NIS Directive – A liability trap for managing directors?

The NIS Directive has been in force since January 16, 2023 and defines EU-wide minimum standards for the protection of network and information security in critical sectors. It is to be implemented in Germany by October 17th, 2024 through the NIS Implementation and Cyber Security Strengthening Act (NIS2UmsuCG). In addition to obligations to ensure adequate cybersecurity, it also introduces the associated personal liability of corporate bodies. In particular, the prohibition of liability waivers, which is also likely to render liability exemptions and limitations ineffective with regard to claims for damages resulting from breaches of NIS obligations, will aggravate that liability. This leaves managing directors of affected companies with only one option to limit their personal liability risk: taking out D&O insurance.

NIS Directive and its implementation in Germany

Companies are now confronted with cyber threats and their effects on an almost daily basis. Europe-wide and globally networked processes, together with the increasing digitalisation of all economic sectors, are leading to greater vulnerability to external factors. IT in critical facilities and in companies of infrastructure-supporting sectors plays a key role in this. The explanatory memorandum to the German NIS2UmsuCG states: “Their security and resilience form the basis for security of supply and the functioning of the market economy. Increasing the resilience of the economy to the dangers of the digital world is therefore a central task for the stakeholders involved in the state, economy and society in order to keep Germany robust and efficient as a business location. […] The aim of the NIS Directive is therefore to introduce binding measures for public authorities and businesses to ensure a high common level of cybersecurity throughout the European Union.”

The NIS Directive must be implemented in national law by October 17th, 2024 in accordance with EU requirements. It is currently still uncertain whether the implementation deadline can be met. Although the current draft of the NIS Implementation Act suggests that it will not be implemented in national law until the beginning of 2025, it is certain that it will significantly expand the group of affected companies on the one hand and the requirements and obligations with regard to IT security standards, and the associated liability, on the other. There is currently no provision for a transitional period for the implementation of the measures. This means that NIS obligations will apply to affected companies and their corporate bodies immediately after the Act comes into force.

Obligations and liability

The NIS Directive obliges affected companies to comply with minimum cybersecurity standards. These include risk management and the implementation of measures such as policies, incident management, business continuity management, supply chain security, vulnerability management, cryptography, personnel security, access controls and more. Depending on a company’s categorisation, there may be additional obligations such as mandatory audits or registration and reporting obligations towards supervisory authorities or the public.

The NIS requirements for companies are not entirely new, but they are more far-reaching than before. In addition, the Directive reverses the reporting obligation: companies must proactively check whether they fall under the NIS Directive and, where they do, proactively submit evidence of the security standards they have implemented.

This also places increased requirements on the managers of affected companies. According to Article 20 of the NIS Directive, member states must ensure that the “management bodies of essential and important entities approve the cybersecurity risk management measures taken by those entities to comply with Article 21, monitor their implementation and can be held responsible for breaches of this Article by the entities concerned”. This provision is to be implemented in national law by Section 38 of the BSI Act. Its first paragraph adopts the wording of the NIS Directive; its second paragraph additionally stipulates that a waiver by an affected company of claims for compensation due to a breach of the obligations under paragraph 1, or a settlement of such claims by the organisation, shall be ineffective.

What does this mean for the liability of directors of affected companies?

  • Compliance with the obligations associated with NIS is part of corporate compliance. Managers of affected companies are obliged to ensure that the measures prescribed by the NIS Directive are implemented in their company. Even if auxiliary persons are involved, the management body remains ultimately responsible.
  • If directors violate the obligations associated with the NIS Directive, they are liable with their own assets, in accordance with the general statutory liability provisions, for damages arising from non-compliance with the NIS requirements. The internal liability of the executive bodies therefore arises – as with the breach of other governance obligations – from Section 43 (2) GmbHG for GmbH managing directors, Section 93 (2) AktG for management boards of stock corporations, or from special statutory provisions for managing directors of other types of companies.
  • An affected company is legally prevented from waiving or settling claims for damages against its corporate bodies. In contrast to breaches of other governance obligations, it is not at the discretion of the company concerned whether to assert and enforce claims for damages against its corporate bodies for non-compliance with the requirements of the NIS Directive. This means that not only waivers and settlements are likely to be ineffective: exemptions and limitations of liability, general settlements and even exonerations in relation to these damages also cannot be effectively agreed or granted. The legislator makes an exception only for court-proposed settlements: these should remain permissible, as in that case it can be assumed that the concession made by the company concerned is generally proportionate to the litigation risk.

In the event of breaches of corporate bodies’ duties under the NIS Directive, tried and tested protective mechanisms, such as exemptions or limitations of liability agreed in employment contracts, are unlikely to apply. Exonerations granted to the corporate body are also unlikely to help in this respect, as is a waiver by the company of the assertion of claims. Considering the high level of requirements, which are not yet regulated by law but must be implemented immediately after the NIS2UmsuCG comes into force, the NIS2UmsuCG appears to be a real liability trap for the management bodies of the 30,000 affected companies in Germany.

Adequate insurance cover is essential

The legislator itself appears to provide a solution to the problem. The explanatory memorandum to Section 38 of the BSI Act states: “The regulation is not intended to restrict the possibility of insuring the liability risk by taking out a so-called D&O insurance policy.”

This is because claims for damages due to breaches of duties under NIS fall within the scope of D&O insurance. Regardless of whether it is a corporate D&O policy or a personal D&O policy, it insures the personal liability risk arising from the professional activities of managing directors. If a board member is accused of a breach of duty and a claim is made for compensation for the financial loss caused by the alleged breach (the insured event), it is the task of the D&O insurer to examine the question of liability, to defend against unjustified claims against the manager and – if the defence is unsuccessful – to pay the compensation on the manager’s behalf.

Where both policies exist, the company policy takes effect first. Only when the sum insured under that policy has been exhausted, and the manager concerned wishes to involve their personal D&O insurance, will the personal policy also provide cover.

In addition to these typical functions of liability insurance, there are usually other cover components that can protect the manager in certain situations (e.g. covering legal costs in the event of premature termination of the employment contract prior to a claim for damages, criminal legal protection, costs to minimise reputational damage, etc.).

Conclusion

Comprehensive insurance cover is the only way for directors and officers to limit the risk of personal liability for damages due to breaches of NIS obligations. It should therefore be ensured that a D&O insurance policy with broad cover, an adequate sum insured and adequate grace periods exists in favour of the directors of affected companies. To ensure adequate insurance cover, this should be supplemented by personal D&O insurance, criminal legal protection insurance and crime insurance.


Our expert

Beata Drenker

Vice President Management Liability