§38 BSIG

NIS2 Management Liability

§38 BSIG makes CEOs and managing directors personally liable for cybersecurity failures – a first in German law.

§38 BSIG introduces something unprecedented in German cybersecurity regulation: personal liability for management. The Geschäftsführung of every company subject to NIS2 – whether GmbH, AG, or KG – is now personally responsible for ensuring cybersecurity measures are implemented, overseen, and maintained. This is not delegable to the IT department.

This is entirely new. Under the original NIS1 framework (the previous IT-Sicherheitsgesetz), liability rested with the company as a legal entity. §38 BSIG changes the game: individual managing directors can now be held liable with their personal assets if they fail to fulfill their cybersecurity duties. The law explicitly references Geschäftsleiter – the people who sign on behalf of the company.

The law defines three core duties for management: approval (Billigung) of cybersecurity measures, oversight (Überwachung) of their implementation, and personal training (Schulung) in cybersecurity. Failing any one of these creates personal liability exposure – even if the company itself has implemented reasonable measures.

Three Core Duties
§38(1) BSIG defines three obligations that management must fulfill personally. These cannot be delegated to employees, consultants, or external service providers.
1. Approval (Billigung)

Management must formally approve the cybersecurity risk management measures required under §30 BSIG. This means reviewing and signing off on the company's information security policies, risk assessments, and treatment plans. A verbal 'go ahead' is not sufficient – you need documented, traceable approval with timestamps and signatures.

2. Oversight (Überwachung)

Management must actively oversee the implementation of approved measures. This means regular status reviews, progress tracking, and escalation handling. You must be able to demonstrate that you monitored whether measures were actually implemented – not just that you approved them and walked away. Quarterly management reviews are the minimum defensible frequency.

3. Training (Schulung)

Management must personally complete cybersecurity training to develop sufficient knowledge to evaluate risks and measures. This is not the general employee awareness training from §30(2)(9) – it is a separate obligation specifically for Geschäftsleiter. The training must be adequate to understand the company's risk profile, the measures in place, and the residual risks accepted.

What Happens When You Fail
The BSIG establishes a tiered enforcement regime. The BSI can issue orders, impose fines, and in severe cases, prohibit management from exercising their duties. Here are the specific consequences for common violations.

No cybersecurity measures implemented

Fines up to €10 million or 2% of global annual turnover (whichever is higher) under §65 BSIG for besonders wichtige Einrichtungen. For wichtige Einrichtungen: up to €7 million or 1.4% of turnover. Management faces personal liability claims from the company for damages resulting from the violation.

Incident not reported to BSI

§32 BSIG requires initial notification within 24 hours, follow-up within 72 hours, and final report within one month. Missing these deadlines triggers enforcement action. If management was aware of an incident and failed to ensure reporting, personal liability applies under §38 for oversight failure.

Management hasn't completed training

Direct violation of §38(1) BSIG. This is the easiest violation for the BSI to prove – either you have training records or you don't. It also undermines your defense on all other points: how can you claim adequate oversight if you lack the training to evaluate what you're overseeing?

No active oversight of implementation

If measures were approved but management cannot demonstrate ongoing oversight (review meetings, status reports, escalation records), the approval alone is insufficient. The law requires all three duties. Approving without overseeing is like signing a contract without reading it – you're still on the hook.

Common Misconceptions
In conversations with German Mittelstand companies, we encounter the same misunderstandings repeatedly. All of them create false security.
  • I can delegate this to the IT department

    You can delegate execution, but not responsibility. §38 BSIG explicitly names Geschäftsleiter – not IT managers, not CISOs, not external consultants. You must personally approve, oversee, and be trained. Your IT team implements; you approve and monitor. The distinction matters in court.

  • D&O insurance covers NIS2 liability

    Most D&O policies exclude regulatory fines and penalties. Even where civil liability claims are covered, insurers can deny claims if management knowingly failed to comply with statutory duties. Check your policy's exclusion clauses – 'failure to comply with mandatory regulations' is a standard exclusion in German D&O policies.

  • I'm not technical – I can't be held responsible

    §38(3) BSIG imposes the training obligation precisely to eliminate this defense. The law assumes that after completing adequate cybersecurity training, management has sufficient knowledge to fulfill their duties. 'I don't understand technology' is not a defense – it's proof of a training violation.

  • Shareholders can waive my liability

    §38(2) BSIG explicitly states that claims for damages arising from violations of §30 BSIG duties cannot be waived by shareholders, nor can they be settled in a manner that is disproportionate to the company's financial situation. This overrides the normal GmbHG §43 rules. The Gesellschafterversammlung cannot release you from NIS2 liability.

  • We're too small for anyone to care

    The NIS2 scope threshold starts at 50 employees and €10 million turnover. If you meet these thresholds in a covered sector, you are subject to the full regime – including §38 management liability. The BSI has already begun requesting registration from companies in this size range. Size is not a defense; it's a scoping criterion, and you're in scope.

The Personal Risk
Understanding the unique nature of NIS2 management liability under German law.

Here's what catches most managing directors off guard: under §38 BSIG, you are liable to your own company. If the company suffers damage because you failed to implement, oversee, or be trained on cybersecurity measures, the company (or its insolvency administrator, or its shareholders) can claim damages from you personally. This is an internal liability – your own organization can sue you.

§38(2) BSIG contains a provision without precedent in German corporate cybersecurity law: shareholders cannot waive or settle these liability claims if doing so would be disproportionate to the company's financial situation. In practical terms, if the company goes bankrupt due to a cyber incident, the insolvency administrator will come after your personal assets – and the shareholders cannot have waived that right in advance.

The training obligation in §38(3) BSIG is not optional professional development – it is a legal prerequisite that removes ignorance as a defense. Once the law requires you to be trained, your failure to obtain that training is itself a violation. You cannot claim you didn't understand the risks when the law required you to learn about them.

Three Steps to Protect Yourself
The good news: fulfilling your §38 BSIG duties is straightforward if you approach it systematically. These three steps create the documented trail that protects you.
1. Formally approve cybersecurity measures

Review the risk assessment, security policies, and treatment plans prepared under §30 BSIG. Sign off with your name, date, and role. Store the approval in an auditable system – not in an email inbox. This creates the documented evidence that you fulfilled your Billigung duty. Repeat whenever measures are materially changed.

2. Establish oversight processes

Schedule quarterly management reviews of cybersecurity status. Review implementation progress, open risks, incident reports, and effectiveness metrics. Document attendance, decisions, and action items. This creates the continuous trail proving your Überwachung duty – not just a one-time approval, but ongoing engagement.

3. Complete cybersecurity training

Complete a training program that covers your company's threat landscape, the §30 BSIG measures, incident reporting obligations, and your personal duties under §38. Document the training: provider, date, content covered, certificate if available. Refresh annually. This eliminates the ignorance defense gap and fulfills your Schulung duty.

Demonstrate Your Compliance
The NIS2 compliance platform tracks management approvals, oversight activities, and training completion – creating the auditable evidence trail that protects you personally under §38 BSIG.