Kortave
NIS2 | 28 April 2025 | 7 min read

NIS2 Is Being Enforced. Here Is Who Is Actually Liable.

NIS2's management liability provision is the provision most companies have not read. Directors can be personally fined and temporarily banned from management roles.

NIS2 entered into application across the EU in October 2024. Most coverage has focused on its expanded scope — the near-tripling of covered sectors compared to NIS1 — and the new incident reporting timelines. What has received less attention is the provision that fundamentally changes how cybersecurity compliance is managed inside organisations: management liability.

What management liability means in NIS2

Article 20 of NIS2 places explicit personal liability on the management bodies of essential and important entities. Management bodies must approve the cybersecurity risk management measures their organisation implements, oversee implementation, and can be held liable where non-compliance occurs.

The consequences are not abstract. Article 32(6) allows competent authorities to temporarily prohibit individuals found responsible for NIS2 infringements from performing management functions — essentially, a ban on serving as a director or senior executive. This power exists for essential entities and goes beyond anything available under NIS1.

This is a significant departure from the previous regulatory posture, where cybersecurity failures were treated as organisational failures attracting fines against the entity. NIS2 makes it a personal governance failure attracting consequences against the individual.

The training requirement that few have read

Article 20(2) requires that the members of management bodies "follow training" on cybersecurity and "encourage their employees to do so on a regular basis." This is not a soft recommendation. It is a binding requirement. Competent authorities can take it into account when assessing compliance.

In practice, this means organisations need to document that their board and senior management have received cybersecurity awareness training, what that training covered, when it took place, and when the next session is scheduled. A one-hour session in 2022 is not sufficient in 2025.

Who counts as an essential or important entity?

NIS2's scope is broadly defined and the implementing regulations in each member state determine exact thresholds. In general terms:

  • Essential entities are large organisations (250+ employees or €50m+ turnover) in: energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, ICT service management, public administration, and space sectors.
  • Important entities are medium organisations (50+ employees or €10m+ turnover) in: postal and courier services, waste management, chemicals, food production, manufacturing (medical devices, vehicles, electrical equipment, machinery, computers, motor vehicles), digital providers, and research organisations.

Critically, member states can extend the scope to smaller entities in certain sectors. Germany, the Netherlands, and Belgium have all indicated they will apply NIS2 more broadly than the directive's minimum requirements.

Incident reporting: three deadlines, not one

Unlike GDPR's single 72-hour breach notification window, NIS2 uses a three-stage reporting process for "significant incidents":

  • Early warning — within 24 hours of becoming aware of the incident. A short notification to the national CSIRT or competent authority.
  • Incident notification — within 72 hours. Includes initial assessment of severity, impact, and indicators of compromise where available.
  • Final report — within one month of the incident notification. Full description of the incident, root cause, mitigation measures, and cross-border impact where relevant.

A "significant incident" is one that causes or could cause severe operational disruption or financial losses, or has affected or could affect other natural or legal persons by causing considerable material or non-material damage. This is a broad threshold. Organisations should err on the side of reporting rather than waiting for certainty.

Supply chain risk is now your problem

Article 21(2)(d) requires that cybersecurity risk management measures address the security of the supply chain — "including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

This means you cannot achieve NIS2 compliance in isolation. You need to assess the cybersecurity posture of your direct suppliers, incorporate security requirements into supplier contracts, and monitor the threat landscape affecting your supply chain. For organisations that rely heavily on third-party SaaS, cloud infrastructure, or managed service providers, this is operationally significant.


NIS2 is not a regulation you can defer to a future compliance cycle. National authorities are already conducting investigations, and the management liability provisions mean that a significant incident without an adequate compliance programme is a personal risk for directors, not just an organisational one. The time to establish your programme is before the incident, not after.
