15. 1. 2026

NIS2 Directive and Management Liability: Cybersecurity as a Strategic Legal and Governance Imperative

The introduction of management liability provisions under Article 20 of NIS2 marks a clear departure from previous frameworks. Management bodies must approve the entity's cybersecurity risk management measures and oversee their implementation, and can be held liable for infringements of those obligations; for essential entities, the consequences for the individuals involved can include temporary suspension from managerial functions and public naming.

Simultaneously, organizations face administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities. These are the minimum maximum fines the directive requires Member States to provide for; national implementations may set them higher. This transformation reflects a broader regulatory recognition that cybersecurity cannot be delegated to IT departments alone but demands active board-level engagement.

The evolution from technical compliance to strategic governance

The original NIS Directive (NIS1, Directive (EU) 2016/1148), adopted in 2016, was the first EU-wide legislation on cybersecurity, but it suffered from limitations that became apparent as the digital landscape evolved. The primary weakness was the excessive discretion granted to Member States in identifying "operators of essential services," leading to fragmentation.

A company considered "essential" in France might not have been in Germany, complicating compliance for cross-border organizations. Furthermore, NIS1 focused heavily on technical measures without mandating the governance structures necessary to enforce them at a strategic level.

The inadequacies of NIS1 became evident as cyber threats grew in sophistication. Organizations often treated compliance as a "tick-box" IT function, with senior executives detached from risk management. The legislative reform leading to NIS2 addressed these systemic gaps by harmonizing the scope across the EU and elevating cybersecurity to a boardroom responsibility.

Why management accountability became essential

The shift toward management liability in NIS2 mirrors trends in the General Data Protection Regulation (GDPR) and the Digital Operational Resilience Act (DORA). The EU recognized that passive compliance frameworks—where responsibility is pushed down to operational levels—fail to drive necessary cultural changes.

By embedding accountability at the governance level, NIS2 ensures that cybersecurity decisions regarding risk, resource allocation, and business continuity are treated as non-delegable fiduciary duties. For directors, the message is clear: ignorance of cybersecurity risks is no longer a valid legal defense.

This aligns with the "tone at the top" principle, ensuring that organizational resilience is prioritized by those with the authority to allocate resources.


The scope and magnitude of the directive

NIS2 significantly expands the scope of regulated entities, now covering approximately 160,000 entities across the EU. It introduces a "size-cap rule" under which all medium and large enterprises operating in the sectors listed in Annexes I and II fall within the directive, without any case-by-case designation by the Member State.

Essential entities generally include large organizations in the high-criticality sectors of Annex I, such as energy, transport, banking, health, drinking water, and digital infrastructure. Important entities generally include medium-sized organizations in those same sectors, together with medium and large organizations in the Annex II sectors, such as waste management, postal services, chemicals, food, and manufacturing of critical products.

Crucially, the directive reaches non-EU companies that provide services within the EU. For the digital providers listed in Article 26(1)(b), such as DNS and domain registration services, cloud computing, data centre, content delivery network, managed service and managed security service providers, and online marketplaces, search engines and social networking platforms, a US-based or Asian provider that offers services in the Union without being established in a Member State must comply and must designate a representative in the Union. For entities in other sectors, scope follows establishment in a Member State.

This creates a specific legal compliance step for international businesses to avoid regulatory friction.

The challenge of essential vs. important entities across borders

While NIS2 attempts to harmonize rules, Member States retain the right to bring small and micro entities into scope, and to designate them as "essential", where, for example, they are the sole provider of a service essential to critical societal or economic activities. This creates a potential patchwork in which a subsidiary in one country is an "important" entity while a sister company in another is "essential" and subject to the stricter supervisory regime.

For multinational organizations, this fragmentation requires a coordinated legal strategy. Managing these variances via a platform like Anywhere.legal allows General Counsels to centralize the assessment, utilizing local experts to confirm the specific classification in each jurisdiction.

Management body accountability and personal liability

Article 20 is the cornerstone of the new liability regime. It mandates that member states ensure management bodies of essential and important entities approve cybersecurity risk management measures, oversee their implementation, and can be held liable for non-compliance.

This language removes the ability for directors to hide behind collective board responsibility or claim a lack of technical expertise. Regulators expect directors to maintain records of their engagement, including minutes showing active discussion of cyber risks, approval of budgets, and review of incident response plans.

Scope of non-delegable duties

While execution can be delegated to a CISO, oversight cannot. Directors must personally engage in risk assessment approval, verifying that the organization follows an "all-hazards" approach covering cyber, physical, and supply chain risks.

They must also ensure resource allocation is commensurate with the identified risks. Members of the management body are required to undergo training to gain sufficient knowledge to identify risks and assess risk management practices.

Fines and suspension

The penalties are severe and two-fold, involving organizational fines and, for essential entities, personal repercussions. Where other enforcement measures have failed to bring an essential entity into compliance, Member States must give their authorities the power to request the temporary prohibition of any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. The prohibition is a last-resort measure and lasts only until the entity takes the action needed to remedy the deficiencies.

This power of suspension is a "nuclear option" for regulators, designed to force compliance. Furthermore, if a director’s failure constitutes gross negligence, they may face personal liability suits under national corporate law and potential exclusion from D&O insurance coverage.

The ten core cybersecurity risk management measures

NIS2 mandates in Article 21 a baseline of security measures based on an "all-hazards approach", proportionate to the entity's exposure to risk, its size, and the likelihood and severity of incidents. These are legal obligations, not just technical guidelines.

  • Policies on risk analysis and information system security.

  • Incident handling.

  • Business continuity, such as backup management and disaster recovery, and crisis management.

  • Supply chain security, including the security of relationships with direct suppliers and service providers.

  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure.

  • Policies and procedures to assess the effectiveness of the risk management measures.

  • Basic cyber hygiene practices and cybersecurity training.

  • Policies on the use of cryptography and, where appropriate, encryption.

  • Human resources security, access control policies and asset management.

  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems.

Supply chain security as a legal challenge

Supply chain security is often cited as the most difficult requirement because organizations must address the security of their direct suppliers and service providers, taking into account each supplier's specific vulnerabilities and the quality of its secure development practices. This triggers a cascade of contractual remediation, requiring companies to update service agreements to include right-to-audit clauses and security requirement flow-downs.

For cross-border supply chains, this involves navigating different contract laws and liability caps across jurisdictions. Using a platform like Anywhere.legal facilitates the review of supplier contracts across multiple countries, ensuring that a Master Service Agreement in one country complies with local NIS2 transpositions in others.

Incident handling and strict reporting timelines

The reporting timeline is aggressive and rigid. Entities must submit an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification with an initial assessment of severity and impact (and indicators of compromise, where available) within 72 hours, and a final report no later than one month after the incident notification. An intermediate status update may be requested at any time, and if the incident is still ongoing after one month, a progress report is due instead, with the final report following within one month of the incident being handled.

A "significant incident" is one that causes severe operational disruption or financial loss, or affects other persons. The 24-hour clock starts when the entity becomes aware of the incident. This requires a pre-approved legal and technical playbook, as errors in determining which authority to notify in a cross-border scenario can trigger penalties.

Building board-level accountability

Effective compliance requires restructuring governance. The CISO should ideally have a direct reporting line to the management body, bypassing the CIO if necessary to ensure risk concerns are not filtered. Board meetings must feature cybersecurity as a standing agenda item, not an ad-hoc discussion.

Implementing NIS2 is not a one-off task; it is an ongoing legal and operational process. Anywhere.legal supports this by providing a structured environment to coordinate these efforts, especially for entities operating across borders.

Governance risk or failure, and how Anywhere.legal facilitates the solution:

  • Lack of evidence: directors lack proof of oversight, creating liability exposure. Solution: centralized case management. Securely centralize governance records, board minutes, and policy approvals in one audit-ready environment accessible by external counsel and internal stakeholders.

  • Fragmented compliance: subsidiaries in different EU states face different local rules. Solution: expert network. Instantly connect with vetted local legal experts in each jurisdiction to verify specific transposition nuances.

  • Contractual chaos: updating hundreds of supplier contracts across borders. Solution: process and AI support. Use the platform to structure the project, utilizing AI to assist in initial document review and drafting, validated by human experts to ensure legal certainty.

  • Incident response confusion: unclear who to notify in a cross-border breach. Solution: coordination platform. A dedicated environment to manage the crisis, coordinate multiple legal teams, and ensure the 24-hour and 72-hour deadlines are met with legally privileged communication.

The international dimension and cross-border complications

Although NIS2 is a Directive, it requires transposition into national law. The transposition deadline of 17 October 2024 has passed, but implementation varies: some Member States have "gold-plated" the directive by adding requirements beyond the minimum, others have stuck to the minimums, and not all transposed on time.

Generally, entities fall under the jurisdiction of the Member State in which they are established. Two exceptions matter for cross-border groups: providers of public electronic communications networks or services fall under the jurisdiction of the Member State where they provide the services, and the digital providers listed in Article 26(1)(b) (DNS and domain registration services, cloud, data centre, CDN, managed service and managed security service providers, online marketplaces, search engines and social networking platforms) fall under the jurisdiction of the Member State of their main establishment in the Union.

Non-EU entities

For those digital providers offering services in the Union without an establishment there, the designation of a representative is critical: the entity is deemed to fall under the jurisdiction of the Member State where the representative is established, and the representative is the point of contact for that Member State's authorities. If no representative is designated, any Member State in which the entity provides services may take action against it. Selecting the jurisdiction of the representative is therefore a strategic legal decision, influenced by the regulatory environment and enforcement posture of the chosen Member State.

  1. Legal Scoping & Classification: Definitively determine if you are Essential or Important in each jurisdiction of operation.

  2. Gap Analysis: Compare current controls against Article 21 requirements.

  3. Governance Restructuring: Update board charters and reporting lines.

  4. Contract Remediation: Review and amend supplier contracts.

  5. Incident Response Testing: Conduct tabletop exercises involving legal counsel to test the 24-hour reporting capability.

Cybersecurity as a strategic governance imperative

NIS2 has fundamentally changed the risk profile for European management bodies. It transforms cybersecurity from an operational expense into a strategic imperative backed by personal liability. The risks of non-compliance—ranging from operational disruption to personal reputational damage and suspension—are too high to ignore.

For organizations operating across borders, the challenge is multiplied by the need to navigate 27 different national implementations. Success requires more than just technical tools; it requires a coordinated legal strategy that connects local expertise with central oversight. This is where Anywhere.legal provides value: by combining a case management platform with a global network of experts and safe AI support, it enables organizations to structure their cross-border compliance, ensuring that management bodies can demonstrate the oversight required by law.

Need international legal help with NIS2 compliance or cross-border coordination? Get in touch with us via Anywhere.legal.

Frequently Asked Questions

  1. What is the practical difference between Essential and Important entities regarding liability?
    Both categories impose personal management liability. The key difference lies in supervision and sanctions. Essential entities face ex-ante supervision and the potential for temporary suspension of executives. Important entities generally face ex-post supervision after an incident occurs.

  2. Can a director be personally fined €10 million?
    No. The administrative fines are levied against the entity. However, the director faces administrative sanctions (suspension) and potentially civil liability (damages) towards the company for breach of duty under national corporate law.

  3. What if my company is based in the US but sells digital services in the EU?
If you are one of the digital providers the directive covers (DNS and domain registration services, cloud, data centre, CDN, managed services, online marketplaces, search engines, social networks) and offer services in the EU without an establishment there, NIS2 applies and you must designate a representative in one of the Member States where you offer services. You are then deemed to fall under that Member State's jurisdiction, and the representative is the point of contact for its authorities. Without a representative, any Member State in which you provide services may take action against the entity.

  4. How does the 24-hour reporting rule work in practice?
You must submit an "early warning" to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident. This is not a full report but a flag to the authorities, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact. It requires 24/7 monitoring and a pre-established legal protocol so that the notification states what is known without inadvertently asserting more than the evidence supports; the directive itself provides that the mere act of notifying does not increase the entity's liability.

  5. Is NIS2 the same in every country?
    No. NIS2 is a Directive, meaning it sets a baseline. Member States translate it into national law. They can impose stricter rules, higher fines, or broader definitions of "essential" sectors. Cross-border compliance requires checking the specific law in each country of operation.

© 2025 Anywhere. All rights reserved.