The NIS 2 Directive has issued a significant warning to companies within the European Union: the personal liability of directors for lack of compliance is now a critical issue that cannot be ignored, and the responsible directors must be notified by the end of May 2025.
There are only a few days left before the end of May 2025, when companies that have registered on the Italian National Cybersecurity Agency (ACN) portal will have to provide the additional information requested by ACN.
Among this information, the most important concerns the notification of directors who, pursuant to the provisions implementing the NIS 2 Directive in Italy, are subject to a regime of personal liability for breaches, which assigns unprecedented responsibility to senior management for ensuring the adoption of robust cybersecurity measures. This is a peculiarity currently provided for only by the Italian implementation of NIS 2.
Understanding the Personal Liability of Directors Under the NIS 2 Directive
The personal liability of directors under the NIS 2 Directive represents a major shift in how cybersecurity compliance is enforced. Its Italian implementation states:
“The National NIS Competent Authority may impose on natural persons referred to in paragraph 5 of this article, including administrative and management bodies of essential and important entities as per Article 23, as well as those performing managerial functions at the level of CEO or legal representative of an essential or important entity, the application of the accessory administrative sanction of incapacity to perform managerial functions within the same entity. This temporary suspension is applied until the interested party adopts the necessary measures to remedy the deficiencies or comply with the warnings as per Article 37, paragraphs 6 and 7.”
Key Points:
- Direct Accountability: Directors and high-level managers are personally responsible for ensuring compliance with the NIS 2 Directive.
- Administrative Sanctions: Non-compliance can lead to personal sanctions, including temporary incapacity to perform managerial roles within the same entity.
- Conditional Reinstatement: The suspension remains until the director takes corrective actions to address the compliance failures.
Implications of Directors’ Personal Liability for Lack of Compliance
The NIS 2 personal liability directors clause has several profound implications:
- Operational Disruption: The incapacitation of key directors can lead to significant operational challenges and strategic setbacks.
- Reputational Damage: Personal sanctions against directors can harm both individual and corporate reputations, affecting stakeholder trust.
- Legal and Financial Risks: Companies may face increased legal scrutiny and financial penalties due to directors’ non-compliance.
Steps to Avoid Personal Liability Under the NIS 2 Directive
To mitigate the risk of personal liability for lack of compliance, directors should:
- Prioritize Compliance as a Paramount Obligation: Recognize that adhering to the NIS 2 Directive is a critical duty requiring immediate attention.
- Implement Robust Cybersecurity Measures: Adopt appropriate technical and organizational measures to manage cybersecurity risks effectively.
- Establish Clear Governance Structures: Define roles and responsibilities for cybersecurity within the management hierarchy to facilitate accountability.
- Foster a Cybersecurity Culture: Promote awareness and training at all organizational levels to embed cybersecurity into the company’s culture.
- Engage Regularly with Authorities: Maintain open communication with national competent authorities for guidance on compliance obligations.
- Conduct Regular Audits and Assessments: Periodically review cybersecurity policies to ensure they meet the evolving standards of the NIS 2 Directive.
Why Compliance with the NIS 2 Directive is a Paramount Obligation for Companies
Given the potential for personal liability of directors under the NIS 2 Directive, companies must treat compliance as a paramount obligation:
- Protecting Leadership: Ensuring compliance safeguards directors from personal sanctions, preserving leadership stability.
- Maintaining Operational Continuity: Avoiding the incapacitation of key managers prevents operational disruptions.
- Enhancing Corporate Reputation: Demonstrating commitment to cybersecurity strengthens stakeholder trust and market positioning.
- Mitigating Legal and Financial Risks: Compliance reduces the risk of fines, legal actions, and financial losses associated with cyber incidents.
Conclusion
The NIS 2 provision on personal liability of directors elevates cybersecurity from a technical issue to a fundamental aspect of corporate governance. The personal liability of directors for non-compliance with the NIS 2 Directive emphasizes the importance of proactive measures and diligent adherence to regulatory requirements. Companies must recognize compliance with this directive as a fundamental obligation and take immediate steps to improve their cybersecurity posture. In doing so, they protect their directors from personal liability and contribute to a more secure and resilient digital environment.
ACN has announced that NIS entities that have requested support in finalizing their annual data update will be able to complete the process by July 31. Other companies must submit the data listed HERE by the end of May 2025.
On the topic, you can read the following article: “NIS 2 – The Countdown to Compliance in Italy Has Officially Started”.