NIS2: What Executives Are Now Personally Liable For
The NIS2 Directive makes cybersecurity a board-level matter – with personal liability of up to €10 million. What this means in practice and how to protect yourself.
Since October 2024, the NIS2 Directive has been transposed into German law. What many executives have yet to realise: the Directive does not create a new IT regulation. It creates personal liability.
What NIS2 Actually Means
NIS2 obliges companies in critical and important sectors – including digital infrastructure, healthcare, energy, logistics and many B2B SaaS categories – to meet a minimum standard in cybersecurity. Requirements include:
- Risk analysis and security policies
- Supply chain security
- Incident response capabilities and reporting obligations
- Business continuity and crisis management
- Regular training and awareness programmes
None of this is new. What is new: who is liable when any of it is missing.
Personal Liability for the Executive Board
NIS2 requires senior management to approve and oversee cybersecurity measures. Violations can result in fines of up to €10 million or 2% of global annual turnover – whichever is higher.
Critically: this liability cannot be fully delegated to the IT department or external service providers. As an executive, you must be able to demonstrate that you know, manage and control security risks.
Why Many Companies Remain Unprepared
The most common responses we hear in initial consultations:
"We have ISO 27001 – isn't that enough?" ISO 27001 is a solid foundation, but it does not guarantee NIS2 compliance. The Directive imposes its own requirements around governance, reporting processes and supply chain security.
"We're not a critical company." The scope of NIS2 is broader than expected. B2B SaaS companies with 50 or more employees or €10 million in revenue in certain categories fall under the Directive.
"Our IT team handles that." IT can implement the technology. But liability sits with the executive board – not in the server room.
What You Should Do Now
Three concrete steps:
- Applicability assessment: Does your company fall under NIS2? Which sector category applies? What specific requirements apply?
- Gap analysis: What is already in place? Where are the most critical gaps? Which measures address the highest-risk areas?
- Governance documentation: Make it demonstrable that management is informed, makes decisions and steers measures – not merely delegates.
Woodlands Advisory guides mid-market companies and PE portfolio companies through NIS2 compliance. Our Compliance Sprint brings you into a documented, auditable security posture within four weeks.
Let us discuss your specific situation.
30 minutes. Confidential. Non-binding.