Personal management liability is one of the most significant innovations of NIS2. Art. 20 requires management bodies to approve the cybersecurity risk-management measures and oversee their implementation, and it makes them liable for infringements; Art. 32 and 33 add enforcement measures that can be directed at the natural persons responsible for an entity's compliance.
Personal liability under NIS2 Art. 20 and 32/33
NIS2 creates three liability levels: (1) organisational liability: administrative fines under Art. 34 of up to €10M or 2% of global annual turnover, whichever is higher, for essential entities (important entities face lower caps of €7M or 1.4%); (2) personal liability: members of the management body can be held accountable for infringements of the entity's risk-management obligations; (3) temporary removal from managerial functions: for essential entities, supervisory authorities can request that courts or the competent bodies temporarily prohibit managers who have violated security obligations from exercising managerial functions.
NIS2 Art. 32(5) allows, for essential entities, a temporary ban on natural persons at CEO or legal-representative level from exercising managerial functions in that entity. This is a previously unprecedented instrument in EU cybersecurity law.
What must executives concretely do?
To limit personal liability, executives should: (1) formally approve and document the cybersecurity risk-management measures required by Art. 21 and oversee their implementation, (2) complete cybersecurity training and keep evidence of it, as Art. 20(2) requires, (3) regularly receive and demonstrably acknowledge cybersecurity status reports, (4) be personally involved in significant incidents and govern the incident-reporting process under Art. 23, and (5) actively supervise third-party risk management (TPRM) measures for the supply chain.
360TPRM gives managing directors a clear executive dashboard showing cybersecurity status, supplier risks and compliance evidence, supporting informed decisions and documented oversight.