Beyond the firewall: directors' liability under the NIS2 Directive

In an era in which digital threats evolve faster than ever, the NIS2 Directive is meant to arm organizations against cyber attacks and other digital threats from the autumn of 2024 onwards. The European directive sets stricter security standards for organizations themselves, but it also assigns a role to their directors. Directors, however, still appear to have insufficient insight into their own liability for the cybersecurity measures that will become mandatory; the FD (Het Financieele Dagblad) ran a headline to that effect earlier this month. But what exactly does this role for directors entail, and what is at stake for them? This blog focuses on directors' liability in light of the NIS2 Directive and closes with some practical tips on how to avoid it.

#tech
#cybersecurity

Date: May 08, 2024

Modified January 15, 2025

Written by: Daniek Regterschot and Bram Goudkamp

Reading time: +/- 4 minutes

What is the NIS2 Directive?

The NIS2 Directive is European legislation aimed at strengthening cybersecurity within the European Union. The directive, an update and extension of the original NIS Directive, aims to ensure a high and consistent level of security of network and information systems across the Union. In principle, the obligations of the directive apply only to medium-sized and large organizations in specific sectors, such as the production, processing and distribution of food, the manufacture of (among other things) medical devices, electrical equipment and means of transport, and companies offering digital services. This tool allows you to assess whether your company is an important or essential entity and therefore falls within the scope of the NIS2 Directive.

Four types of obligations

The obligations under the NIS2 Directive fall into four types. First, there is a registration obligation for all entities covered by the directive, which should give a picture at the European level of how many entities fall under NIS2. Second, there is a notification obligation: organizations must report a significant incident to the regulator (and, where applicable, the Computer Security Incident Response Team (CSIRT)), with an early warning due within 24 hours of becoming aware of the incident. Third, there is a duty of care: organizations must carry out their own risk assessment and, on that basis, take appropriate measures to protect their systems. Finally, organizations within the scope of the directive are subject to supervision. Essential entities are subject to both proactive (ex ante) and reactive (ex post) supervision, whereas important entities are subject to reactive (ex post) supervision only.

Directors' liability under the NIS2 directive

If an organization fails to take adequate measures to manage cyber risks or fails to report incidents, the regulator can impose a fine. But the NIS2 Directive can have more far-reaching consequences for a director personally: acting in breach of the NIS2 Directive can lead to directors' liability.

Improper management and serious misconduct

In principle, a director cannot simply be held liable for a company's failure to comply with its obligations. That changes if the director has improperly performed his or her duties and can be personally and seriously blamed for it. This is not easily established; the threshold for directors' liability is high, and for good reason. Doing business involves taking risks, and directors should not be driven by defensive considerations. Against that background, it is notable that the NIS2 Directive contains a provision that specifically requires member states to ensure that directors can be held liable.

Liability for non-compliance with the directive

Under the directive, the management body must approve the cybersecurity risk-management measures and oversee their implementation, and it must ensure that the obligations of the directive are met. The flip side of these powers and duties is that directors can be held liable for damage resulting from non-compliance with the directive. For example, the NIS2 Directive requires measures for handling incidents. If such measures are not taken, production subsequently comes to a halt and a customer suffers damage as a result, the director could be held liable for that damage.

4 tips to avoid liability

To avoid being held liable as a director, you must ensure that all obligations of the NIS2 Directive are met. Although the national implementing legislation has not yet entered into force, it is wise to start preparing now. We recommend taking the following steps:

  1. Take stock of how the NIS2 Directive applies to your company

Although having cybersecurity in order is always important, organizations covered by NIS2 are bound by minimum requirements. It is therefore important to assess whether your company falls within its scope.

  2. Provide a clear cyber policy

Under the NIS2 Directive, both preventive and reactive measures must be taken. To draft an appropriate policy, you would do well to analyze and audit your company (or have this done) so that the policy is tailored to your company.

  3. Take a course or training

Most directors are unlikely to have the requisite knowledge of cybersecurity and cyber incidents at their fingertips. Nevertheless, it is directors who run the risk of personal liability, and they must have sufficient knowledge and skills to identify risks and act on them. To be able to judge this properly, a director should receive cybersecurity training.

  4. Discuss cybersecurity throughout the organization

A large proportion of cyber incidents originate in attacks from outside. Nevertheless, the cause of an incident can also lie within the organization itself. So make sure that all employees are aware of the risks and of the procedure to follow once an incident has occurred.

Conclusion

With the advent of the NIS2 Directive, a risk emerges for directors. They must have sufficient knowledge and expertise to prevent cyber incidents, but also to mitigate the consequences of an incident when one occurs. All the more reason to face the NIS2 Directive well prepared.


Want to know what the NIS2 Directive means for your business? Contact one of our specialized IT attorneys. They will be happy to help you further.
