NIS2 Management Liability: What German Executives Owe
Under Germany's NIS2UmsG, management is personally liable for cybersecurity oversight. What CTOs, CISOs and boards are now accountable for.
Cybersecurity has long been treated, inside many German enterprises, as something the IT department handles and the board hears about only when something breaks. Germany's NIS2 implementation act ends that arrangement. Since the NIS2UmsG applied on 6 December 2025 — with no transition period — the management body of an in-scope organisation is personally on the hook for cybersecurity governance. This is not a metaphor or a soft "tone from the top" expectation. It is a concrete legal duty with personal liability behind it.
This post is for the people who now carry that duty: managing directors, CTOs, CISOs and board members at European enterprises operating in Germany. We focus on what executives are actually accountable for, where the personal liability bites, and how to build oversight you can defend.
TL;DR — Key takeaways
- The duty is personal and non-delegable. Management must approve and supervise the cybersecurity risk-management measures. You can delegate the work, never the accountability.
- Liability attaches to the oversight failure, not only to a breach. A board that never reviewed or approved the measures is exposed even on a quiet day.
- Fines reach EUR 10M or 2% of global turnover, and supervisory measures can target management directly.
- No transition period applied. The NIS2UmsG has bound in-scope entities since 6 December 2025; the BSI registration deadline of 6 March 2026 has passed, and late registration remains required.
- Evidence is the defence. Minuted approvals, a reporting cadence, completed management training and a tracked risk register are what distinguish active oversight from negligent sign-off.
Why management liability is the real story of NIS2
Most NIS2 coverage fixates on technical controls and reporting timelines. Those matter. But the structural change that German lawmakers made — and the one that should reach the boardroom — is the explicit allocation of accountability to the management body (Geschäftsleitung). The NIS2UmsG requires management to approve the cybersecurity risk-management measures and to oversee their implementation. It also expects management to undergo cybersecurity training so that approval is informed rather than reflexive.
The legal centre of gravity here is subtle but important: liability does not wait for an incident. The duty is to govern. A management body that has never formally reviewed the measures, never received structured reporting, and never trained has already failed the duty — independently of whether an attacker ever shows up. That reframes cybersecurity from an operational cost centre into a governance obligation sitting alongside financial controls and health-and-safety duties.
In our own delivery work at CC Conceptualise, the hardest part of NIS2 readiness has rarely been the technology. It is getting management to internalise that "we have a good security team" is not, by itself, a defence. The defensible position is "we, the management body, reviewed, approved, are monitoring, and can prove it."
What German executives are now accountable for
The duty breaks down into a small number of distinct obligations. Treat each as something the management body owns, not something IT reports on.
| Obligation | What it means for management | Common failure mode |
|---|---|---|
| Approve risk-management measures | Formally review and sign off the measures as a board act, with minutes | Measures exist as an IT document the board never approved |
| Supervise implementation | Receive and act on a recurring reporting line covering posture and gaps | Board hears about security only after an incident |
| Undergo training | Each member completes documented cybersecurity training | Training treated as optional or skipped at executive level |
| Oversee supply-chain risk | Ensure supplier and ICT-service risk is assessed and tracked | Third-party risk owned nowhere |
| Ensure incident reporting works | Confirm the 24h / 72h / 1-month chain to the BSI functions | Reporting plan exists on paper, never tested |
| Maintain evidence | Keep approvals, minutes, training and risk register current | Oversight cannot be demonstrated retrospectively |
Approval is a legal act, not a formality
The single most overlooked point: the approval of the risk-management measures is itself the regulated act. When the management body minutes its approval, it is discharging a statutory duty. When it does not, the gap is visible to any auditor. We advise clients to treat this approval with the same seriousness as approving the annual accounts — a named, dated, minuted decision.
Supervision means a cadence, not a one-off
Approval at a single point in time is insufficient. The law expects ongoing oversight. In practice that means a defined reporting cadence from the CISO to the board: risk posture, open and recent incidents, supply-chain exposure, and remediation status, each minuted. The cadence is your evidence that supervision is real.
Training is now expected of the board
The NIS2UmsG anticipates that management members complete appropriate cybersecurity training. This is not box-ticking; it is what makes the approval defensible. A board that approves measures it does not understand is approving in name only. Document the training each member completes.
Scope: are you actually bound by this?
Before building governance, confirm you are in scope. The thresholds are size-based within the regulated sectors:
| Classification | Thresholds | Supervisory posture |
|---|---|---|
| Important entity | At least 50 staff or more than EUR 10M turnover | Reactive supervision (ex-post) |
| Particularly important entity | At least 250 staff or more than EUR 50M turnover and more than EUR 43M balance sheet | Proactive supervision, stricter scrutiny |
If you are unsure where you land, the determination is worth getting right early, because it drives which obligations and supervisory intensity apply. Our NIS2 scope test for the NIS2UmsG walks through the classification in detail. Note that being in scope is not a future event — the act has applied since 6 December 2025, with no transition period.
The registration obligation you may have missed
The BSI registration portal opened on 6 January 2026, and the registration deadline was 6 March 2026. If you missed it, the position is straightforward: late registration is still legally required and strongly advisable. Missing the deadline does not remove the obligation; it adds a documented lapse that a supervisor will note. Management should confirm registration status as part of its oversight, not assume IT handled it. For the mechanics, see our BSI registration walkthrough.
Building oversight you can defend
The goal is not perfect security — no regime promises that. The goal is defensible oversight: the ability to show, on demand, that the management body governed cybersecurity actively and competently. Here is the sequence we use with clients.
1. Confirm scope and classification. Run the size-and-sector test and minute the conclusion. This determines which regime binds you.
2. Approve the risk-management measures formally. Move the measures out of the IT drawer and onto the board agenda. Minute the approval as a named, dated decision.
3. Install a reporting cadence. Define a recurring CISO-to-board reporting line covering posture, incidents, supply-chain exposure and remediation. Keep the minutes.
4. Complete and document management training. Each member of the management body undertakes appropriate cybersecurity training and records it.
5. Test the incident-reporting chain. Run a tabletop that exercises the 24-hour early warning, 72-hour detailed report and one-month final report, confirming management's decision points. Our 24/72-hour incident reporting runbook is built for exactly this.
6. Maintain an evidence file. Centralise approvals, minutes, training records and the risk register so oversight can be demonstrated to an auditor or supervisor on demand.
Incident reporting: where management decisions become time-critical
The reporting timeline is where governance meets the clock. Under the regime, an in-scope entity must deliver an early warning within 24 hours, a detailed report within 72 hours, and a final report within one month. The reason this is a management concern, not just an operational one, is that the decision to classify an event as significant — and therefore to start the clock — often requires executive judgement and carries legal weight. If the board has never rehearsed that decision, the 24-hour window will be consumed by confusion. A tested chain is itself evidence of oversight.
Why a strategic engineering partner matters here
NIS2 management liability sits at an awkward intersection: it is a legal duty, but it can only be discharged through genuine engineering and operational reality. A glossy policy document approved by an uninformed board is exactly the kind of paper compliance a supervisor sees through. Conversely, excellent security with no governance trail leaves management exposed.
The work that closes this gap is unglamorous and specific: hardening the controls, wiring the detection and reporting chain so the 24-hour clock is survivable, and giving the board a reporting cadence grounded in real telemetry rather than reassurance. This is where Zero Trust architecture and disciplined DevSecOps stop being buzzwords and become the substance of a defensible oversight story.
If you are a CISO or board member who needs cybersecurity governance that is both technically real and legally defensible, our Zero Trust and cybersecurity practice helps European enterprises build exactly that — oversight you can stand behind, not just policies you can file.
FAQ
Are German executives personally liable under NIS2?
Yes. Under the German NIS2 implementation act (NIS2UmsG), the management body of an in-scope entity must approve and oversee the cybersecurity risk-management measures and cannot fully delegate this duty away. Personal liability attaches to the oversight and approval failure itself, not only to a breach. This is a deliberate shift from treating cybersecurity as a purely operational IT matter.
Can a CEO delegate NIS2 responsibility to the CISO or IT?
Operational implementation can and should be delegated, but the legal duty to approve and supervise the risk-management measures stays with the management body. You can delegate the work; you cannot delegate the accountability. Boards should document how they exercise oversight, including the cadence of reporting they receive and the decisions they sign off on.
What size companies are in scope for NIS2 in Germany?
Important entities are those with at least 50 staff or more than EUR 10M turnover; particularly important entities have at least 250 staff or more than EUR 50M turnover and more than EUR 43M balance sheet total, within the regulated sectors. The NIS2UmsG applied from 6 December 2025 with no transition period, so being in scope means the obligations already bind you.
What are the fines for NIS2 non-compliance in Germany?
Fines reach up to EUR 10M or 2% of global annual turnover, whichever is higher, for the most serious breaches. Beyond the corporate fine, supervisory measures can target management directly. The reputational and supply-chain consequences of a publicised enforcement action often exceed the headline fine.
Did the NIS2 registration deadline pass, and does it still matter?
The BSI registration portal opened on 6 January 2026 and the registration deadline was 6 March 2026. Late registration is still legally required and strongly advisable. Failing to register does not remove your obligations; it simply adds a missed duty to the record an auditor or supervisor will later examine.
What evidence should the management body keep to show NIS2 oversight?
Keep minuted approvals of the risk-management measures, a documented reporting cadence from the CISO to the board, records of training completed by management, and a tracked register of risk decisions with named owners. The test is whether you can demonstrate active, informed oversight rather than passive sign-off after the fact.