NIS2 and DORA: Managers Are Liable for Cybersecurity

Why NIS2 and DORA are a matter for management

Introduction

Manager liability in connection with undetected cybersecurity incidents in Europe is subject to different legal frameworks, which can vary depending on the country and industry. NIS2 (Network and Information Systems Directive 2) and DORA (Digital Operational Resilience Act) are now intended to standardize the specific legal framework and regulations at the European level and provide new guidelines for the management of corporate cyber risks, the reporting of attacks, but also for the liability of managers in the event of cybersecurity breaches.

Both the NIS2 Directive and DORA officially came into force on January 17, 2023. In order for the NIS2 Directive to become legally binding for the companies concerned, it still needs to be incorporated into the respective legislation of the EU member states; the deadline for this is October 17, 2024.

In contrast to NIS2, DORA is an EU regulation and, as such, does not need to be transposed into the national law of the EU member states in order to become enforceable. It will be fully enforceable on January 17, 2025, two years after its entry into force.

Under both policies, managers and executives can be held accountable for cybersecurity breaches if they are found to have failed to take reasonable steps to prevent or mitigate such incidents or to implement appropriate cybersecurity policies and risk-based programs to manage vulnerabilities in networks, resources and assets. Liability will vary depending on factors such as the nature and severity of the breach, industry and local jurisdiction.

Management obligations and liability arising from NIS2

NIS2 extends the scope of the original directive to companies in many additional sectors, regardless of their size, such as transportation, financial market infrastructure, pharmaceuticals and medical technology, chemicals, public administration and many more. The broader scope results from the way NIS2 classifies entities as either "essential" (e.g. energy, transportation, banking and healthcare) or "important" (e.g. postal and courier services, waste management, etc.), a classification that covers more sectors and services than before.

With regard to manager liability for undetected cybersecurity incidents, managers can be held legally responsible if it is proven that they have neglected their duty of care for their company's cybersecurity. This can occur, for example, through inadequate implementation of security measures, insufficient risk assessment or a lack of contingency plans. NIS2 requires a company's management to review its cybersecurity risk management continuously, adjust it where necessary, and monitor both its implementation and internal compliance with it. Senior management must therefore acquire sufficient knowledge of cyber risks to assess the proposed measures and, above all, to realistically estimate the potential damage, including damage beyond their own company's boundaries. Constant and close communication with the IT teams is crucial here, especially as cyber risks change constantly and require corresponding adjustments to cybersecurity risk management.

Coordination between management and IT

Two key management obligations must be observed:

1. Operational and organizational measures are required to manage security risks related to network and information systems, together with preventive measures that minimize their potential impact.

2. The competent authorities must be informed immediately of any incident that significantly affects the company's operations or the services it provides. Where appropriate, entities must also inform the recipients of the service of any significant event that could negatively affect the provision of the (critical) service.

Strict sanctions

The NIS2 Directive stipulates that network and information systems and their physical environment must be protected against incidents. As a minimum, companies must adopt internal policies on risk analysis and IT security covering, for example, incident handling, disaster recovery, supply chain security, security of network and information systems in procurement, access controls and access management. (More can be found in our NIS2 blog.)

Violations of the NIS2 requirements will result in national penalties, fines and sanctions as set out in Articles 34, 35 and 36. For critical sectors, penalties for breaches of Article 21 or 23 (relating to cybersecurity measures and notifications) may be up to a maximum of at least EUR 10 million or 2% of global turnover. For important sectors, the penalties for breaches of Article 21 or 23 can be up to a maximum amount of at least EUR 7 million or 1.4% of global turnover.

The NIS2 Directive also introduces a significant innovation by placing direct obligations on "management bodies" to ensure a high level of accountability for compliance with cybersecurity requirements. Although NIS2 does not clearly define who is considered a member of a "management body", board members and certain senior executives are likely to fall within its scope.

Why managers are NIS2-liable: in detail

Management bodies of essential and important entities must approve and oversee the implementation of the cybersecurity risk management measures required under NIS2 and may be held personally liable if the company fails to adopt and comply with such measures. Essential and important entities are also required to notify the competent authority and, where applicable, inform their service recipients of any cyber incident with a significant impact.

These are incidents that have caused or may cause serious operational disruption or financial loss to the entity, or have caused or may cause significant material or immaterial damage to other (natural or legal) persons.

The timelines for reporting incidents include an early warning, which must be submitted to the authority within 24 hours of becoming aware of the incident, a more detailed and formal incident report within 72 hours and a final report one month after the submission of said incident report.

In addition, entities must respond to requests from the authority for status updates and submit progress reports where requested. The competent authority may also compel the entity to inform the public about the significant incident or to make a public statement about it.

As a result, governing bodies such as the CEO can be held personally liable for breaches of cybersecurity rules, exposing them to significant potential penalties. Although such penalties are subject to the rules of individual EU member states, NIS2 stipulates that they must be "effective, proportionate and dissuasive". One possible penalty could even be suspension from the board.

DORA

On the same day as NIS2, the related EU legislation, the new EU Digital Operational Resilience Act ("DORA"), also came into force. It consists of an EU Regulation and an EU Amending Directive and aims to harmonize the cybersecurity and resilience of IT systems used by the financial services industry.

Sector-specific cyber rules for the financial services industry:

Like NIS2, DORA aims to create a high common standard for digital resilience by establishing uniform criteria for the security of networks and information systems. This covers the establishment of a risk management framework that "ensures effective and prudent management of the rapidly evolving threat landscape", the reporting of significant ICT-related incidents and of notable operational or security incidents related to payments, digital operational resilience testing, and provisions for contractual agreements between third-party ICT providers and financial institutions. DORA also sets out requirements for third-party providers, for example those offering cloud services to financial institutions.

While DORA does not explicitly state how management is liable under the regulation, the responsibility for implementing a standardized risk management framework, establishing processes for identifying, handling and reporting incidents, and arranging third-party audits lies with management. Compliance is supervised by the regulatory authorities and enforced through measures such as the public designation of companies and, where applicable, of the responsible persons who are sanctioned in the event of violations.

How can I protect myself and my company from sanctions? What steps should I take?

  • It is essential that companies check now whether they fall within the scope of the NIS2 Directive or the DORA Regulation. If so, they should ensure compliance with the directives by implementing agreed cybersecurity measures.

  • Familiarize yourself with the requirements that apply to you and carry out an analysis of the current situation.

  • Appoint a cyber security officer at management level. As the management bears responsibility in the event of an inspection, it is crucial to assign this responsibility at this level.

  • Follow a structured approach to risk management. This includes systematically addressing issues of business continuity, crisis management and supply chain security. Develop policies and procedures for cyber security risk management measures.

  • Establish a well-organized incident management system to ensure that you are able to meet the requirements for detecting, taking appropriate action and reporting incidents within the specified deadlines.

  • Implement the necessary training procedures and ensure that relevant training is also provided to employees.

  • Conduct a comprehensive assessment of the risks to the security of the network and information systems the entity uses for its business activities or for the provision of its services.

  • Conduct annual cybersecurity audits.

  • Outsource your risk to a Managed Security Operations Center if in-house expertise is lacking.

  • Implement security measures to protect network security and information systems.

  • Use Network Detection and Response as a key tool for effective network monitoring in accordance with NIS2 and DORA.

Many regulations, one efficient solution

To meet the challenges of NIS2 and DORA and to ensure the security and resilience of their networks and information systems, Network Detection and Response (NDR) solutions offer various benefits for organizations that need to ensure compliance, including:

  1. Visibility: NDR solutions provide comprehensive visibility into network traffic, enabling organizations to identify potential threats and vulnerabilities before they can be exploited.

  2. Detection: By continuously monitoring network traffic, NDR solutions can detect and alert organizations to suspicious activity such as unauthorized access attempts or data exfiltration.

  3. Response: NDR solutions enable organizations to respond quickly and effectively to potential threats by initiating incident response procedures.

  4. Compliance: NDR solutions help organizations comply with reporting requirements under NIS2 and DORA by providing detailed logs and reports of network activity and incidents.

Summary

Manager liability for undetected cybersecurity incidents in Europe varies depending on the legal framework and industry. To create uniform rules, the NIS2 Directive and the Digital Operational Resilience Act (DORA) were introduced; they set out specific obligations for managers in the event of cybersecurity breaches.

The NIS2 Directive came into force on January 17, 2023 and must be implemented by EU member states by October 17, 2024. Managers can be held personally liable for breaches and sanctions may include fines and/or management restrictions. Companies should take appropriate measures, including training, risk assessments, implementation of cybersecurity measures and incident reporting, to ensure compliance. This is particularly important as non-compliance can lead to significant fines.

To protect themselves from NIS2 sanctions, companies should review the scope, appoint a cybersecurity officer, take a risk-based approach, implement security measures, introduce an incident management system, and take a structured approach to risk management. For guided steps on how to do this, download our NIS2 action plan & checklist!

Author: Michael Tullius, Sales Director, Germany

Email: michael.tullius@exeon.com

Published on: 18.01.2024