline for eleven days. Customer data was exfiltrated. The incident met every threshold for mandatory notification.

The notification went in late.[10] The post-incident examination revealed that the governance structure described in that earlier questionnaire did not match reality. The board had approved a document describing controls that had never been implemented. The training records cited did not exist. The management body had signed off on a programme they had never overseen.

Under NIS1, the company received a fine and a corrective action plan.

Under NIS2, the conversation would be different. Because NIS2 asks a question that NIS1 never asked with the same legal force: who approved this, and what did they actually know?

The management body is not a rubber stamp anymore. It is a legally accountable actor.

What Actually Changed — and Why This Time Is Different

NIS2 expanded scope dramatically. It covers sectors NIS1 never touched — food, manufacturing, chemicals, waste management, postal services, public administration.[11] It lowered the size threshold, pulling in medium-sized entities that previously had no sector-specific cybersecurity obligations.[12] It introduced Article 21 — ten categories of security measures that covered entities must implement, oversee, and evidence.[13]

But the scope expansion and the technical requirements are not the structural shift.

The structural shift is governance accountability.

Under NIS2, the management body must approve the cybersecurity measures. Must oversee their implementation. Must undergo cybersecurity training.[14] And when something goes wrong — when a breach occurs, when a notification is missed, when a control that was supposed to exist does not — the question regulators will ask is not “what did your systems do?”

It is “what did your board know, when did they know it, and what did they decide?”

That is a fundamentally different question. One that compliance frameworks, gap reports, and policy documents cannot answer on their own.

The Organisation This Directive Is Actually Aimed At

NIS2 is not aimed at organisations already running mature security programmes. Those organisations will find compliance demanding but achievable.

NIS2 is aimed at the board that has never seen a security report. The executive team that treats cybersecurity as an IT cost centre. The management body that approved a CISO’s annual presentation without asking a single question about what any of it meant.

It is aimed at the organisation where, if something went wrong tomorrow, the honest answer to “who was responsible for this?” would be: no one in particular.

NIS2 makes that answer legally unacceptable.

The Cost of the Old Approach

The directive sets maximum fines of at least €10 million or 2% of global annual turnover for essential entities, and at least €7 million or 1.4% for important entities, whichever is higher.[15] These numbers get cited frequently.

But the fines are not the most important consequence.

The most important consequence is supervisory scrutiny — the power of competent authorities to conduct on-site inspections and security audits, demand documentation and evidence that measures are actually implemented, issue binding instructions, and, for essential entities, temporarily prohibit individuals from exercising management functions.[16]

Read that again.

Because this is where NIS2 stops being a compliance exercise.

Temporarily prohibit individuals from exercising management functions.

Not the company. The individual.

This is the most severe sanction available under NIS2 — and it applies, by design, only to essential entities under Article 32(5)(b). For important entities, the parallel regime under Article 33 does not include this measure. But for organisations operating in Annex I sectors — health, energy, transport, banking, drinking water, digital infrastructure — this power is real, and it sits today with national supervisory authorities. Most enforcement actions will use lighter tools first: warnings, binding instructions, fines. The prohibition is the upper bound. But the upper bound exists, and that is what every board now has to plan around.

This is what changes who gets fired after a breach. Not because the organisation decides someone must go. Because a regulator decides that a specific person should not be allowed to hold their current role while an enforcement action is live.[17]

This is new. This is NIS2.

The Question Your Board Cannot Afford to Get Wrong

NIS2 does not ask whether your organisation takes cybersecurity seriously.

It asks whether the people at the top can prove it.

Prove it through documented decisions. Through training records.[14] Through governance structures that existed before the incident — not structures assembled in response to one.[18]

The organisations that will struggle most with NIS2 are not the ones that lack technology. They are the ones where nobody in the boardroom can answer a single specific question about what their cybersecurity programme actually does.[19]

That gap is no longer a management problem.

It is a liability. And under NIS2, it has a name attached to it.[20][21]


  1. Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 (NIS1 Directive), OJ L 194, 19.7.2016, pp. 1–30.

  2. European Union Agency for Cybersecurity (ENISA), NIS Investments Report 2022, ENISA, Athens, 2022. Available at: enisa.europa.eu/publications.

  3. European Commission, Proposal for a Directive on measures for a high common level of cybersecurity across the Union (NIS2), COM(2020) 823 final, 16 December 2020, Explanatory Memorandum, Section 1: Context of the proposal.

  4. Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (NIS2 Directive), OJ L 333, 27.12.2022, pp. 80–152. Article 20: Governance.

  5. NIS2 Directive, Article 20(1): “Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.”

  6. Gesetz zur Umsetzung der NIS-2-Richtlinie und zur Regelung wesentlicher Grundzüge des Informationssicherheitsmanagements in der Bundesverwaltung (NIS2UmsuCG). Passed by the Bundestag on 13 November 2025; approved by the Bundesrat on 21 November 2025; published in the Bundesgesetzblatt on 5 December 2025; entered into force on 6 December 2025 with no transition period. The BSI registration portal opened on 6 January 2026; entities in scope on the date of entry into force were required to register by 6 March 2026.

  7. §38 BSIG n.F. (BSI-Gesetz, Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, neue Fassung): Verantwortung der Geschäftsleitung für Informationssicherheit. The provision creates direct personal accountability for management body members of essential and important entities (in the German terminology, “besonders wichtige” and “wichtige Einrichtungen”).

  8. NIS2 Directive, Recital 127: “In order to make enforcement effective, a minimum list of enforcement powers that can be exercised for breach of the cybersecurity risk-management measures and reporting obligations provided for in this Directive should be laid down […] Due regard should be given to the nature, gravity and duration of the infringement of this Directive, the material or non-material damage caused, whether the infringement was intentional or negligent.” OJ L 333, 27.12.2022, p. 117.

  9. §38 BSIG n.F. (BSI-Gesetz, Gesetz über das Bundesamt für Sicherheit in der Informationstechnik, neue Fassung): The provision states that the management body of essential and important entities must ensure cybersecurity risk-management measures are implemented and must oversee their implementation. Where the management body “nicht beachtet hat” (has not complied with) these obligations, direct personal liability of individual members arises under applicable German civil and corporate law, independent of whether a cybersecurity incident has occurred.

  10. NIS2 Directive, Article 23(4)(a): Essential and important entities shall submit to the CSIRT or, where applicable, the competent authority, “without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning, which, where applicable, shall indicate whether the significant incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.” The 24-hour clock runs from the moment the entity becomes aware of the incident; complete information is not a precondition.

  11. NIS2 Directive, Annexes I and II. Annex I (Sectors of high criticality) and Annex II (Other critical sectors) together cover 18 sectors compared to 7 under NIS1 Directive Annex II.

  12. NIS2 Directive, Article 2(1): The directive applies to public or private entities of a type referred to in Annex I or II that qualify as medium-sized enterprises under Article 2 of the Annex to Recommendation 2003/361/EC, or that exceed the ceilings for medium-sized enterprises set out there.

  13. NIS2 Directive, Article 21(2)(a)–(j): Ten required security measure categories: (a) risk analysis and information system security policies; (b) incident handling; (c) business continuity, including backup management and crisis management; (d) supply chain security; (e) security in acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of measures; (g) basic cyber hygiene and cybersecurity training; (h) policies on cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; (j) multi-factor or continuous authentication and secured communications.

  14. NIS2 Directive, Article 20(2): “Member States shall ensure that members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis.”

  15. NIS2 Directive, Article 34(4) (essential entities) and Article 34(5) (important entities). Article 34(4): essential entities are subject to administrative fines of a maximum of at least €10,000,000 or of a maximum of at least 2% of total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher. Article 34(5): important entities are subject to administrative fines of a maximum of at least €7,000,000 or of a maximum of at least 1.4% of total worldwide annual turnover, whichever is higher.

  16. NIS2 Directive, Article 32(2) (supervisory powers in relation to essential entities): on-site inspections and off-site supervision, regular and targeted security audits carried out by an independent body or competent authority, ad hoc audits where justified by a significant incident or infringement, security scans, requests for information necessary to assess cybersecurity risk-management measures, and requests for evidence of implementation. Article 32(4) provides the corresponding enforcement powers (warnings, binding instructions, monitoring officers, administrative fines under Article 34); Article 32(5)(b) provides for temporary prohibition of natural persons at CEO or legal representative level. The temporary-prohibition power applies to essential entities under Article 32; the parallel regime for important entities under Article 33 does not include this measure.

  17. NIS2 Directive, Article 32(5): “Member States shall ensure that competent authorities, when establishing that an essential entity has infringed this Directive, may […] require the temporary prohibition of any person discharging managerial responsibilities at chief executive officer or legal representative level in that essential entity from exercising managerial functions in that entity.”

  18. ENISA, Guidelines on Assurance Frameworks for Security Operations Centres, ENISA, 2023. Section 4: Governance and accountability structures in cybersecurity programme management.

  19. Bundesamt für Sicherheit in der Informationstechnik (BSI), Lagebericht zur IT-Sicherheit in Deutschland 2023. BSI, Bonn, 2023. The report identifies management accountability gaps as a primary driver of systemic cybersecurity failure in German organisations.

  20. NIS2 Directive, Article 32(5) and Recital 127: The personal liability framework is designed to ensure that named individuals — the legal representative or CEO of the entity in breach — bear accountability for governance failures.

  21. NIS2 Directive, Article 32(6): “Member States shall ensure that any natural person responsible for or acting as a legal representative of an essential entity on the basis of the power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it has the power to ensure its compliance with this Directive. Member States shall ensure that it is possible to hold such natural persons liable for breach of their duties to ensure compliance with this Directive.”