NIS2 — Personal Liability of Management: What You Need to Know Now as a CEO
With Austria's NISG 2026, something fundamental changes: cybersecurity is no longer just an IT topic. It is a liability topic for management — personally.
Article 20 of the NIS2 Directive makes it clear: governing bodies must approve the cybersecurity measures, oversee their implementation — and attend training themselves. In case of breach of duty, not only corporate fines loom, but also personal consequences for managing directors.
What Article 20 NIS2 Says About Management Responsibility
The NIS2 Directive puts management under obligation in three ways.
First, the approval obligation: management must formally approve the cybersecurity risk-management measures. That means it is not enough to "let the IT department handle it". Management must know, understand, and sign off on the measures.
Second, the oversight obligation: implementation of the measures must be supervised by management. That presupposes regular reports exist — and that management actually takes note of them and responds.
Third, the personal training obligation: the members of the governing bodies must attend training themselves. Not delegated, not via email summary — in person.
Fines and Sanctions
The sanctions in the NISG 2026 are substantial. For essential entities, fines of up to 10 million euros or 2 percent of worldwide annual turnover can be imposed — whichever amount is higher. For important entities, the ceiling is 7 million euros or 1.4 percent of turnover.
Beyond that, the competent authority can temporarily prohibit individuals from exercising managerial functions. That is the personal dimension: it is not the company that is punished, but the responsible person.
Three Steps to Protect Yourself as a Managing Director
The first step is your own training. Managing directors should complete a documented security awareness training — with certificate and date. It does not have to be a full-day event. A structured online training covering the relevant threat scenarios fulfills the requirement. What matters is the documentation.
The second step is mandating and evidencing employee training. Management should pass a formal resolution requiring all employees to complete regular security awareness training. This resolution, combined with the training records, documents the duty of care.
The third step is regularity. A one-off training is not enough. Management must ensure training is repeated — at least annually — and that new employees are trained promptly.
How a Training Program Reduces Liability
A documented, regular training program is the most direct way to reduce personal liability. In the event of a security incident, the question will be: "Did you take appropriate measures?" Whoever can prove that employees were trained, phishing simulations were conducted, and results were documented stands in a far better position than a company with no awareness measures at all.
Evidence of "appropriate measures" is no guarantee against liability — but it is the strongest defense a managing director can have.
This article is for general information and does not replace legal advice.
Start with the free security awareness training for your company. Learn more in the free security awareness training.
Start for free →