
NIS-2 Director Liability: What Executives Face in 2026

NIS-2 director liability explained: penalty range, Article 20 training duty, personal liability, and the 60-day roadmap for executives.

Dr. Raphael Nagel (LL.M.) & Marcus Köhnlein
Investor & Author · Founding Partner

NIS-2 Director Liability: What Executives Will Personally Carry from 2026

The NIS-2 Directive 2022/2555 shifts responsibility for cybersecurity from the IT department into the boardroom. Whoever signs in 2026 is personally liable in 2027. This text addresses board members, managing directors, and supervisory boards who need to know what they are signing.

What NIS-2 Actually Changes for the Board

The duty of care is no longer an IT duty. It is a director duty. That is the break with prior practice, where CISOs and IT leads carried operational responsibility and the board approved the budget.

Article 20 of the NIS-2 Directive 2022/2555 requires that the management bodies of affected entities approve cybersecurity measures, supervise their implementation, and bear liability for violations. In addition, it imposes a training duty on the management body itself. Not on the IT department. On the board.

Article 32 adds the personal liability dimension. If an essential entity violates its duties, competent authorities can temporarily bar natural persons in management positions from their function. The German NIS-2 transposition act NIS2UmsuCG adopts this logic and specifies the personal liability of directors.

The burden of proof is reversed. It is not enough for management to claim that duties were met. It must actively demonstrate that risk management, training, and reporting channels function. Whoever lacks documentation has no defence in a dispute.

Penalty Range and Escalation Tiers

The sanctions distinguish between two categories of affected entities. For essential entities, the penalty range goes up to EUR 10 million or 2 percent of worldwide group revenue, whichever is higher. Source: EUR-Lex CELEX 32022L2555.

For important entities, the range is EUR 7 million or 1.4 percent of worldwide revenue. Again, the higher value applies. For a group with EUR 800 million in revenue, that means exposure of up to EUR 16 million for essential and EUR 11.2 million for important entities.

The escalation does not stop at money. As a last resort, NIS-2 provides two further sanctions:

  1. Activity ban for members of management in repeat cases.
  2. Suspension of the certification or authorisation the company needs to operate.

An activity ban means the end of a career in practice. A suspended certification means the end of business operations. Neither is theoretical. The supervisory authorities have the mandate to apply them.

Which Companies Must Check Now

NIS-2 covers ten sectors as essential (energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and eight more as important (post and courier services, waste management, chemicals, food, manufacturing, digital services, research).

The threshold kicks in at 50 employees or EUR 10 million annual revenue. Whoever falls below is not automatically out. Certain providers (DNS, TLD registries, trust services) fall under scope regardless of size.

There is no government list that tells you whether you are affected. Self-classification is mandatory. Whoever classifies wrongly and fails to report it risks the full sanction plus the accusation of wilful evasion.

The supply chain effect widens the circle considerably. SMEs without their own NIS-2 duty are pulled in indirectly through supply to essential entities. The principal must secure its supply chain under Article 21. That cascades contractual duties downward. Whoever supplies cleaning to the hospital, maintenance to the utility, or guard service to the data centre is contractually bound to NIS-2-compliant processes without being directly affected.

Practical recommendation: anyone working through the KRITIS Umbrella Act checklist in parallel with the NIS-2 review spots double exposure early. Around 60 percent of KRITIS-obligated entities are also NIS-2-obligated.

The Evidence Architecture

Article 21 requires documented risk management. That is not a document written once and filed. It is a living process with ten mandatory components: risk analysis, incident handling, business continuity, supply chain security, security in the acquisition and operation of IT systems, effectiveness assessment, cryptography, access control, asset management, emergency communication.

The reporting duty for significant incidents runs in three tiers. First early warning within 24 hours. Assessment report within 72 hours. Final report within one month. Whoever misses the 24-hour deadline cannot cure the violation through later reporting.

The training duty for the management body itself is the most underestimated lever. Article 20 NIS-2 requires that members of management bodies regularly attend training to gain sufficient knowledge for assessing cybersecurity risks. Annually. Demonstrable. With attendance confirmation, date, content.

The audit-proof evidence stream addresses three recipients: the supervisory authority in case of inspection, the D&O insurer in case of damage, the supervisory board in case of reporting. Whoever maintains three separate documentation systems will fail. Whoever builds a consolidated evidence architecture serves all three from one source.

For those affected multiple times, the double compliance with the KRITIS-Dachgesetz applies. The duties overlap by around 70 percent. Separate fulfilment doubles the effort without security gain.

Where Physical Security Fits the NIS-2 Picture

Article 21 explicitly requires risk-based security measures for the physical and the digital layer. This is often overlooked because NIS-2 is perceived as a pure cyber law. The wording of the directive demands protection of network and information systems "and their physical environment".

In practice, that means: whoever operates a data centre whose perimeter is not under documented control does not meet Article 21. Whoever operates a grid distribution node without continuous physical monitoring does not meet Article 21. The authority does not ask about firewalls. It asks for the full picture.

Perimeter protection with autonomous patrol delivers exactly the audit-proof patrol evidence that the physical layer needs. An autonomous robot like QR-3 with LiDAR for KRITIS sites logs every patrol with timestamp, GPS track, sensor log, and anomaly detection. That is evidence, not a report.

Insurability becomes the second lever. D&O and cyber policies increasingly refuse coverage without documented physical resilience. We are seeing the first 2025 policies that explicitly make coverage conditional on "documented physical access control with continuous monitoring" and exclude claims where it is missing. Whoever lacks that pays themselves in case of damage.

The cost question is not decided between guard service and robotics. It is decided between documented and undocumented patrol. Classic guard services rarely produce the detailed evidence that NIS-2 demands. The comparison figures are in our analysis "Guard service cost 2026 TCO".

What Boards Must Do in the Next 60 Days

These five steps are the minimum roadmap. Without them, the 2026 compliance statement is open to challenge.

Step 1: Document the threshold check. Sector, headcount, revenue, supply chain link. In writing. Dated. With sources. The document must explain why the company is essential, important, or not in scope. A verbal estimate from in-house counsel is not enough.

Step 2: Have the risk assessment under Article 21 submitted. The ten mandatory components as chapter structure. Where the company stands today, where the gaps are, which measures take effect by which deadline. Whoever receives this from the CISO has it countersigned by the supervisory board.

Step 3: Complete and document your own training. Do not delegate. Not "the CISO will explain it in the next meeting". A formal training with attendance confirmation, at least four hours, repeated annually. Article 20 is explicit.

Step 4: Inform the insurance broker of NIS-2 status. The D&O policy must reflect NIS-2 status. Whoever conceals status and later reports damage loses coverage due to breach of pre-contractual disclosure duty.

Step 5: Brief the supervisory board on liability exposure. A written briefing that quantifies penalty range, personal liability, and activity ban in concrete numbers. The supervisory board carries co-liability. Whoever fails to inform it creates a second liability track against themselves.

Whoever wants to work through these five steps in 60 days needs an external view on the physical layer. The Robotics-as-a-Service model keeps the investment decision out of the CapEx cycle and delivers patrol evidence from day one. For boards that have no time for procurement procedures between threshold check and training, this is the fastest path to the physical compliance layer.

If you want to discuss the NIS-2 architecture of your organisation with a co-author of the KRITIS operator handbook, contact Marcus Köhnlein, Sales Lead Switzerland directly or via the contact form. The first 60 days decide what can be signed in 2027.
