NIS-2 - Personal liability of the management for cyber security
The NIS 2 Directive requires the EU member states to adapt their national laws so that the entities covered by the Directive increase their security and resilience.
The NIS 2 Directive stipulates certain minimum security requirements, whose wording is largely identical to that of the upcoming German implementation law, the NIS 2 Implementation and Cyber Security Strengthening Act (NIS-2-UmsuCG). These requirements are set out in Section 30 (4) BSIG-E as follows:
Measures [...] must be based on a cross-hazard approach aimed at protecting the information technology systems, components and processes and the physical environment of these systems from security incidents and must include at least the following:
1. Concepts related to risk analysis and security for information systems,
2. Management of security incidents,
3. Business continuity, such as backup management and disaster recovery, and crisis management,
4. Supply chain security, including security-related aspects of relationships between individual entities and their direct vendors or service providers,
5. Security measures for the acquisition, development and maintenance of information technology systems, components and processes, including vulnerability management and disclosure,
6. Concepts and procedures for assessing the effectiveness of cyber security risk management measures,
7. Basic cyber hygiene procedures and cyber security training,
8. Concepts and procedures for the use of cryptography and encryption,
9. Personnel security, access control concepts and asset management,
10. Use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and, where appropriate, secure emergency communication systems within the facility.
Section 30 (4) No. 4 BSIG-E deserves particular attention: it requires entities to ensure security in their supply chain. With regard to software, for example, this can entail significant new obligations.
Personal liability of the management
To ensure compliance with the numerous requirements of the NIS 2 Directive and the German Implementation Act, the principle that "cybersecurity is a matter for the boss" is made explicit in terms of liability. A new Section 38 BSIG-E is to be introduced with the following wording:
Approval, monitoring and training obligation for managers of particularly important institutions and important institutions
(1) Managers of particularly important institutions and important institutions are obliged to approve the cybersecurity risk management measures taken by these institutions to comply with Section 30 and to monitor their implementation. The commissioning of a third party to fulfill the obligations under sentence 1 is not permitted.
(2) Managers who breach their obligations under paragraph 1 shall be liable to the institution for any damage incurred. Sentence 1 shall not apply to directors of particularly important institutions in the central government sub-sector of the public administration sector.
(3) A waiver by the institution of claims for compensation under paragraph 2 or a settlement by the institution of such claims shall be ineffective. This shall not apply if the party liable to pay compensation is insolvent and makes a settlement with its creditors to avert insolvency proceedings or if the obligation to pay compensation is regulated in an insolvency plan.
(4) Managers of particularly important institutions and important institutions and their employees shall regularly participate in training to acquire sufficient knowledge and skills to identify and assess risks and risk management practices in the area of cybersecurity and its impact on the services provided by the institution.
This establishes an obligation for management to approve the cybersecurity risk management measures taken and to monitor their implementation. If they fail to do so, the managers are, among other things, personally liable to the company for the resulting damage.
It should be noted that this obligation does not apply to all companies, but only to those entities covered by the NIS 2 Directive or the upcoming, reformed BSIG. However, the scope of the companies covered is currently being significantly extended compared to the previous regulation. In addition, the exact threshold values have yet to be defined in a German executive ordinance.
The BSI is also to be granted more extensive powers, which may even extend to the temporary prohibition of management authority (Section 64 (6) No. 2 BSIG-E).
Current legal situation
The liability of the management for the proper organization of the "security systems and structures" in the company is not new. Section 43 (2) GmbHG already applies in Germany as follows:
"Managing directors who violate their obligations are jointly and severally liable to the company for the damage incurred."
A corresponding provision for the AG can be found in Section 93 (2) AktG. These provisions have already established liability of the management in the event of organizational or delegation fault. In particular, Section 91 (2) AktG, which applies not only to a stock corporation but also to a GmbH due to its "spillover effect", stipulates that the management is liable if organizational standards have not been created.
Case law has specified these principles and formulated them as follows, among other things:
"The management board only satisfies such an organizational obligation in the event of a corresponding risk situation if it establishes a compliance organization geared towards damage prevention and risk control."
Section 130 of the German Administrative Offenses Act (OWiG) already imposes liability on the owners of a business or company (including managers) if they fail to take supervisory measures and damage is caused as a result.
In addition, management may be liable for damages if they (unintentionally) participate in infringing or unlawful conduct, for example where, in the course of practical risk decisions, no further investigation is made (e.g. as to the existence of copyrights or patents). Liability can also arise from laws in special areas.
The rule on management liability for failing to implement and monitor cybersecurity measures, which is the relevant point here and is now stipulated at European level by the NIS 2 Directive and generally enshrined in the forthcoming Section 38 BSIG-E, is therefore not entirely new in Germany. However, the introduction of the new section with a slightly different scope of application further increases the liability risk and emphasizes its importance.
Summary
Every company, but especially those in the legal form of a GmbH and AG as well as the companies and institutions covered by the upcoming Section 38 BSIG-E, should urgently check whether all necessary internal structures have been set up to prevent damage, in particular those due to cybersecurity risks. Where necessary, such structures should be introduced as a matter of urgency and regularly reviewed - directly at management level. The mere "delegation" of the entire task, e.g. to an IT department or an external service provider, is not sufficient to "release" the management from liability.