ANALYSIS

NIS2 Personal Liability: What the Directive Actually Says About Board Members

On 15 April 2026, the Dutch House of Representatives voted the Cyberbeveiligingswet into law — the Netherlands’ transposition of the EU’s NIS2 Directive. The bill now moves to the Senate, with the government targeting simultaneous entry into force in Q2 2026. Dutch board members are now on the clock.

They are not alone. Twenty-two of twenty-seven EU member states have transposed NIS2 into national law. In Germany, where the implementation law was published on 5 December 2025, the BSI is actively auditing registration compliance — only around one third of covered entities registered by the March 6 deadline. In Belgium, among the first EU states to fully implement the directive, essential entities face an April 18 deadline to submit self-assessments to the Centre for Cybersecurity Belgium. In France, the ANSSI framework will bring an estimated 10,000 to 15,000 entities into scope, with full enforcement expected from late 2026.

The directive is no longer a future obligation. It is an active regulatory environment — and it names management bodies directly. The governance and digital exposure risks NIS2 targets are part of a wider picture covered in our Corporate Digital Footprint hub.

What Article 20 Requires

Article 20 of Directive (EU) 2022/2555 is the provision that places cybersecurity governance on the boardroom agenda. It requires three things of management bodies in essential and important entities:

Approve the organisation’s cybersecurity risk-management measures under Article 21.

Oversee the implementation of those measures.

Be held liable for infringements of these obligations.

Article 20 also introduces a mandatory training requirement. Members of management bodies must undergo cybersecurity training sufficient to “identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.” Entities must also offer equivalent training to employees on a regular basis.

Board members looking for a structured starting point can work through their own exposure surface across ten reconnaissance categories, each tagged with the response its findings need.

This is not a recommendation. It is a legal obligation with no precedent in NIS1.

What Personal Liability Actually Means

This is where the vendor marketing diverges from the legal text. Many cybersecurity consultancies present NIS2 as directly fining individual board members up to €10 million. That is misleading.

The administrative fines — up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities — apply to the entity, not to natural persons. Personal liability for board members flows through a different mechanism.

Article 32(5)(b) gives national authorities the power to request that courts or tribunals temporarily prohibit any natural person responsible for managerial functions at CEO or legal representative level from exercising those functions. This applies to essential entities only, requires judicial process, and is subject to procedural safeguards.

Beyond this suspension power, the directive delegates the specifics of personal liability to national law. The form it takes varies by jurisdiction:

In Germany, the revised BSI Act makes cybersecurity a board-level issue with explicit management body obligations. The BSI can issue binding orders, conduct on-site audits, and make compliance failures public — creating reputational exposure before any fine is levied.

In the Netherlands, the Cyberbeveiligingswet layers NIS2 obligations onto the existing framework of bestuurdersaansprakelijkheid under Book 2, Article 9 of the Dutch Civil Code — the standard for director liability in cases of mismanagement. Board members will have a maximum of two years from the Cbw’s entry into force to complete mandatory cybersecurity training.

In Belgium, the CCB’s CyberFundamentals framework requires organisations to submit self-assessments demonstrating active compliance. With over 4,500 organisations already registered and the April 18 deadline for essential entities, Belgium is the jurisdiction most likely to produce early enforcement actions.

In France, ANSSI will serve as the supervisory authority with audit and investigation powers across an estimated 10,000 to 15,000 entities, with full enforcement beginning in late 2026.

In Italy, the transposition arrived early. Decreto Legislativo 138/2024, published in the Gazzetta Ufficiale on 1 October 2024 and in force from 16 October 2024, designates the Agenzia per la Cybersicurezza Nazionale (ACN) as the national competent authority. In-scope entities had until 28 February 2025 to register through the ACN platform. The decree leaves audit cadence open, empowering the ACN to impose audits on essential and important entities at its discretion rather than to a fixed cycle. For management bodies, the Italian framework folds into the country’s existing corporate-liability regime under D.Lgs 231/2001, where failure to oversee risk-management measures can compound entity-level administrative liability with civil-law claims against directors.

In Spain, the position is the contrasting case. The Draft Law on Cybersecurity Coordination and Governance — Spain’s NIS2 transposition vehicle — was approved by the Council of Ministers on 14 January 2025 and remained in parliamentary processing as of June 2026, not yet published in the Boletín Oficial del Estado. The European Commission issued Spain a reasoned opinion on 7 May 2025 for failure to notify full transposition, the procedural step that precedes formal infringement proceedings. Pending enactment, supervisory responsibility sits across multiple ministries by sector, with the National Cryptologic Centre (CCN) and the Instituto Nacional de Ciberseguridad (INCIBE) operating as the principal technical bodies and INCIBE-CERT acting as reference CSIRT for private-sector entities. For Spanish directors, the position until the law completes its passage is that the Article 20 obligations apply through the directive’s direct effect on member states, while the specific personal-liability mechanism will firm up only when the implementing statute clears the Cortes.

The pattern across jurisdictions is consistent: the entity pays the fine, but the board member carries the personal consequences — suspension, civil liability claims from the company or shareholders, reputational damage, and in cases where national criminal law applies, potential criminal liability for gross negligence.

Enforcement has begun to move at the entity level. Through the first half of 2026, the early-transposition states opened the first proceedings: Germany’s BSI against entities that missed incident-notification deadlines, France’s ANSSI issuing formal warnings to entities operating without the minimum measures in place. The first compliance-audit deadline falls on 30 June 2026. No enforcement action against an individual board member has been publicly reported yet. That is expected this early in the cycle. The absence of a precedent is not the absence of exposure, and the window to prepare is closing.

How Personal Liability Actually Attaches

NIS2 contains no provision that fines a director personally. What it does is raise the standard of care. The directive sets a statutory duty — approve the Article 21 measures, oversee their implementation, understand the risk — and leaves the consequence of failing that duty to each member state’s existing law on director liability. The mechanism is not new. NIS2 supplies the benchmark; national company law supplies the claim.

In practice the liability travels through four channels, and a board can face more than one at once.

The management ban. Article 32(5)(b) lets a competent authority ask a court to suspend a CEO or legal representative from managerial functions until the entity remedies the deficiency. It applies to essential entities only, runs through judicial process, and carries the usual safeguards of a fair trial, the presumption of innocence, and the right of defence. It is the directive’s one direct personal sanction, and it is corrective rather than punitive: the ban lifts once the failure is fixed.

Civil claims. This is the channel most likely to bite. Where a breach causes loss, the company, its shareholders, or an insolvency trustee can sue the directors under national director-duty law — Book 2, Article 9 of the Dutch Civil Code, §93 of the German Stock Corporation Act and §43 of the GmbH Act, the Italian regime layered onto D.Lgs 231/2001. NIS2 hands those claims a concrete yardstick: the board’s documented compliance with Articles 20 and 21, or the absence of it.

Regulatory naming. Several authorities can publish a finding before any fine is levied. Germany’s BSI can issue binding orders, conduct on-site audits, and make compliance failures public. For a listed company or a regulated firm, being named lands on identifiable individuals well ahead of any monetary penalty, and it does not wait for a court.

Criminal exposure. Where national criminal law attaches to gross negligence in the discharge of a managerial duty, the directive’s standard feeds into it. This is the narrowest channel and the least likely to be used early. It is not theoretical in jurisdictions that already criminalise serious management failure.

Which channels are even available depends on how closely the entity is watched. Essential entities sit under ex-ante supervision: regulators can audit them on a routine basis, including unannounced on-site inspections, without waiting for an incident. Important entities sit under ex-post supervision, where authorities act only once evidence of a failure reaches them through an incident report, a complaint, or a disclosure. The management ban exists only on the essential side. The civil and criminal channels run regardless of tier, because they originate in company law rather than in the directive.

The Business-Judgment-Rule Defence

None of this makes a director liable for being breached. Courts apply a business-judgment standard to management decisions, and they leave a wide margin. A director who treated cyber risk seriously, followed an orderly process, and decided on the basis of relevant information will generally not be held liable for a loss that followed in spite of those steps. The protection is real. It is the right place for a board to aim.

The defence turns on two words: relevant information. It holds when the board can show it understood the risk it was deciding about. It fails when a known, assessable category of risk was never put in front of the board at all. A risk the directors never examined is not a risk they exercised judgment over. That is the opening a claimant’s lawyer works toward, and it is documentary: what did the board know, when did it know it, and what did it do.

Where D&O Insurance Stops

Directors who assume their D&O policy absorbs this should read the exclusions. Most policies carve out gross negligence and knowing violations of regulation, which is the precise conduct NIS2 is built to catch. A board that was aware of a cyber-governance gap and left it unaddressed sits inside the exclusion rather than the cover. The insurer can decline, and the liability reverts to personal funds. Insurance rewards the same thing the directive does: a documented, defensible decision. It does not rescue an undocumented one.

The Exposure Blind Spot

Most NIS2 compliance programmes focus on technical measures: incident response, supply chain risk management, encryption, access control. These are the requirements of Article 21, and they are necessary.

But Article 20 requires management bodies to understand cybersecurity risk — not merely to approve a budget for it. And one of the most significant and least addressed risks to any organisation is the personal digital exposure of its leadership.

Board members and senior executives are high-value targets. Their home addresses are listed on data broker sites. Their credentials circulate in breach databases. Their travel patterns, family connections, and professional affiliations are visible through social media and public records. This information is not abstract — it is the raw material for spear-phishing, social engineering, and targeted attacks against the organisation. We set out how each of those vectors maps to the directive’s named risk categories in our analysis of why executive digital exposure is a NIS2 compliance risk.

When a CFO’s personal email and password pair from a 2023 breach is used to access a corporate system, the failure is not in the firewall. When a CEO is impersonated using publicly available photos and voice samples, the failure is not in the endpoint detection software.

Under NIS2, the board is required to understand these risks. A management body that approves cybersecurity measures without knowing what is findable about its own members has not fulfilled its Article 20 obligations. It has signed off on a perimeter defence while the gates are open. In the terms of the defence set out above, it has no record of having considered the risk, which is the one position the business-judgment rule does not protect.

A Corporate Audit maps the personal digital exposure of executives and board members — the attack surface that most compliance programmes miss.

Assess organisational exposure

What Boards Should Do Now

Assess your classification. Determine whether your organisation falls under essential or important entity status. The thresholds — broadly, 250+ employees or €50 million+ turnover for large enterprises, 50–249 employees or €10–50 million for medium — determine the severity of your supervisory regime and penalty exposure.

Verify your national timeline. If your jurisdiction has already transposed NIS2, compliance obligations are active now. If you are in the Netherlands, the Eerste Kamer vote and Q2 2026 entry into force are imminent — do not wait for the Senate.

Fulfil the training mandate. Article 20 requires management body members to undergo cybersecurity training. This is not a suggestion. Boards that cannot demonstrate training will have an immediate compliance gap when enforcement begins.

Map your executive exposure. Technical cybersecurity measures protect systems. They do not address the personal digital footprint of the people who run the organisation. People-search profiles and data broker records, credential leaks, and social media exposure create attack vectors that bypass every technical control. Understanding what is findable about your leadership is a governance obligation, not an optional extra. PI Solutions runs that mapping as the OSINT layer of a NIS2 readiness programme — see our NIS2 compliance mapping page for what a scoped exposure assessment covers.

Document your governance. NIS2 compliance is not only about having measures in place — it is about demonstrating that the management body approved and oversaw those measures. Board minutes, risk assessment records, and training documentation are the evidence that matters when a regulator asks questions. The operational shape of that documentation — what a defensible quarterly board pack looks like, how reporting cadence shifts in incident mode under Article 23 — is in our sister piece on cybersecurity board reporting under NIS2.

The NIS2 Directive does not ask boards to become cybersecurity experts. It asks them to take responsibility for understanding the risks their organisations face — including the risks created by their own digital exposure. Twenty-two member states have made this law. The rest are weeks behind, not years.

Share this briefing

If this was useful, sharing it helps others protect themselves. It also helps keep the intelligence briefings free.

Or get the quarterly intelligence brief — significant breaches, OSINT technique shifts, and executive privacy risks, once a quarter. Read the briefing →