German Executives Now Personally Liable for Cybersecurity Failures Under Stricter NIS2 Rules

06.06.2026 - 01:14:14 | boerse-global.de

Germany's NIS2 implementation law holds executives personally liable for cybersecurity gaps, transforming risk management into a boardroom duty amid rising attacks and cloud vulnerabilities.

When Germany’s NIS2 implementation law took effect around the turn of the year, it did more than tighten technical standards. It placed executives squarely in the legal crosshairs. Company boards now face personal liability for gaps in risk management — a shift experts describe as transforming cybersecurity from an IT concern into a core governance duty.

“Protecting the company has become a boardroom priority,” said Friedrich P. Kötter of KÖTTER Security, speaking at the STATE OF SECURITY conference in Berlin on June 3. The law, formally known as NIS2UmsuCG, was passed in November 2025 and applies to any business with at least 50 employees or €10 million in annual revenue operating in regulated sectors such as energy, transport or manufacturing. Organisations must self-identify whether they qualify as “especially important” or simply “important” facilities.

The legal teeth come from a clear accountability chain: senior management bears personal responsibility for compliance. That message landed hard on an audience already grappling with relentless attack data. Deloitte’s Global Future of Cyber Survey found that 97 percent of large companies in Germany, Austria and Switzerland reported cyber incidents last year, with over 60 percent hit by six or more attacks. Nearly two-thirds of firms plan to raise their security budgets; on average, 19 percent of IT spending already goes to cybersecurity.

Cloud environments are a particular worry. Under the shared-responsibility model, providers secure the infrastructure, but clients must protect their own data, applications and configurations. Misconfigurations and weak access controls remain top risk factors. In 2025 alone, almost 50,000 new vulnerabilities were published — a stark reminder that continuous auditing is no longer optional.

Physical safety remains a parallel challenge. Deutsche Bahn recorded roughly 2,690 assaults on staff in 2025, an 11 percent increase. In June, the railway operator began a multi-month trial of protective helmets for mobile support teams in Berlin. Meanwhile, the DGUV Barometer Arbeitswelt 2026 reiterates workplace first-aid requirements: firms with two to 20 employees must have at least one first aider on site; in larger administrative offices the quota is 5 percent of those present, and in other workplaces 10 percent.

Recent court rulings are also sharpening compliance expectations. In late May, the Lower Saxony State Labour Court dismissed a damages claim brought by two managers under Germany’s whistleblower protection law (Hinweisgeberschutzgesetz). The decision made clear that legal protection only applies when reports are submitted through designated channels and within the prescribed deadlines. Further administrative adjustments loom: the cabinet approved amendments to the General Equal Treatment Act (AGG) on May 6, extending the time limit for filing discrimination lawsuits from two to four months and broadening safeguards against harassment and sexual misconduct.

To help leaders navigate this denser regulatory landscape, a specialised digital course on nuclear safety culture — targeting executives in high-risk sectors — is scheduled for November and December. The message from Berlin is unambiguous: cybersecurity and workplace safety are no longer optional line items; they are personal obligations written into law.
