Management obligations under NIS2

Management obligations under NIS2 are the responsibilities the directive places directly on the leadership of in-scope entities. Where IT security was once routinely delegated to a technical department, the NIS2 Directive explicitly addresses managing directors and the board. They must actively approve the risk-management measures required by Article 21 NIS2, oversee their implementation, and cannot escape accountability through delegation. Cybersecurity thereby becomes a genuine leadership duty rather than a purely operational matter.

The obligations fall into three core areas. First, the duty to approve: management must formally authorise the specific technical and organisational risk-management measures and satisfy itself that they are appropriate. Second, the duty to oversee: the implementation and effectiveness of the measures must be monitored on an ongoing basis, for example through reporting, key indicators and internal audits. Third, a training duty: members of management bodies must take part in training so they can assess cybersecurity risks and management practices, and they are expected to offer comparable training to their employees.

Breaching these duties carries significant sanctions. Article 20 NIS2 and its national transposition in the German NIS2 Implementation Act provide that management bodies can be held responsible for the entity's failure to comply with its cybersecurity obligations. A personal internal liability towards the entity itself is under discussion, and any contractual or advance waiver of such claims is intended to be void. In addition, substantial fines apply - up to EUR 10 million or 2 percent of total worldwide annual turnover for essential entities. Careful documentation of approval, oversight and training therefore serves both to discharge the duty and to limit liability.