Liability is no longer limited with NIS-2

NIS-2 (Directive (EU) 2022/2555) represents a significant development in the European Union's stance toward cybersecurity. It replaces the original NIS Directive of 2016, introduces stricter regulatory requirements, extends the rules to many more sectors, and had to be transposed into national law by the member states by 17 October 2024, which is where the concrete fines and liability rules described below actually take legal shape.

One of the most notable aspects of NIS-2 is what it means for the personal liability of Chief Executive Officers (CEOs) and other top-level management. Under Article 20 of the directive, the management body of an essential or important entity must approve the cybersecurity risk-management measures the organisation takes, oversee their implementation and can be held liable for infringements. In practice this puts the CEO in charge of making sure that the measures listed in Article 21 (risk analysis, incident handling, business continuity, supply-chain security, access control and multi-factor authentication, among others) are actually in place, that significant incidents are reported to the competent authority or CSIRT on the directive's timeline (an early warning within 24 hours of becoming aware of the incident, a notification within 72 hours and a final report within one month), and that risk assessments are repeated regularly rather than performed once.

NIS-2 emphasizes the need for top-level management to be directly involved in cybersecurity governance, recognizing that effective cybersecurity starts with senior leadership involvement. The directive makes this concrete: Article 20(2) requires members of the management body to follow cybersecurity training so that they can identify risks and judge the measures taken, and encourages the organisation to offer similar training to its employees on a regular basis.

Fines for essential entities can reach up to €10 million or 2% of the company's worldwide annual turnover, whichever is higher; important entities face up to €7 million or 1.4%. These administrative fines are imposed on the organisation itself, so they represent a substantial financial risk for the business and are intended to incentivize CEOs to prioritize cybersecurity within the IT budget in 2024 and beyond. The personal consequences for executives come on top of them and are covered separately, as described next.

The directive does not itself prosecute anyone; it requires the member states, when transposing it into national law, to ensure that the natural persons who are responsible for an essential or important entity or act as its legal representative can be held liable for breaching their duty to ensure compliance. Liability attaches to the failure to ensure compliance, whether or not an incident follows. For essential entities that ignore enforcement orders, supervisory authorities can additionally request that anyone at CEO or legal-representative level be temporarily barred from exercising managerial functions in the entity (Article 32(5)). This personal liability aspect underscores the importance of CEOs actively participating in their organisation's cybersecurity and emergency planning instead of delegating it entirely to the IT department.

Investing in cybersecurity has therefore become a core component of most organisations' general risk management strategy rather than a purely technical line item.

The CEO is also in a position to bridge the gap between corporate IT security and the data and engineering teams that build their own infrastructure outside of it (shadow IT). Those teams typically prioritize speed over security because corporate IT cannot meet their infrastructure and data-access demands in time; only senior leadership can resolve that conflict by funding and mandating a path that is both fast enough and secure enough.

SCHEDULE AN INITIAL CONSULTATION
