Cybersecurity is a management responsibility – no longer just a buzzword, but a real liability trap.
Dear fellow CEOs, your D&O insurance covers a lot – but not what is coming your way as of December 6, 2025.
NIS2 has made cybersecurity a matter for executive boards and managing directors – in a legal, not a rhetorical, sense. Anyone who still believes in 2026 that this can be “delegated to IT” is setting themselves up for personal liability.
With the NIS2 Implementation Act (NIS2UmsuCG), a new level of responsibility has come into effect: managing directors and supervisory board members are now subject to legal liability for cyber risks. Section 38 of the BSIG requires management to approve risk management measures, monitor their implementation, and undergo regular training.
More than 90 percent of SMEs rate their own security posture as “good.” However, studies conducted by the BSI indicate quite the opposite: according to their findings, German SMEs meet only 56 percent of the basic security requirements on average.
The gap between “90% believe they are secure” and “56% actually have the basics under control” is exactly the zone where executive liability begins. With average damages of around €100,000 even for small SMEs – and with D&O insurance potentially refusing to pay – the question is: do you really want to take that risk?
When was the last time you formally addressed and documented cyber risk with the supervisory/advisory board – including a resolution?
Expected counterarguments & responses:
• “I don’t understand IT.”
That is exactly the point. §38 BSIG does not require IT expertise; it imposes a training duty on executive management – aimed at risk awareness, not detailed technical knowledge.
• “We have an IT manager.”
Delegating responsibility has not been sufficient since the KonTraG. With NIS2, it is definitively no longer acceptable.
• “Fines are probably not that serious.”
Perhaps. But the bigger risk is liability claims under §43 GmbHG (breach of duty of care) by shareholders – an often-underestimated escalation level.

