Management liability under NIS2: What do you need to know?
Scope of application: when, to whom and where does NIS2 apply?
On 16 January 2023, the NIS2 Directive entered into force. It replaces the NIS1 Directive and aims to increase the European Union’s overall level of cybersecurity. The NIS2 Directive was implemented in Belgium by the law of 26 April 2024 establishing a framework for the cybersecurity of network and information systems of general importance for public safety (hereafter the “NIS2 Law”), which entered into force on 18 October 2024 and started the 30-month transition period.
This article was written by Peter Van Dyck (Partner), Sarah De Wulf (Senior Associate) and Sofia Devroe (Junior Associate), A&O Shearman
The NIS2 Law only applies to private or public entities that provide the services listed in its Annexes I and II. Annex I concerns providers of services in the sectors of energy, transportation, banking, financial market infrastructures, healthcare, drinking water, wastewater, digital infrastructure, B2B ICT service management, public administration and space, whereas Annex II includes providers in the sectors of postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing of certain products, digital providers and research. Organisations that provide multiple services may cover various sectors.
In addition, these entities must be established in Belgium and must qualify as medium or large enterprises. Depending on their size, the entities providing services listed in Annexes I and II of the NIS2 Law are considered either “essential” or “important”. Essential entities usually have more stringent obligations under the NIS2 Law than important entities.
As an exception, some entities fall within the scope of the NIS2 Law regardless of their size or their place of establishment. These exceptions apply, for instance, to providers of public electronic communication networks or publicly available electronic communication services, top-level domain name registries and domain name system (DNS) service providers. Additional or deviating obligations may apply to these entities. Moreover, the Centre for Cybersecurity Belgium may identify additional entities that are subject to the obligations of the NIS2 Law based on the risk that a disruption of their services would pose to public safety, security or health.
Lastly, organisations that are part of the supply chain of an entity subject to the NIS2 Law can also be affected, even where they do not themselves fall within the scope of the NIS2 Law, since in-scope entities may contractually require them to implement cybersecurity measures as part of the in-scope entity’s own supply chain security obligations.
Management liability and sanctions: what is at stake?
Contrary to the NIS1 Directive, cybersecurity expressly ascends to the boardroom under the NIS2 Directive. Not only must management assume explicit responsibilities, it also risks severe penalties for non-compliance. It is important to note that managers are broadly defined under the NIS2 Law as all natural persons who are responsible for an entity or who represent it, which may extend beyond the entity’s traditional board of directors.
The NIS2 Law imposes specific responsibilities on the management of important and essential entities. Firstly, management must approve all cybersecurity risk management measures and oversee their implementation, and risks liability for the entity’s breach of its obligations. Entities that fall under the scope of the NIS2 Law must take technical, operational and organisational cyber risk management measures in order to manage the security risks of their network and information systems. These measures must be appropriate and proportionate to eliminate or reduce the impact of incidents and to ensure a level of security adapted to the existing risks, taking into account both the state of the art and relevant international standards and the cost of implementation. The NIS2 Law lists eleven topics that the measures must cover as a minimum, including risk analysis and information system security policies, cybersecurity training, multi-factor authentication, secured communication and a coordinated vulnerability disclosure policy.
Moreover, members of management bodies must attend cybersecurity training and regularly offer similar training to their employees.
The entity’s management body or its individual members can be held liable for non-compliance with the cybersecurity risk management measures set out above and for non-compliance with the notification obligations. In-scope entities must notify every incident that has a significant impact on the provision of their services and that has caused, or is likely to cause, a serious disruption to the operations of the entity, a financial loss or significant damage to another entity or person. The notification of an incident progresses through five different stages, each with a specific timeline, going from the submission of an early warning without undue delay (and in any event within 24 hours of becoming aware of the incident), followed by an incident notification within 72 hours, to the submission of a final or progress report within one month of the incident notification.
More generally, mismanagement of cybersecurity can lead to liability of the management body or its individual members. We will investigate in a follow-up article whether individual members of the entity’s management can exculpate themselves from collective liability based on an allocation of tasks between board members. To date, the question of whether managers can rely on insurance to cover their (individual) liability for non-compliance with the NIS2 Law also remains a point of discussion.
In addition to the above, non-compliance with the NIS2 Law can have serious consequences for essential entities, including a temporary prohibition on exercising managerial functions and a suspension of the entity’s certification or authorisation to provide the relevant services. Moreover, administrative fines of up to EUR 7 million or 1.4% of the entity’s worldwide annual turnover (for important entities) or EUR 10 million or 2% of the entity’s worldwide annual turnover (for essential entities), whichever amount is higher, can be imposed.
A failure to have appropriate governance and oversight over information security is one of the aggravating factors most frequently cited by supervisory authorities when justifying penalties for security failures. A lack of appropriate staff training and security culture is also frequently referenced when justifying fines, along with a lack of risk assessments to properly understand and mitigate security threats. The frequency of these findings is a clear signal that regulators expect information security to be effectively governed and managed across organisations from top to bottom. Senior leadership teams are expected to be able to demonstrate the effectiveness of security controls with appropriate reports and documentation. This trend of holding entities liable for a lack of security measures increases the liability risk of (individual) managers towards the company itself and towards third parties.
It is worth noting that the NIS2 Law’s liability regime comes in addition to the existing liability regimes under general corporate law and civil law, rather than replacing them. As a result, management can be held liable for non-compliance with the NIS2 Law’s cybersecurity obligations concurrently with contractual liability towards the company (including liability for a breach of the obligation to act in the company’s interest) and liability in tort towards third parties based on the general duty of care. This may be the case, for instance, where management decides to respond to a ransomware attack by paying the ransom demanded, thereby risking contractual liability towards the company as well as liability under the NIS2 Law for cybersecurity mismanagement.
Governance: what can you do?
Compliance with NIS2 requires a shift in mindset. Cybersecurity should not only be a recurring theme on the management’s agenda; all members of the company should be aware of the risks. At the same time, it should be acknowledged that incidents cannot be avoided entirely and must therefore be prepared for. Entities should establish a crisis management and incident response plan that takes a practical approach, focusing on concrete risks, and should adopt further practical measures to decrease the risk of non-compliance with the NIS2 Law. Moreover, management should be provided with clear directions, the authority to act and a cybersecurity budget to ensure an efficient response.
Conclusion
The NIS2 Law’s enhanced cybersecurity framework and associated sanction mechanisms increase the pressure on entities’ management to fine-tune their cybersecurity strategy.