Key takeaway: NIS2 makes individual board members personally accountable for cybersecurity oversight. Article 20 is the duty, Article 32(5) is the sanction, and national transpositions add the financial bite. The defence is not legal interpretation, it is documented due diligence: approved programme, evidenced training, named owners, and a board minute trail that a supervisor can read in 15 minutes.

In the corporate world before NIS2, cybersecurity sat where IT sat. A CISO reported quarterly. The board noted the update. If anything went wrong, the company carried the liability and the directors carried very little of it personally. NIS2 broke that arrangement, deliberately. The directive places the cybersecurity programme on the desk of the management body and ties personal consequences to failures of governance, not just to operational missteps.

This article walks through the liability mechanics in plain language, with specific reference to the Dutch implementing law (Cyberbeveiligingswet) where it adds teeth on top of the directive. The aim is practical: by the end you should know which articles to read, what each one actually does to you personally, and what evidence reduces your exposure if a supervisor opens a file with your name on it.

What "personal liability" actually means under NIS2

Liability under NIS2 attaches to the management body of essential and important entities. That term is the directive's import from EU corporate law: it covers the statutory board of directors, supervisory board, or equivalent governance organ that takes binding decisions for the entity. In a two-tier structure, both the executive board and the supervisory board are inside the perimeter. Senior managers below the statutory board are not automatically in scope, although they often attend the same training sessions.

Three categories of personal consequence sit underneath the directive: administrative fines (where national law allows), temporary suspension from managerial functions, and public disclosure of supervisory decisions. Each can land on a named individual rather than the entity. A director with a public finding against their name carries that record into every future board seat and D&O insurance application.

NIS2 director liability in the Netherlands: what the Cyberbeveiligingswet adds

The Cyberbeveiligingswet is the Dutch implementation of NIS2. On director liability it adds three elements on top of the directive itself. First, an explicit power for the supervisor to fine a director personally where it is shown that the director knew of cybersecurity deficiencies and did not remedy them. Second, the power to impose a temporary ban from managerial functions, in line with Article 32(5) of the directive, for essential entities. Third, publication of administrative decisions in which the director is named.

Enforcement is divided among several authorities, depending on the sector. For most essential and important entities the Rijksinspectie Digitale Infrastructuur (RDI) is the primary competent authority, with shared sectoral competence for energy, transport and healthcare. A personal administrative procedure against a director follows the same path as a procedure against the entity, but produces a separate decision bearing the director's name.

Practical consequence: two parallel procedures can run for one and the same incident. The supervisor can impose an entity-level fine on the organisation and at the same time issue a personal decision against a named director. For the director that means a separate defence, with separate legal costs, separate evidence requirements, and a separate reputational outcome.

The three liability mechanics that matter to directors

Stripped of legal language, three mechanisms produce personal consequences for board members under NIS2 and national transpositions. Understanding which one applies in which situation matters because the defence is different for each.

1. Direct supervisory measures against an individual (Article 32(5))

For essential entities, competent authorities can require the temporary suspension of any natural person discharging managerial responsibilities at chief executive officer or legal representative level when the entity has failed to remedy cybersecurity deficiencies. This is the single most consequential sanction under the directive. It is reserved for repeated failure to fix issues that have been formally identified, not for first-time breaches, but the standard of "remedied" is set by the supervisor.

2. Personal administrative fines (national transpositions)

Article 34 of the directive caps entity-level fines at EUR 10 million or 2 percent of worldwide annual turnover for essential entities (EUR 7 million or 1.4 percent for important entities). The directive does not itself fine directors personally, but it allows Member States to do so. Germany's NIS2UmsuCG, Belgium's federal act, and the Dutch Cyberbeveiligingswet each include personal administrative fines against members of the management body who knowingly breach their Article 20 duties. Amounts vary, but the structure is consistent: per infringement, per individual, on top of any entity-level fine.

3. Public disclosure of findings

Several national regulators now publish supervisory decisions, including the names of directors against whom an individual finding has been made. The reputational consequence is harder to insure against than a fine. A directors and officers (D&O) policy can defend the legal proceedings, but a publicly searchable supervisory record sits in every future background check and influences D&O renewal pricing for years.

Article 20 vs Article 21 vs Article 32: where personal liability lives

Three articles drive almost every conversation about director liability. Each does something different, and confusing them is the single most common error in board briefings.

  • Article 20 is the duty. It makes the management body responsible for approving cybersecurity measures, overseeing implementation, and following training. This is where personal duty lives. If you breach Article 20, the supervisor has a hook.
  • Article 21 is the substance. It lists the 10 minimum cybersecurity measures (risk analysis, incident handling, business continuity, supply chain, network security, vulnerability handling, training, cryptography, access control, asset management). Article 20 makes you responsible for these being in place. The Article 21 evidence pack is the evidence of Article 20 oversight.
  • Article 32 is the sanction toolkit. Article 32(4) lists the entity-level measures (binding instructions, audits, fines). Article 32(5) is the personal one: temporary suspension of named individuals. A supervisor reaches for Article 32(5) when Article 20 duties have been clearly breached and Article 21 measures are not in place.

For important entities, Article 33 is the parallel sanction toolkit, with one significant carve-out: it does not contain the personal suspension power that Article 32(5) gives for essential entities. Important entity directors face Article 34 fines and reputational exposure but cannot be barred from their role by NIS2 itself. National law may close that gap.

Real-world enforcement examples from early 2026

The first wave of enforcement decisions in Q1 and Q2 2026 produced a clear pattern: supervisors target governance failures before technical failures. Three illustrative cases from public decisions.

Case 1: regional Belgian utility, March 2026

The entity had operational cybersecurity controls in place but could not produce a training record for any individual board member. The competent authority issued a binding instruction to complete training within 90 days and named the CEO and chair of the supervisory board in the decision. No personal fine, but the names appear in the published supervisory register. D&O renewal premium reportedly increased 40 percent at the next cycle.

Case 2: German mid-cap manufacturer, April 2026

A ransomware incident triggered Article 23 notification. The entity met the 24-hour and 72-hour deadlines, but the incident report revealed that the board had received no incident response training and could not demonstrate it had approved the response plan. BSI issued an entity-level fine and a personal fine against two named board members under the German NIS2UmsuCG personal liability clause. The board members appealed; the case is pending.

Case 3: Dutch healthcare provider, May 2026

A routine supervision visit, not an incident, identified that no Article 21 risk analysis existed and that the previous year's board minutes contained no cybersecurity discussion. The supervisor issued a remediation plan with a 120-day deadline and signalled that failure to remediate would trigger Article 32(5) personal suspension of the bestuursvoorzitter (chair of the board). The entity completed remediation with external help and avoided the suspension. The signal effect is significant.

How due diligence protects you (and what doesn't)

The legal defence against personal liability under NIS2 is documented due diligence. Article 20 does not require directors to be cybersecurity experts. It requires them to behave like board members who took the topic seriously. The evidence of that behaviour is what carries weight during supervision.

What works:

  • Personal training record. Signed attendance, dated agenda, trainer credentials, knowledge check, board minute noting completion. Annual cadence minimum, with event-triggered top-ups.
  • Approved cybersecurity programme. A documented programme that the board has formally approved, tied to Article 21 measures, with named accountable executives and a board-level review cadence.
  • Risk register with accepted residual risk. Risks have been identified, ranked, owned, and either treated or formally accepted by the board with a rationale on file.
  • Evidence pack against each Article 21 measure. One folder per measure, with the artefact a supervisor would ask for: MFA coverage report, restore test results, vendor questionnaire, training records, vulnerability scan results, and so on.
  • Exercised incident response plan. A tabletop or live exercise in the past 12 months, with a written after-action report and follow-up actions tracked to closure.

What does not work:

  • "We trusted the CISO". Article 20 says the duty is the board's, not delegable. A reasonable board challenges and verifies; a board that only listens is not protected by the CISO's competence.
  • "We hadn't been told there was an issue". Supervisors expect the board to ask, not to wait. A risk register that does not list cybersecurity is itself evidence of inadequate oversight.
  • "Cybersecurity is in the strategy document". Strategy intent without an Article 21 evidence pack and a training record carries no weight.
  • "Our D&O policy covers this". It covers defence costs. It does not cover fines, and it does not protect against a public finding.

D&O insurance and director indemnification: what's covered

Most directors of in-scope entities carry directors and officers (D&O) insurance, either through a corporate policy or a personal top-up. The 2026 policy market has reacted to NIS2 with three changes that every director should read.

  • Fine exclusions. Administrative fines under NIS2 and GDPR are excluded from almost every 2026 policy. Defence costs, notification expenses, and remediation costs are usually still covered. The fine itself is on you personally.
  • Warranted controls. Policies now list specific cybersecurity controls (MFA coverage, offline or immutable backups, EDR percentage) that must be in place for cover to respond. A breach of a warranty can void the claim, even when the rest of the policy looks generous. The control evidence your insurer wants is the same evidence your regulator wants. Building it once for both is efficient.
  • Panel responders. Many policies now require the use of named incident response firms, forensic providers, and legal counsel. Calling your own preferred vendor without approval can make those costs non-claimable.

Company indemnification of directors via the articles of association is permitted in most EU jurisdictions for civil claims, but typically not for administrative fines or for findings of fraud or wilful misconduct. A director who is found to have knowingly breached Article 20 duties cannot be made whole by the company under most national rules.

A 6-step personal liability checklist for board members

Six concrete actions any board member of an in-scope entity should take in the next 90 days. Each produces evidence on file that supports a due diligence defence.

  • 1. Confirm scope. Ask formally whether the entity is essential or important under Article 3, document the answer in board minutes, and link it to the relevant sector annex. If the answer is uncertain, request a scope assessment. The NIS2 scope check tool is a useful starting point.
  • 2. Complete training. Sit a tailored Article 20 training session, signed and minuted. Refresh annually. Board training under Article 20 walks through what the curriculum must cover.
  • 3. Read the Article 21 evidence pack. Ask to see the binder, folder, or shared drive that maps each of the 10 Article 21 measures to current controls and evidence. If it does not exist, that is the first gap.
  • 4. Verify the risk register and residual risk. Confirm the register exists, that residual risk has been formally accepted with a documented rationale, and that cybersecurity is on the standing agenda of the audit or risk committee.
  • 5. Test the incident response plan. Push for a tabletop exercise in the next quarter. Article 23 notification deadlines (24 hours, 72 hours, one month) cannot be met by improvisation. The incident reporting playbook covers what evidence supervisors expect after an incident.
  • 6. Read your D&O policy. Specifically the warranted controls clause, the fine exclusions, and the panel responder list. Then ask the CISO whether the control evidence package matches the warranties.

Frequently asked questions

Can directors be held personally liable under NIS2?

Yes. Article 20(1) makes members of the management body responsible for approving and overseeing cybersecurity measures, and liable for infringements. Article 32(5) allows supervisors to impose a temporary ban from managerial functions on named directors of essential entities that fail to remedy deficiencies. Several national transpositions, including the Dutch Cyberbeveiligingswet, add administrative fines against individual directors.

What is the maximum personal NIS2 fine for a director?

Article 34 caps entity-level fines at EUR 10 million or 2 percent of worldwide annual turnover for essential entities (EUR 7 million or 1.4 percent for important entities). Personal fines for directors are a national addition. In Germany (NIS2UmsuCG) and Belgium (federal act) personal fines run up to EUR 100,000 per infringement. The Dutch Cyberbeveiligingswet uses a comparable range, with liability enforced through a fine per financial year and a temporary ban from office.

Which NIS2 articles deal with personal liability of directors?

Article 20 (governance and training duties), Article 23 (responsibility for incident notification), and Article 32(5) (ban from office imposed by the competent authority). Article 20 is the substantive core: it makes the management body personally responsible for approval and oversight of cybersecurity measures, plus a training obligation for each member. Article 32(5) contains the most concrete sanction: a temporary ban on exercising managerial functions.

Does my D&O insurance cover NIS2 director liability?

Partly. Defence costs, legal fees and notification costs are usually covered. Administrative fines imposed by the supervisor are explicitly excluded from almost every 2026 policy. A ban from office is not a claim, so the policy offers no cover for it. Also check whether the policy contains a 'warranted controls' clause requiring MFA, backups or EDR to be in place; if those are not met, the claim can be rejected.

What counts as sufficient due diligence to limit personal liability under NIS2?

Five building blocks that supervisors consistently accept: documented NIS2 training per director with signature and agenda, board minutes showing that cybersecurity is a standing agenda item, an approved risk register with accepted residual risk, an evidence pack against the Article 21 measures, and proof of an exercised incident response plan. Missing any one of these makes a personal finding during supervision much more likely.

Does NIS2 director liability also apply to supervisory board members in a two-tier structure?

Yes. Article 20 uses the term 'management body' consistently with EU corporate law: in a two-tier structure that covers both the executive board (raad van bestuur) and the supervisory board (raad van commissarissen). Both bodies have training duties and can be held personally accountable for deficiencies in approval and oversight. Managers below board level do not automatically fall under Article 20, but may still be reached under national law through general liability rules.

What should I do as a director if the organisation has no NIS2 programme yet?

Start with three actions that produce evidence within 30 days. One, formally request a scope assessment and record the request in the board minutes. Two, schedule an Article 20 training session for the whole management body and keep the attendance list and agenda. Three, have an Article 21 gap analysis performed by a certified Lead Implementer and ask for a 90-day remediation plan with named owners. These three steps are often enough to prevent a personal supervisory finding, even if the organisation itself is not yet fully compliant.
