NIS2: Directors' personal liability for lack of compliance is a warning message
The NIS2 Directive has issued a significant warning to companies in the EU: the personal liability of directors for lack of compliance is now a critical issue that can't be ignored.
The NIS2 Directive applies to a very large number of companies, which must notify the competent authorities of their status and adopt the measures needed to comply. As cyber threats continue to escalate, the NIS2 provision on directors' personal liability places unprecedented responsibility on management to ensure that robust cybersecurity measures are in place. Companies have to treat compliance with this directive as a paramount obligation to safeguard their leadership and operations.
Understanding directors' personal liability under the NIS2 Directive
Directors' personal liability under the NIS2 Directive is a major shift in how cybersecurity compliance is enforced. Its Italian implementation states:
“The National NIS Competent Authority may impose on natural persons referred to in paragraph 5 of this article, including administrative and management bodies of essential and important entities as per Article 23, as well as those performing managerial functions at the level of CEO or legal representative of an essential or important entity, the application of the accessory administrative sanction of incapacity to perform managerial functions within the same entity. This temporary suspension is applied until the interested party adopts the necessary measures to remedy the deficiencies or comply with the warnings as per Article 37, paragraphs 6 and 7.”
Key Points:
- Direct accountability: Directors and high-level managers are personally responsible for ensuring compliance with the NIS2 Directive.
- Administrative sanctions: Non-compliance can lead to personal sanctions, including temporary incapacity to perform managerial roles in the same entity.
- Conditional reinstatement: The suspension remains until the director takes corrective actions to address the compliance failures.
Implications of directors' personal liability for lack of compliance
The NIS2 clause on directors' personal liability has several profound implications:
- Operational disruption: The incapacitation of key directors can lead to significant operational challenges and strategic setbacks.
- Reputational damage: Personal sanctions against directors can harm both individual and corporate reputations, affecting stakeholder trust.
- Legal and financial risks: Companies may face increased legal scrutiny and financial penalties due to directors' non-compliance.
Steps to avoid personal liability under the NIS2 Directive
To mitigate the risk of personal liability for lack of compliance, directors should:
- Prioritize compliance as a paramount obligation: Recognize that adhering to the NIS2 Directive is a critical duty requiring immediate attention.
- Implement robust cybersecurity measures: Adopt appropriate technical and organizational measures to manage cybersecurity risks effectively.
- Establish clear governance structures: Define roles and responsibilities for cybersecurity within the management hierarchy to facilitate accountability.
- Foster a cybersecurity culture: Promote awareness and training at all organizational levels to embed cybersecurity into the company's culture.
- Engage regularly with authorities: Maintain open communication with national competent authorities for guidance on compliance obligations.
- Conduct regular audits and assessments: Periodically review cybersecurity policies to ensure they meet the evolving standards of the NIS2 Directive.
Why complying with the NIS2 Directive is a paramount obligation for companies
Given the potential for personal liability of directors under the NIS2 Directive, companies have to treat compliance as a paramount obligation:
- Protecting leadership: Ensuring compliance safeguards directors from personal sanctions, preserving leadership stability.
- Maintaining operational continuity: Avoiding the incapacitation of key managers prevents operational disruptions.
- Enhancing corporate reputation: Demonstrating commitment to cybersecurity strengthens stakeholder trust and market positioning.
- Mitigating legal and financial risks: Compliance reduces the risk of fines, legal actions, and financial losses associated with cyber incidents.
Conclusion
The NIS2 provision on directors' personal liability serves as a critical warning message, elevating cybersecurity from a technical concern to a fundamental aspect of corporate governance. Directors' personal liability for not complying with the NIS2 Directive underscores the importance of proactive measures and diligent adherence to regulatory requirements. Companies have to recognize that complying with this directive is a paramount obligation, and they have to take immediate steps to strengthen their approach to cybersecurity, both to protect their directors from personal liability and to contribute to a more secure and resilient digital environment.