27.04.2026

NIS2: new cybersecurity obligations for boards on Infor.pl

NIS2 and the personal liability of management – what does the new directive really change?

New cybersecurity regulations are entering a decisive phase. The NIS2 Directive, which has already been implemented in Poland, significantly changes the approach to responsibility for the security of information systems. Importantly, the new rules introduce personal liability for members of management, including in medium-sized enterprises.

These changes are discussed by Alicja Szyrner, Associate and attorney-at-law from our TMT practice, in an article published on Infor.pl. The publication clearly explains why cybersecurity is no longer solely a technical matter and has become a real area of legal risk for management boards.

Management board liability under NIS2

As the author emphasizes, the NIS2 Directive explicitly requires senior management to be actively involved in the information security management system. Responsibility is no longer limited to the formal approval of documents or internal procedures.

It also includes supervision over their implementation, regular cybersecurity risk assessments, and ensuring effective responses to cybersecurity incidents. As a result, cybersecurity becomes an integral part of day-to-day corporate governance.

The new regulations also provide for specific legal consequences in the event of a failure to exercise due diligence. These include not only significant financial penalties for organizations, but also the personal liability of members of management, which marks a substantial shift in existing market practice.

NIS2 also applies to medium-sized companies

The article also highlights that NIS2 is not a regulation intended exclusively for the largest entities or the public sector. The new obligations also apply to medium-sized enterprises, including those operating in the technology, digital services, infrastructure and regulated sectors.

Failure to properly prepare an organization for the new requirements may result not only in administrative sanctions, but also in serious business consequences, including loss of customer trust, contractual issues and reputational risks.

Why is it worth reading the full publication?

Alicja Szyrner’s article offers a practical and concise overview of the key aspects of the NIS2 Directive from the perspective of management and executive liability. It is particularly valuable reading for decision-makers who want to consciously manage cybersecurity risks and adapt their organizations to the new regulatory landscape.

We encourage you to read the full article on Infor.pl:
NIS2 introduces personal liability of management – what do the new regulations mean in practice?
