
NIS2 Checklist for Managing Directors: Your Personal Obligations at a Glance

Everything you, as a managing director, need to know when dealing with NIS2 in order to avoid unpleasant surprises.

Author: Andy Mura
Date: 30.1.2026
Updated on: 11.2.2026

The NIS2 Directive makes cybersecurity a matter for top management. Not an IT matter. A matter for top management.

Article 20 of the Directive establishes personal liability for managing directors and board members that cannot be delegated.

In Germany, Section 38 BSIG specifies this responsibility even further: Any waiver by the company of claims against management is invalid. This means: If NIS2 obligations are violated, you are personally liable. Not only the company.

This quick reference summarizes your core obligations.

Print it out. Put it up. Check regularly whether all points are fulfilled.

Why this NIS2 checklist exists

Many managing directors underestimate what NIS2 specifically requires from them.

The Directive does not only require that the company is compliant.

It requires that management actively approves, monitors, and demonstrably assumes responsibility. In case of violations, fines of up to 10 million euros or 2% of worldwide annual turnover may be imposed. For essential entities, managing directors may be temporarily excluded from leadership functions.

D&O insurance may not apply fully, since regulatory violations are often excluded. The following points are not recommendations. They are legal obligations.

Your NIS2 obligations: The quick reference

Approval and authorization

Formally approve risk management measures. Article 20 NIS2 requires that the management approves the cybersecurity risk management measures. No delegation possible. Documented authorization required.

Set an appropriate security budget. Insufficient budgeting despite known risks creates personal liability. Document the basis of your budget decisions.

Approve guidelines and policies. Security guidelines, incident response plans, and business continuity concepts require your documented approval.

Approve risk acceptance in writing. If residual risks are accepted, this must be approved in writing by management. In Germany, a waiver of claims in case of NIS2 violations is invalid under Section 38 BSIG.

Monitoring and control

Request regular security reports. At least quarterly, you should receive status reports on cybersecurity. Read them before meetings. Ask questions. Document.

Track the implementation of the measures. You must monitor implementation, not only approve it. Have progress reports presented to you.

Address identified vulnerabilities. If audits or assessments reveal gaps, ensure that remediation measures are initiated and completed.

Act on warnings. Do not ignore any documented warning from the CISO, the security team, or external auditors. Ignoring such a warning creates the greatest possible liability exposure.

Personal training

Complete cybersecurity training. Article 20(2) NIS2 explicitly requires that management bodies attend training to acquire sufficient knowledge and skills. No exception for managing directors.

Document training. Date, content, duration. This evidence is relevant during audits.

Refresh regularly. In Germany, the national implementation recommends refresher training at least every three years. Annual refreshers are best practice.

Organizational obligations

Ensure registration with the competent authority. Affected companies must register with the national authority; in Germany, this is the BSI. Observe the deadlines.

Establish reporting channels for incidents. Significant incidents require an early warning within 24 hours. Ensure that the processes for this exist and actually function.

Ensure supply chain security. Article 21(2)(d) requires security requirements for suppliers. Adapt contracts, assess risks, monitor continuously.

Ensure business continuity. Backup management, disaster recovery, and crisis management must be implemented and tested.

Documentation obligations

Record all approvals in writing. Minutes, signatures, formal authorizations. In case of dispute, you must prove that you have fulfilled your obligations.

Document the basis for decisions. Why was a specific budget approved? Why was a risk accepted? Justifications belong in the records.

Keep meeting minutes with security topics. Cybersecurity should be a regular agenda item. Record discussions and decisions.

The ten security domains under Article 21

As a managing director, you should know which areas NIS2 covers.

Article 21 defines ten domains for which measures must be implemented.

Your task is not technical implementation, but the approval and monitoring of the measures in these areas.

The ten domains are:

1. Risk analysis and information security policies
2. Incident handling and incident response
3. Business continuity and crisis management
4. Supply chain security
5. Secure system development and procurement
6. Evaluation of the effectiveness of measures
7. Cyber hygiene and training
8. Use of cryptography
9. Access control and asset management
10. Multi-factor authentication and secure communication

For each of these domains, you should understand which measures your company has implemented and how their effectiveness is evaluated.

What happens in case of breach of duty

The consequences of a violation of NIS2 obligations are significant.

For essential entities, fines of up to 10 million euros or 2% of worldwide annual turnover may be imposed, whichever is higher. For important entities, the maximum penalties are 7 million euros or 1.4% of turnover.

In addition, supervisory authorities may issue binding instructions, order audits, make violations public, and, for essential entities, impose a temporary ban on managing directors from exercising leadership functions. Personal liability toward the company is added on top.

If the company suffers damages due to an incident and management has violated its NIS2 obligations, shareholders may claim compensation. Section 38 BSIG makes it clear that the company cannot effectively waive these claims.

Avoid common mistakes

Full delegation to IT. Operational implementation can be delegated. Approval and monitoring cannot. You remain responsible.

Lack of documentation. In case of doubt, the rule is: What is not documented has not taken place. Your defense depends on evidence.

Ignoring warning signals. If your security team reports risks and you do not act, this is documented negligence.

Insufficient budgets without justification. Consistent underfunding of security despite known risks creates personal exposure.

Missing training. The obligation for personal continuing education is explicitly stated in the law. No excuses.

The timeline

The NIS2 transposition deadline was 17 October 2024. Many Member States have missed this deadline and are still working on national implementation.

However, this does not mean that you should wait. The core requirements are clearly evident from the Directive. Companies that begin preparing now have an advantage.

As soon as national law enters into force, compliance will be expected immediately. There is typically no transition period.

For German companies: The BSIG implementation law specifies the requirements in more detail. Expect enforcement to begin as soon as national implementation is completed.

Next steps for managing directors

Start with an initial assessment.

Check whether your company falls within the scope.

The criteria are sector affiliation plus size thresholds: at least 50 employees, or at least 10 million euros in annual turnover and balance sheet total. Have a gap assessment carried out that compares your current status against the NIS2 requirements. The results show where action is needed.

Plan your personal training. Do not wait for someone else to organize it. Request it.

Establish regular security reporting to management if it does not yet exist. Quarterly is the minimum.

From now on, document all approvals and decisions related to cybersecurity topics. In an emergency, this documentation is your defense.

Kertos

Kertos supports managing directors in fulfilling their NIS2 obligations in a verifiable way.

Our platform provides dashboards on security status, documentation of approvals and monitoring activities, as well as audit trails for regulatory defense.

80% less effort than with traditional consultants.

Start your free NIS2 gap assessment.
