The Accountability Shift
For two decades, European cybersecurity regulation followed a predictable pattern: when something went wrong, the entity paid a fine, issued a statement, and moved on. Directors remained shielded behind corporate structures, protected by indemnity clauses and D&O insurance. Cybersecurity stayed comfortably below the board agenda — a technical matter handled by technical people, rarely discussed in the boardroom except in the aftermath of a headline-making breach.
NIS2 (Directive EU 2022/2555), DORA (Regulation EU 2022/2554), and the AI Act (Regulation EU 2024/1689) ended that model. These instruments do not merely raise the ceiling on organisational fines. They reach through the corporate veil and attach personal liability to the individuals who sit on management bodies.
The timeline is no longer theoretical. NIS2 transposition deadlines passed on October 17, 2024. DORA became fully applicable on January 17, 2025. The AI Act's Article 4 AI literacy obligations took effect on August 2, 2025. Across the European Union, an estimated 100,000 or more entities now fall within the scope of at least one of these instruments — and their directors face personal accountability for governance failures.
This is not a distant regulatory risk. It is a present legal reality.
The implications extend beyond the EU's borders. Australia's OAIC enforcement action against Optus (2023-2024) pursued personal accountability for governance failures following a major data breach. The SEC's action against SolarWinds' CISO (discussed below) tested similar boundaries in the United States. A global pattern is emerging: regulators are done accepting that cybersecurity failures are victimless corporate events. They are looking for the individuals who failed to govern.
What NIS2 Article 20 Requires of Management Bodies
Article 20 of NIS2 establishes a governance obligation that is explicit, non-delegable, and individually enforceable. Management bodies of essential and important entities must:
- Approve the cybersecurity risk-management measures adopted under Article 21
- Oversee the implementation of those measures
- Undergo specific cybersecurity training — this is mandatory, not recommended
- Ensure that staff receive regular training proportionate to their roles
The language of Article 20(1) is unambiguous: members of management bodies "can be held liable for infringements" of Article 21. This is not a collective responsibility that dissolves into organisational accountability. It is personal.
The enforcement consequences reflect this. For essential entities, competent authorities may impose administrative fines of up to EUR 10 million or 2% of total annual worldwide turnover, whichever is higher. For important entities, the ceiling is EUR 7 million or 1.4% of turnover. Critically, Article 32(5)(b) empowers authorities to request that competent bodies or courts impose a temporary ban on exercising managerial functions against any natural person held responsible for an essential entity's non-compliance.
A temporary ban on holding management positions is not an abstract penalty. It is a career-ending measure.
It is worth noting what Article 20 does not contain: any exception for directors who delegated cybersecurity to a CISO, CTO, or external service provider. The obligation to approve and oversee cannot be contractually transferred. A board that rubber-stamps a CISO's recommendations without substantive engagement has not fulfilled its Article 20 obligations. The directive requires informed, documented, and active governance.
What DORA Articles 5 and 6 Add for Financial Services
Financial entities subject to DORA face an additional, overlapping governance layer. Articles 5 and 6 require the management body to:
- Define, approve, oversee, and be accountable for the implementation of the ICT risk management framework
- Allocate sufficient budget and resources for ICT security
- Approve and review the digital operational resilience strategy at least annually
- Receive regular reporting on ICT risk, including significant incidents and testing outcomes
- Set and regularly review the organisation's risk appetite for ICT disruptions
- Ensure adequate third-party risk management, including oversight of critical ICT service providers
The scope of DORA is broad. It applies to credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and a range of other financial entities — approximately 22,000 entities across the EU, according to European Commission impact assessments.
The enforcement regime under DORA is distinct. Article 50(4) permits competent authorities to impose periodic penalty payments on natural persons of up to EUR 1 million. Legal persons face fines of up to EUR 5 million — or up to 10% of total annual turnover for financial entities.
Article 52 goes further still, granting member states the discretion to establish criminal penalties for DORA infringements. Where a member state exercises this option, a director's failure to maintain adequate ICT governance is not merely an administrative matter. It is a potential criminal offence.
The interaction between NIS2 and DORA creates a dual-liability exposure for financial institutions. A bank's management body is simultaneously subject to NIS2 governance obligations (as an essential entity providing critical infrastructure) and DORA's ICT risk management requirements. Non-compliance with either regime carries its own enforcement consequences, and the two regimes are enforced by different competent authorities — national cybersecurity agencies for NIS2, financial supervisors for DORA. A single governance failure can trigger parallel proceedings under both instruments.
The AI Act Layer
Article 4 of the AI Act, which became applicable on August 2, 2025, introduces an additional obligation that intersects directly with NIS2 and DORA governance requirements.
All providers and deployers of AI systems must ensure that their staff and other persons involved in the operation and use of AI systems have a sufficient level of AI literacy. The board must assign AI oversight responsibility to a named senior executive, and the organisation must maintain documented training programmes.
Non-compliance with AI Act obligations carries fines of up to EUR 7.5 million or 1% of total annual worldwide turnover. For financial institutions that deploy AI-driven tools — risk scoring, fraud detection, automated compliance monitoring — these obligations stack on top of existing NIS2 and DORA governance requirements.
The cumulative effect is significant. A financial institution using AI-powered security tools now has three concurrent sets of board-level governance obligations, each with its own enforcement regime and personal liability provisions.
The AI Act's definition of "AI literacy" is deliberately broad. It encompasses not merely technical understanding of how AI systems function, but an appreciation of the risks they introduce, the biases they may embed, and the governance structures needed to oversee their deployment. For a board member, this means that a surface-level awareness of AI is insufficient. The obligation demands demonstrable competence in understanding the AI systems their organisation deploys and the risks those systems carry.
How National Transposition Laws Are Raising the Bar
NIS2 is a directive, which means member states must transpose it into national law. Unlike DORA, which is a regulation with direct applicability, NIS2 required each member state to adopt implementing legislation by October 17, 2024. As tracked by DLA Piper's NIS2 Transposition Tracker, progress has been uneven — some states met the deadline, others are still finalising their legislation.
The results have been anything but uniform. Several member states have used transposition as an opportunity to impose liability provisions that go substantially beyond the directive's minimum requirements.
| Country | Key Provision | Severity |
|---|---|---|
| Poland | Fines up to 300% of director annual salary; joint liability for multi-member boards | Strictest |
| Germany | Fiduciary duty breach standard; indemnity clauses explicitly voided | Very strict |
| Belgium | Three-year management ban for repeated negligence; EUR 10M fines | Strict |
| Finland | Personal liability with potential dismissal from role | Moderate |
| Italy | CEO/legal representative suspension; narrower personal scope | Moderate |
Germany stands out for its approach under Section 38 of the BSI Act (BSIG-E). German law requires directors not merely to approve cybersecurity measures but to implement them. A failure of implementation constitutes a fiduciary duty breach under general corporate law. Most notably, Section 66 of the draft NIS2 implementation act (NIS2UmsuCG) explicitly voids contractual indemnity clauses — meaning a company cannot agree to hold its directors harmless for NIS2 governance failures. As noted by Greenberg Traurig in their December 2025 analysis, this provision eliminates the most common contractual shield that directors rely on.
Poland has adopted the most severe personal penalty regime. Where a multi-member management body fails to designate a single responsible person, all members are jointly and severally liable. Individual fines can reach 300% of the director's annual salary — a provision without parallel in other member state transpositions.
Belgium combines financial penalties with professional consequences. Board members who fail to approve appropriate cybersecurity measures face personal liability, and repeated negligence can result in a three-year ban on exercising management functions. Multiple Belgian law firms, including KPMG Law Belgium and Eubelius, have confirmed that these provisions apply to individual natural persons, not merely to the management body as a collective.
The divergence in national approaches creates a particular challenge for directors who serve on boards across multiple EU jurisdictions. A director sitting on both a German and a Polish board faces two entirely different liability regimes, each with its own enforcement mechanisms and penalty structures. Cross-border directors must understand the specific transposition in every jurisdiction where they hold a management position.
The SolarWinds Precedent: A Transatlantic Comparison
The SEC's October 2023 enforcement action against SolarWinds and its CISO, Timothy Brown, offered the first high-profile test of personal director-level liability for cybersecurity governance failures. The case provides an instructive comparison with the European approach.
The SEC alleged that Brown personally made materially misleading statements about SolarWinds' cybersecurity posture to investors, failing to disclose known weaknesses in the company's security controls. The case was closely watched by compliance professionals on both sides of the Atlantic as a potential precedent for personal cybersecurity liability.
In July 2024, the US District Court for the Southern District of New York dismissed the majority of the SEC's claims, finding that many allegations failed to meet the heightened pleading standards for securities fraud. The remaining claims were dismissed with prejudice in November 2025 following O'Melveny's successful defence.
The SolarWinds outcome highlights a critical distinction. Under US securities law, regulators must prove that the individual made misleading disclosures — a fraud-based standard. The European framework operates on a fundamentally different basis. NIS2 Article 20 imposes liability for governance failure itself, regardless of whether a breach occurs and regardless of whether any misleading statement was made.
This is an objective standard. The question under EU law is not "did the director mislead investors?" but "did the director approve, oversee, and participate in the governance measures required by law?" The absence of documented governance is itself the infringement.
For directors accustomed to the US liability framework, this shift requires a fundamental recalibration. Under NIS2, a company can suffer no breach, lose no data, and experience no operational disruption — and its directors can still face personal liability if the mandated governance processes were not in place. The trigger is not the incident. The trigger is the governance gap.
The D&O Insurance Gap
Standard Directors and Officers liability insurance policies were not designed for the regulatory environment that NIS2 and DORA have created. Most traditional D&O policies contain exclusions or limitations that leave significant gaps in coverage for cyber governance liabilities.
Common exclusions include:
- Cyber-triggered liabilities — many D&O policies treat cyber events as falling under separate cyber insurance, creating a gap where governance failures related to cyber are not covered by either policy
- Regulatory fines imposed specifically for governance failures (as distinct from GDPR data protection fines, which are more widely covered)
- Penalties arising from failure to implement mandatory security measures, which insurers may classify as foreseeable and therefore uninsurable
Willis Towers Watson's 2025 analysis of the European D&O market identified cyber governance liability as the single largest emerging gap in director protection.
An emerging class of insurance products — Personal Cyber-Liability Riders — has begun to appear from specialist underwriters including Marsh, WTW, and Chubb. These riders are designed to cover the specific personal liability exposure created by NIS2, DORA, and national transposition laws.
The critical point for directors: governance failure coverage is not standard. It must be explicitly identified, negotiated, and procured. A director who assumes their existing D&O policy covers NIS2 personal liability may discover otherwise at the worst possible moment.
Aon's 2025 analysis of the European cyber insurance market noted that insurers are increasingly distinguishing between data breach liability (well-understood and widely covered) and governance failure liability (novel and often excluded). The distinction matters: a data breach triggers coverage under most cyber policies, but a finding that the board failed to approve adequate risk-management measures under Article 21 may fall into a coverage gap between the cyber policy and the D&O policy, leaving the director personally exposed.
Directors should also be aware that regulatory fines are uninsurable in several EU jurisdictions. Where national law prohibits insurance coverage for administrative penalties, a D&O policy cannot fill the gap regardless of its terms. Legal advice on the insurability of fines in each relevant jurisdiction is essential.
What Directors Must Do Now
The enforcement environment requires immediate, documented action. The following measures should be on every board agenda in 2026:
- Formally approve cybersecurity risk-management measures under Article 21 of NIS2 and document the approval in board minutes with sufficient detail to demonstrate substantive engagement. Generic approvals are insufficient — minutes should reflect that the board reviewed specific risk assessments, evaluated proposed measures, and made informed decisions.
- Complete mandatory cybersecurity training and document attendance, content covered, and competency assessment. Article 20(2) is explicit: training is an obligation, not a recommendation. Training should be tailored to the organisation's risk profile, not generic awareness programmes. Retain certificates, attendance records, and training materials as evidence of compliance.
- Establish regular ICT risk reporting to the board at a minimum quarterly cadence. DORA Article 5(6) requires the management body to be kept informed of ICT risk developments. Reports should cover the current threat landscape, incident history, risk-management measure effectiveness, and third-party ICT dependencies.
- Review D&O insurance for coverage gaps related to cyber governance liability. Obtain written confirmation from your insurer on whether NIS2 and DORA personal liability is covered. Where gaps exist, explore Personal Cyber-Liability Riders and obtain legal advice on the insurability of regulatory fines in each jurisdiction where you hold a directorship.
- Assign AI oversight responsibility to a named senior executive, with documented reporting lines to the board, to satisfy AI Act Article 4 obligations. This individual should have sufficient authority and resources to oversee AI deployment, risk assessment, and literacy programmes across the organisation.
- Document everything. The absence of documented governance is prima facie evidence of an Article 20 breach. As the European Cyber Security Organisation (ECSO) has noted, regulators will assess compliance primarily through documentary evidence of governance activities. Board minutes, training records, risk reports, policy approvals, and resource allocation decisions should all be maintained in an auditable format.
- Conduct a jurisdictional liability assessment. For directors serving on boards in multiple EU member states, commission a legal review of the specific personal liability provisions in each relevant national transposition. The divergence between member states means that a one-size-fits-all approach to director compliance is inadequate.
Best Practice Frameworks for Board Engagement
Directors seeking structured guidance should look to two established frameworks.
The NACD Director's Handbook on Cyber-Risk Oversight (2023 edition) sets out six principles for board-level cybersecurity governance:
- Directors should understand and approach cybersecurity as a strategic enterprise risk, not just an IT issue
- Directors should understand the legal and regulatory implications of cyber risk as they relate to the company's specific circumstances
- Boards should have access to cybersecurity expertise and discussions about cyber-risk management should be given adequate time on board agendas
- Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework
- Board discussions should include identification of which risks to avoid, accept, mitigate, or transfer through insurance
- Directors should encourage continuous improvement through regular assessment and adaptation
While US-focused, these principles map directly onto the governance obligations codified in NIS2 Articles 20-21 and DORA Articles 5-6.
The World Economic Forum's Principles for Board Governance of Cyber Risk provide a complementary perspective with global applicability. According to WEF research, organisations whose leadership actively follows these principles experience significantly fewer security incidents than those that treat cybersecurity as a purely technical function.
Both frameworks emphasise the same core message that NIS2 and DORA have now codified into law: cybersecurity governance is a board-level responsibility, and personal accountability follows from that responsibility.
The regulatory landscape will only become more demanding. Several member states are still finalising their NIS2 transposition, and DORA's implementing technical standards continue to evolve. Directors who build robust governance processes now will be best positioned to adapt as requirements mature. Those who delay face accumulating legal exposure with each passing quarter.
The era of cybersecurity as a technical concern delegated below the board is over. NIS2, DORA, and the AI Act have made it a matter of personal legal accountability. The directors who recognise this earliest will be the ones who are still in their positions when enforcement begins in earnest.
The question is no longer whether personal liability for cybersecurity governance failures will be enforced. It is whether your board is prepared for the moment it is.
Sources
Primary Legal Texts
- NIS2 Directive (EU) 2022/2555 — Articles 20, 21, 32, 33 — EUR-Lex
- DORA Regulation (EU) 2022/2554 — Articles 5, 6, 50, 52 — EUR-Lex
- AI Act Regulation (EU) 2024/1689 — Article 4 — EUR-Lex
National Transposition Laws
- Germany: NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz), Sections 38 and 66 BSIG-E
- Belgium: NIS2 Act (Wet van 26 april 2024), as analysed by KPMG Law Belgium, Eubelius, and GUBERNA
- Italy: Law 138/2024 (Decreto Legislativo 4 settembre 2024, n. 138)
- Finland: Cybersecurity Act (Kyberturvallisuuslaki)
- Poland: National Cybersecurity System Act amendments
Law Firm Analysis
- Greenberg Traurig: "German NIS2 Implementation — Directors' Personal Liability and Voided Indemnity Clauses" (December 2025)
- DLA Piper: "NIS2 Transposition Tracker" (ongoing)
- Linklaters: "DORA — Board Governance Obligations" (2025)
- Debevoise & Plimpton: "EU AI Act Implementation Timeline" (2025)
- Skadden: "DORA Enforcement — The First Year" (2025)
- O'Melveny & Myers: SEC v. SolarWinds Corp. et al., No. 1:23-cv-09518 (S.D.N.Y.)
Governance and Industry Bodies
- NACD: "Director's Handbook on Cyber-Risk Oversight" (2023 Edition)
- World Economic Forum: "Principles for Board Governance of Cyber Risk" (2024)
- European Cyber Security Organisation (ECSO): "NIS2 Governance Compliance Guidance" (2025)
Insurance and Risk
- Willis Towers Watson: "European D&O Market Review — Cyber Governance Gap Analysis" (2025)
- Aon: "Cyber Insurance and Director Liability" (2025)
- Chubb: "Personal Cyber-Liability Coverage for Board Members" (2025)
Case Law
- SEC v. SolarWinds Corp. and Timothy G. Brown, No. 1:23-cv-09518 (S.D.N.Y. 2023; claims largely dismissed July 2024; remaining claims dismissed November 2025)
- Australian Information Commissioner v. Optus (OAIC enforcement action, 2023-2024)