Management and board liability for cybersecurity

New cybersecurity rules mean that management may be held liable for breach of duties to ensure compliance and board members may face suspension. The NIS2 Directive, replacing the NIS1 Directive, shall enhance cybersecurity and resilience of organisations across the EU. Countries have until the 17 October 2024 to transpose the measures under NIS2 into national law. Management bodies, including board members, should be prepared for the new regime

NIS2 has an extended scope compared to NIS1. This is because NIS2 eliminates the distinction between operators of essential services and digital service providers and instead classifies entities based on whether they are "essential" or "important", with the result that more sectors and services are now included.

Essential entities include, amongst others, companies operating in sectors of high criticality (e.g. energy, transport, banking and health sectors) who exceed the staff headcount and financial ceilings for medium-sized enterprises, as well as top-level domain name registries or providers of public electronic communications networks irrespective of their size. Important entities encompass all the entities referred to in Annex I (Sectors of high criticality) or II (other critical sectors, e.g. postal and courier services, waste management etc) of the Directive, which do not otherwise qualify as essential entities, including those identified by Member States themselves.

As such, businesses in all types of sectors may fall within the purview of NIS2, regardless of their size. This includes digital service providers, research organisations, public sector bodies, companies operating within the energy, ICT service management or transport sectors, companies working within digital infrastructure and companies supplying chemical products or medical devices, to name a few.

NIS2 imposes two main obligations on both types of entities.

Firstly, they must implement appropriate and proportionate technical, operational and organisational measures to manage security risks linked to network and information systems, as well as prevent or minimise the effects of incidents on recipients of their services and on other services.

Secondly, they must, without undue delay, notify the national competent authorities or computer security incident response teams (CSIRTs) of any data security incident that significantly affects the service they provide. Where appropriate, the entity must also notify the recipients of the service of significant events that are likely to have a negative impact on the provision of the service.

If entities fail to comply with either one of these obligations, they may be subject to administrative fines. Essential entities face a maximum fine of EUR 10 million or 2% of annual worldwide turnover (whichever is higher), while important entities face a maximum fine of EUR 7 million or 1.4% of annual worldwide turnover (whichever is higher).

Whereas essential entities will be subject to an ex ante and ex post supervisory regime by competent authorities as of the introduction of NIS2, important entities will be subject to ex post supervision (meaning that action is only taken if authorities receive evidence of non-compliance).

Another significant change resulting from NIS2 is the increased responsibilities imposed upon management bodies. NIS2 does not define who is considered a member of a "management body", but boards of directors and certain executives are likely to fall within its scope.

Management bodies of essential and important entities must approve the cybersecurity risk-management measures required under NIS2 and oversee their implementation. Moreover, they may even be held personally liable for the entity's failure to adopt and comply with such measures.

In relation to essential entities, NIS2 requires that natural persons acting as a legal representative of an essential entity on the basis of their power to represent it, the authority to take decisions on its behalf or the authority to exercise control of it, have the power to ensure the essential entity's compliance with NIS2. National law must also hold such natural persons liable for breach of their duties to comply with NIS2. This rule applies in a similar way to the supervisory and enforcement measures that may be imposed upon important entities.

Consequently, management bodies, such as the chairman of the board, may assume personal liability for breach of the cybersecurity rules, exposing them to significant potential penalties. Though such penalties will be subject to the rules of individual EU Member States, NIS2 requires that the penalties are effective, proportionate and dissuasive. One potential penalty may, for example, include suspension from the board.

In light of the increasing responsibilities, management bodies of both essential and important entities should consider adopting the following measures to ensure compliance with NIS2: 

• Implement the required training procedures and make sure that employees are also offered relevant training;
• Conduct a thorough assessment of the risks posed to the security of the network and information systems which the entity uses for their operations or for the provision of their services;
• Evaluate what technical, operational and organisational measures are required based on the findings of the risk assessment;
• Complete annual cybersecurity audits;
• Adopt an operational procedure so employees can report on security incidents, and are aware of how to comply with reporting obligations;
• Complete vendor risk assessments before engaging new IT suppliers or service providers.
  
  

Norway
On 23 August 2023, the Norwegian government announced that its preliminary assessment is that NIS2 is EEA-relevant and acceptable for Norway.

Sweden
On 23 February 2023, the Swedish government decided to appoint a special investigator to propose the adaptations of Swedish law that are necessary for the implementation of NIS2.¹ The assignment is ongoing and shall be reported back to the Swedish government no later than 23 February 2024. The Swedish government has stated that violations of NIS2 should not be subject to criminal liability, but we do not yet know how NIS2 will change directors' and CEO's personal administrative or civil liability² under Swedish law.

<sup>1 Dir. 2023:30, Genomförande av EU:s direktiv om åtgärder för en hög gemensam cybersäkerhetsnivå i hela unionen och EU:s direktiv om kritiska entiteters motståndskraft.

2 Dir. 2023:30 p. 9.</sup>