NIS2 Puts Managers in the Hot Seat

Christian Hörper


The new rules mean senior executives face increased scrutiny, greater personal liability, and must pay close attention to the role of D&O insurance in this new era of digital risk.

As digital transformation accelerates, effective governance, compliance, and risk management are now essential for sustainable success. Christian Hörper, Competence Centre Manager Deputy for Financial Lines at GrECo International, examines the wide-ranging impact of the EU’s NIS2 Directive on company management.

Managerial Accountability Under NIS2

Companies across the EU are facing new cybersecurity requirements with the introduction of the NIS2 Directive. The Directive places explicit responsibility on company management, significantly extending personal liability for management bodies.

A key question arises regarding D&O insurance: how important is the typical exclusion for “deliberate breach of duty”? This exclusion could mean the insurer is not obliged to pay in the event of a claim – a sensitive issue with potentially severe consequences for managers.

More Than Just IT Security

The NIS2 Directive aims to ensure a high, common level of cybersecurity across the EU. It requires certain companies, especially operators of critical infrastructure, to implement comprehensive security measures – both technical and organisational. These include binding minimum standards for risk management, incident response, training, and compliance with specific reporting obligations.

Responsibility for implementing NIS2 lies squarely with management: they must identify risks, take appropriate action, and ensure compliance. Failure to do so can result in fines and personal liability. This is where D&O insurance becomes crucial.

The Role of D&O Insurance: Protection with Limits

D&O insurance is designed to protect company management from financial losses arising from breaches of duty in their roles. It typically covers legal defence costs and any damages that must be paid by the insured person. However, this only applies if there are no grounds for exclusion.

The main issue is the exclusion for “deliberate breach of duty”, which can completely remove insurance cover – for example, if legal requirements such as the NIS2 Directive are knowingly ignored.

A relevant factor in this context is workplace culture. IT departments often take on the role of the “fire brigade”, which must be ready for action around the clock. Contingency plans, on-call services and the expectation of being available outside of regular working hours add to the pressure.

What Does “Deliberate Breach of Duty” Mean?

A deliberate breach of duty occurs when a manager knowingly fails to fulfil a duty, understanding both the duty and the violation. This exclusion is especially relevant for breaches of so-called cardinal duties – core professional responsibilities that management is expected to know.

For instance, if a company skips a required security measure for budget reasons and a cyber incident occurs, the managing director could be held personally liable. In such cases, discussions with the D&O insurer are inevitable, and it is crucial to determine whether there is a direct link between the breach and the damage.

Even if a manager is not directly responsible for IT security, they can still be liable for inadequate oversight of colleagues. The “deliberate breach of duty” exclusion may still apply.

NIS2 as a Liability Trap

NIS2 sets clear requirements for management. If a manager fails to implement IT security measures, despite knowing the legal requirements, this could be seen as a deliberate breach of duty. In such cases, the typical D&O insurance exclusion may apply, with serious consequences for the organisation.

Decision-makers must understand that they are ultimately responsible for implementing NIS2 requirements and cybersecurity measures – even if tasks are delegated to specialist departments or external providers.

It is also important to note that, in Austria, statutory fines are not insurable. If a company is fined due to a management breach and seeks recourse against the manager, the law generally prevents the company from reclaiming these penalties from decision-makers or employees.

  • Document and comply: Keep records of all measures taken to implement NIS2. This can help refute accusations of knowing breaches.
  • Indemnification: If legal requirements cannot be met for financial reasons, obtain written release from liability from the company or owner.
  • Check insurance conditions: Review your D&O policy for exclusions and gaps in cover.
  • Training and awareness: Stay up to date with legal developments and safety requirements. Ignorance is no defence against liability.

Proactive Leadership Is Key

The NIS2 Directive brings new obligations – and new risks – for managers. Personal liability is real, and D&O insurance does not guarantee protection. The exclusion for “deliberate breach of duty” can lead to disputes with insurers and, in the worst case, financial catastrophe for decision-makers. It is more important than ever to take the Directive seriously, act proactively, identify risks, and implement countermeasures in good time.


Christian Hörper

Competence Centre Manager Deputy for Financial Lines
GrECo International

T +43 5 04 04 260
