With the entry into force of the NIS2 Implementation Act (NIS2UmsuCG) on December 6, 2025, cybersecurity has officially become a top management responsibility. Around 29,500 companies and institutions in Germany now fall within its scope—an increase from approximately 4,500 organizations previously regulated under the KRITIS framework.

A key focus of the legislation is management liability. Under NIS2, managing directors must ensure that risk management and cybersecurity are integral parts of their company’s operations. Section 38(1) of the revised German Federal Office for Information Security Act (BSIG) establishes a binding obligation for management to implement and oversee these measures.

Management remains personally liable for damages caused by culpable breaches of duty under general corporate law. Section 38(2) BSIG supplements existing liability provisions where necessary.

This article answers the most important questions, provides strategic context, and outlines practical recommendations for management.

Who is affected by the NIS 2 Implementation Act?

Due to the delayed transposition of the NIS2 Directive into national law, there are no transitional periods for implementing the required technical and organizational risk management measures under Section 30(2) BSIG. As a result, management must act quickly to assess their organization’s status and initiate compliance measures.

The NIS2UmsuCG applies to both “essential” and “important” entities. Classification depends on sector, company size, and financial thresholds.

Affected organizations must register within three months of becoming subject to the law. For many, this resulted in a deadline of March 6, 2026, based on the law’s entry into force on December 6, 2025.

Registration under Section 33 BSIG must be completed electronically via the BSI portal, operated jointly by the Federal Office for Information Security (BSI) and the Federal Office of Civil Protection and Disaster Assistance (BBK).

The NIS2UmsuCG has amended numerous existing laws as a so-called article law, in particular the "Act on the Federal Office for Information Security (BSIG)". In addition to the classic KRITIS operators, companies from almost all supply-critical sectors are now covered by the law within the meaning of Section 28 BSIG (new version) and the sectors defined in Annexes 1 and 2 to the BSIG (new version).

  • Particularly important entities (the "essential entities" of the Directive): energy, transport and traffic, finance, healthcare, water and wastewater, digital infrastructure and space. Special rules apply, among others, to telecommunications providers, DNS services, trust service providers and operators of critical facilities (KRITIS).
  • Important entities: postal and courier services, waste management, production, manufacture and trade in chemical substances, production, processing and distribution of foodstuffs, manufacturing and production of goods, digital service providers and research.

In accordance with Section 28 BSIG (new version), the so-called size cap rule is decisive: entities in the aforementioned sectors generally fall under NIS2 if they reach at least the size of a medium-sized enterprise. Note how the criteria are combined: the employee threshold alone is sufficient, whereas the two financial thresholds must both be exceeded.

  • Particularly important entities: at least 250 employees, or both an annual turnover of more than €50 million and an annual balance sheet total of more than €43 million.
  • Important entities: at least 50 employees, or both an annual turnover of more than €10 million and an annual balance sheet total of more than €10 million.

Certain entities expressly named in Section 28 BSIG (new version) fall within the scope of application irrespective of company size.

Important for decision-makers and managing directors' liability: Even if your company does not reach the thresholds, you may be indirectly affected by supply chain requirements. Affected entities — such as your customers — will place requirements on your information security and may require evidence of security measures in the future.


NIS-2 for managing directors: these are the to-dos

  • Carry out an impact assessment - check on the BSI website
  • Register in accordance with Section 33 BSIG in a timely manner (within three months of becoming subject to the law)
  • Regulate and assign internal responsibilities

Why is NIS-2 a matter for the top management?

... and not a task for the IT department

Section 38 BSIG explicitly assigns responsibility for implementing and monitoring cybersecurity measures to management.

The NIS2 Directive represents a clear paradigm shift: cybersecurity is legally established as part of management responsibility, and ultimate accountability for security measures can no longer be delegated. Section 38 BSIG specifies this responsibility on three levels:

  • Responsibility for implementation (§ 38 para. 1) 
    Management must implement the risk management measures in accordance with Section 30 and monitor their implementation.
  • Internal liability (§ 38 para. 2) 
    Management bears personal liability in the event of a culpable breach of its NIS2 obligations.
  • Obligation to provide training (§ 38 para. 3) 
    Regular participation in training to identify and assess risks, and to understand and evaluate the impact of risk management practices in the field of information security. Appropriate training records must be maintained internally and provided to the competent authorities or "independent bodies" (pursuant to Sections 61(1) and 62 BSIG (new version)) upon request.

This means that information security must be designed as an integral part of critical and value-adding business processes and is subject to the direct responsibility and oversight of top management.

Those responsible must understand this in order to be able to actively shape their task. Ignorance does not protect against liability.

Who is "senior management" within the meaning of the NIS2UmsuCG?

According to Section 2 No. 13 BSIG as amended, the management is "a natural person who is appointed by law, articles of association or partnership agreement to manage the business and represent a particularly important institution or important institution". In practice, this includes managing directors and CEOs, board members (CFO, COO, CIO, CSO), as well as managing or personally liable partners. In the current discussion on Section 2 No. 13 BSIG (new version), it is emphasized that the management function of the corporate body is decisive. This means that individuals such as authorized signatories may also be classified as "management" if they are appointed to manage the business by law, articles of association or partnership agreement.

NIS2 for Managing Directors

What Cyber Security requirements must be observed?

According to Section 30(1) BSIG (new version), affected companies must implement suitable, proportionate, and effective technical and organizational measures based on systematic cyber risk management.

For NIS2 directors’ and officers’ liability, this means that risks must not only be addressed technically, but also identified, assessed, prioritized, and documented in a structured manner.

Section 30 BSIG requires a holistic approach across the entire company. The aim is to prevent disruptions to the availability, integrity, and confidentiality of the information technology systems, components, and processes that an organization uses to provide its services. The benchmark is the "state of the art", taking into account relevant European and international standards such as ISO 27001 and ISO 27002.

The core requirements in Section 30 (2) BSIG (new version) include

  • Risk management process (analysis, assessment, treatment, documentation)
  • Incident management
  • Business continuity & emergency planning
  • Backup and recovery strategies
  • Encryption and multi-factor authentication
  • Supply chain security
  • Training and awareness
  • Effectiveness checks and audits


Managing director liability: these are the to-dos

  • Have the company's risk exposure assessed - taking into account the environmental conditions in the context of business objectives, critical services/processes, legal requirements and stakeholder expectations
  • Provide binding budgets and resources
  • Regularly review the effectiveness of risk management measures, for example by establishing a reporting structure
  • Personally approve risk management plans with treatment measures and risk acceptance


NIS2 and reporting obligations - what now applies to companies?

Section 32 BSIG (new version) provides for a three-stage reporting procedure. After becoming aware of a significant security incident, the affected entity must report to the joint BSI and BBK reporting office:

  • within 24 hours: initial notification (early warning)
  • within 72 hours: update with an initial assessment of severity and impact
  • within one month at the latest: final report, or a progress report if the incident is still ongoing

Meeting these deadlines requires established processes; it cannot be handled ad hoc. Under Section 35 BSIG (new version), the BSI may also order that affected customers be informed.


To-dos for the management

  • Review incident response structures and crisis plans
  • Define binding reporting channels and decision-making responsibilities
  • Prepare a communication strategy for customers and partners


NIS2 Managing director liability: What are the specific fines and risks?

Fines of up to €10 million or 2% of global annual turnover may be imposed (Section 65 BSIG). In addition, management may be held personally liable for breaches of duty.

Anyone who does not implement NIS2 correctly, completely, and on time is in breach of regulations and may face the following fines:

  • Particularly important entities: up to €10 million or 2% of global annual turnover
  • Important entities: up to €7 million or 1.4% of global annual turnover

Personal liability is particularly relevant for management. This may apply, for example, in the event of:

  • Lack of documented risk management (Section 30(1) BSIG as amended)
  • Omitted or undocumented training obligations (Section 38(3) BSIG as amended)
  • Ignoring known vulnerabilities (Section 30(2), No. 5 BSIG as amended)
  • Lack of monitoring of risk management measures (Section 30(1) BSIG as amended)

Important: A cybersecurity incident alone does not establish liability. The decisive factor is whether management has properly fulfilled its organizational and monitoring duties before, during, and after the incident.


How can ISO 27001 help with the implementation of NIS 2 requirements?

An Information Security Management System (ISMS) based on the international standard ISO 27001 covers a large part of the requirements of Section 30 BSIG (new version) in a process-oriented manner. The standard is explicitly recommended by the legislator as an implementation aid.

Effective information security management offers management one thing above all: a reliable control instrument. The abstract duty of cybersecurity is translated into clear processes, responsibilities, and decision-making mechanisms.


The core principle is risk management: risks are identified, assessed and dealt with in a structured manner - not selectively, but for the entire organization. The management ...

  • defines information security objectives,
  • approves risk treatment measures and risk acceptance,
  • provides the necessary resources, and
  • regularly reviews their effective implementation.

Every decision, every process step, and every measure must be documented and can therefore be demonstrated to the authorities if required.

With the security measures in Annex A, the ISO 27001 standard also provides a practical toolbox for implementing the measures required under Section 30(2) BSIG (new version).

Important: Certification in accordance with ISO 27001 is not mandatory and does not constitute legally robust proof of compliance. However, it establishes sound governance structures and sends a strong signal of trust to authorities, customers, and partners.

An ISO 27001-based management system supports management through:

  • Systematic risk management
  • Continuous improvement (PDCA cycle, plan-do-check-act)
  • Incident response structures
  • Documentation requirements and verification
  • Management reviews
  • Implementation support through the specific security measures (controls) in Annex A

In good hands with DQS

Our certification audits provide clarity. A holistic, independent external perspective on people, processes, systems, and results shows how effective your management system is and how it is implemented and controlled. It is important to us that you see our audit not as an examination, but as an added value for your management system.

Our approach begins where audit checklists end. We deliberately ask “why” because we want to understand the reasoning behind your chosen approach. We focus on opportunities for improvement and encourage a change of perspective. In this way, you can identify options for action that enable you to continuously improve your management system.

DQS carries out all certifications competently, objectively, and impartially. This is verified through regular accreditation and witness audits conducted by national accreditation bodies at our offices worldwide. You can find out more in our audit philosophy.

Trust and expertise

Our articles and white papers are written exclusively by our standards experts and experienced auditors.

Note: For readability purposes, we use the generic masculine form. However, all gender identities are included wherever applicable.

Author

Markus Jegelka

DQS expert for information security management systems (ISMS) and long-time auditor for the standards ISO 9001 and ISO/IEC 27001 and for the IT security catalogue pursuant to Section 11(1a)/(1b) of the German Energy Industry Act (EnWG), with audit procedure competence for Section 8a(3) BSIG.

