The NIS2 Directive emphasizes the personal responsibility of managers
The NIS2 Directive is the piece of EU legislation that sets requirements for strengthening network and information security (NIS 2), which makes now an excellent opportunity to prepare and to strengthen our cyber defence capabilities.
In an increasingly digitized world, where cyber threats lurk behind every click, the concept of liability in the event of an incident is undergoing a significant change. Company executives and IT managers are now personally liable for cybersecurity lapses. This significant change is gaining strength within the European Union's NIS 2 regulatory framework. Imposing personal responsibility on decision-makers will spark much-needed resolve in strengthening cyber resilience.
As security breaches make headlines in the media, among businesses and consumers, the call for reform has never been stronger. With potential financial penalties guaranteed by the requirements in NIS 2 hanging over individuals and not just corporations, there is a palpable sense that this new approach could be the catalyst needed to raise cyber security standards across industries.
The implications of these emerging EU rules will not only lead to a change in corporate governance and attitudes but will also lead to an improvement in the overall level of protection in the EU's critical infrastructure against an ever-evolving threat landscape, including through the training requirements of the Cybersecurity Act.
The new wave of responsibility can serve as a catalyst to foster a culture of cybersecurity awareness within organizations. Executives will need to support training programs that increase employees' understanding of potential threats while implementing technologies that improve defences against relentless cyberattacks. By prioritizing sustainable practices at all levels, from the C-level to entry-level employees, companies can transform their approach to risk management into an embedded aspect of corporate strategy rather than an afterthought driven by compliance mandates. Essentially, this shift creates an opportunity for leaders not only to protect their organizations from external threats but also to empower their teams with the knowledge and tools needed to defend against them effectively.
Cybersecurity experts have a crucial role in implementing Network and Information Security 2 (NIS 2) in organizations. Their knowledge and experience are valuable to the development, implementation and maintenance of security policies, procedures and processes. Furthermore, they must be placed at the centre of training and of programs that increase preparedness against potential cyberattacks. Achieving compliance with NIS 2 requires updating the knowledge and skills of specialists, both in the field of cyber security and in the IT field in general. This can only be achieved with the support of the company's management, at all levels, throughout the entire process.
What are the sanctions and penalties?
The EU is strengthening its regulatory framework and, under NIS 2, emphasizing the personal liability of managers and executives for information security breaches. With potential consequences extending far beyond financial penalties, decision-makers may face not only reputational damage but also increased scrutiny from the competent authorities, shareholders and other interested parties. This dynamic situation requires leaders to take a proactive stance towards cyber resilience, ensuring that robust systems are in place to protect against breaches that could compromise sensitive data or operational integrity.
Fines for corporate entities for non-compliance with NIS 2 depend on whether the directive classifies them as 'essential' or 'important'.
(1) An administrative body that fails to implement a coercive administrative measure shall be fined BGN 10,000 to BGN 100,000.
(2) In case of repeated violation under para. 1, the penalty is a fine of BGN 20,000 to BGN 200,000.
The pecuniary sanctions imposed on the essential and important entities under this Article in relation to violations of the law shall be effective, proportionate and dissuasive, taking into account the circumstances of each specific case.
- An essential entity that fails to fulfil its obligations is punished with a pecuniary penalty of BGN 200,000 to 2% of the total worldwide annual turnover for the previous financial year of the enterprise to which the essential entity belongs, but not less than BGN 20,000,000.
- An important entity that fails to fulfil its obligations is punished with a pecuniary penalty of BGN 100,000 to 1.4% of the total worldwide annual turnover for the previous financial year of the enterprise to which the important entity belongs, but not less than BGN 14,000,000.
In case of violation of Art. 21, the managers or members of the management bodies of the essential and important entities are subject to a property sanction in the amount of BGN 1,000 to BGN 100,000.
Coercive administrative measures are imposed on an essential or important entity to stop a violation of the law, in accordance with a prior decision of the competent authority.
In case of failure to comply with any of the imposed measures, periodic pecuniary sanctions of BGN 5,000 for each day of non-compliance are imposed on the essential or important entity (Bulgaria).
For failure to take the actions determined under the Law, the competent national authority may request a court or other state authority to impose a temporary ban on any natural person performing managerial functions, or acting as a legal representative, in the essential entity from exercising managerial functions in that entity.
The law is categorical:
Art. 27 k. (5) Any person responsible for an essential or important entity, or acting as its legal representative on the basis of authority to represent it, make decisions on its behalf or exercise control over it, shall have the necessary powers to ensure compliance with the law. All the measures provided for both the essential and the important entities apply to these persons. These individuals may be held liable for failure to fulfil their obligations to comply with the law. This paragraph does not affect public administration as regards the liability of civil servants and elected or appointed officials.
Important steps to implement the NIS 2 Directive
From a technological point of view, the new cybersecurity law, Network and Information Security (NIS 2), sets specific requirements for businesses and for the IT industry as a whole. Organizations will need to invest in advanced information security management technology, automated threat detection solutions and reliable data backup mechanisms.
To ensure successful compliance with the NIS 2 cybersecurity requirements, companies must first conduct a thorough analysis of their current state. This process includes identifying weaknesses in their systems, determining the likelihood of cyber-attacks and assessing the possible consequences. A professional assessment will help establish customized approaches to mitigating risks and strengthening cyber resilience.
After conducting the analysis, companies need to develop a strategy for complying with the requirements of the regulatory framework. This strategy should include specific actions, goals and time frames that will ensure their gradual adaptation to the new requirements of NIS 2. Methodically planning and building an appropriate approach will contribute significantly to the achievement of cybersecurity goals.
Conclusion
With the adoption of the NIS2 Directive, it is clear that cyber security is essential for every business. The challenges associated with implementing the directive should not be underestimated; preparation and compliance with its requirements must therefore come first. Personal liability for lapses under EU rules and the need for better network and information security (NIS2) are becoming integral components of successfully strengthening cyber resilience.
We can conclude that new times are coming, bringing new responsibilities and changes. Cybersecurity is no longer the responsibility of the InfoSec manager alone. Top-level executives should be actively involved in creating and managing the company's overall cyber strategy.
If you need advice or training, or have questions about the Cybersecurity Act 2024, please contact us.