
Personal Liability of Managing Directors Under NIS2: What German SMEs Must Know

Understand the personal liability risks for German managing directors under § 38 BSIG after the NIS2UmsuCG took effect on December 6, 2025.

A professional German managing director reviewing security compliance dashboards on a modern tablet in an office, symbolizing executive oversight and personal NIS2 liability management.

The new cyber reality: the German NIS2UmsuCG is officially in force

The German law implementing the NIS2 directive, the NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG), officially entered into force on December 6, 2025[1], after the Bundestag approved it on November 13, 2025 and the Bundesrat on November 20, 2025. For managing directors and IT managers in the German Mittelstand, this marks a turning point, as the law applies without any transition period from the day of its promulgation. Affected organizations have since been under a legal obligation to demonstrate extensive security safeguards. Hesitating is legally risky, since the Federal Office for Information Security (BSI) strictly monitors compliance with the new standards and violations can be sanctioned directly.

Who in the Mittelstand is affected?

The impact on the Mittelstand is far greater than under earlier IT security laws, which focused primarily on operators of critical infrastructure. The new law now covers an estimated 29,500 companies in Germany that are active in one of the 18 defined sectors. For mid-sized businesses, a threshold of 50 to 499 employees or an annual turnover from 10 million euros generally applies in order to be classified as an important or essential entity. The affected industries include, alongside energy and water supply, the manufacturing sector, the waste management industry, food production and the chemical industry. To avoid legal uncertainty, managing directors should immediately run their own NIS2 obligation check to determine whether their company falls within the scope.

  • Companies with 50 to 499 employees in one of the 18 regulated sectors.
  • An annual turnover of at least 10 million euros or a corresponding annual balance sheet total.
  • Industries such as mechanical engineering, food production, waste management, chemicals, as well as transport and logistics companies.
  • Providers of digital services and managed IT services that are classified as an important pillar of the supply chain.

No transition periods and direct obligations

The biggest challenge for managing directors is that the law grants no grace period. The required risk-prevention measures must be implemented from day one and reflect the current state of the art. Among other things, the law requires structured risk management, business continuity concepts, the safeguarding of supply chains, and regular cybersecurity training. To solve these complex tasks pragmatically, many mid-sized businesses turn to external support. As an integrated platform, CAVRIX, operated by CITO GmbH based in Hamburg, offers tailored solutions. With the Managed IT and Cybersecurity services, companies can modernize their entire IT infrastructure while seamlessly meeting the requirements for information security.

A decisive lever of the law is the tightened responsibility of management. With the entry into force of the NIS2UmsuCG, delegating responsibility to IT leads or external service providers is no longer legally possible. Management must not only approve the security measures, but also actively monitor their implementation. In the event of breaches of duty, a heavy personal liability under Section 38 of the BSI Act (BSIG) looms, which can reach into private assets. With the CAVRIX Compliance service, companies receive structured support to document compliance with all requirements in an audit-proof manner. An integrated system ensures that all evidence for audits is always up to date and that managing directors can fulfill their statutory monitoring obligation. Anyone who does not act now risks, alongside cyberattacks, considerable fines as well.

Under the microscope: three non-delegable duties of management under § 38 BSIG

With the entry into force of the German NIS2 Implementation Act (NIS2UmsuCG) on December 6, 2025, the legal situation for managing directors in the German Mittelstand has drastically tightened. Cybersecurity has been declared a matter for the boss by law. The central lever for this new regulation is § 38 BSIG, which establishes a direct personal liability of management. Managing directors of small and mid-sized companies under 500 employees can no longer simply pass off responsibility for IT security. Instead, the law sets out three concrete, non-delegable duties, for the disregard of which executives are directly liable with their private assets[2]. A sound understanding of these duties is the first step toward minimizing your own risk and establishing legally compliant NIS2 compliance.

1. Formal approval of risk management measures

The first core duty requires that management formally approves the risk management measures taken by the company in the area of cybersecurity. This means that managing directors must actively sign off on security concepts, contingency plans and technical protective measures. Mere acknowledgment is not enough. The responsibility lies in ensuring that the measures correspond to the actual threat scenario of the business. CAVRIX supports companies in this through the Compliance and Cybersecurity modules, which prepare all necessary security evidence and technical reports in a structured way, so that managing directors can make well-founded decisions.

2. Active monitoring of implementation

The mere approval of security concepts is legally worthless if their practical implementation in everyday operations is not checked. Managing directors are obliged to continuously monitor the actual implementation of the protective measures. They must ensure that security policies are lived out, updates are applied regularly, and security incidents are documented. Through the CAVRIX Command Center, those responsible receive a clear, real-time overview of their security status and the fulfillment of all compliance requirements, directly within their everyday communication channels.

3. Regular cybersecurity training obligation

As a third duty, § 38 BSIG stipulates that the members of management must personally attend regular training on the topic of cybersecurity[2]. The goal of this statutory requirement is to anchor the necessary knowledge at the executive level so that risks can be realistically assessed and appropriate defense methods evaluated. This training obligation is absolutely personal and cannot under any circumstances be delegated to the IT lead or to external consultants.

  • Approval: formal and written sign-off of all cyber-related risk management measures by management.
  • Monitoring: continuous control of the actual implementation in the company to fend off acute cyber threats.
  • Training: mandatory personal participation in further education to demonstrate one's own cyber-risk competence.

To meet these strict duties without additional administrative effort, German SMEs rely on holistic solutions. With CAVRIX, operated by CITO GmbH in Hamburg, you receive Managed IT, Cybersecurity and Compliance from a single source and are protected in a NIS2-compliant way from day one.

Personal liability and private assets: no shield from the legal form under NIS2

Many managing directors in the German Mittelstand lull themselves into a false sense of security and assume that the limited liability of a GmbH protects their private assets in the event of a cyberattack. The German NIS2 Implementation Act (NIS2UmsuCG), which entered into force on December 6, 2025, however, finally clears up this misconception. Through the newly introduced § 38 of the BSI Act (BSIG), the personal liability of management is anchored directly and in a form that cannot be contracted away[3]. If a serious security incident occurs due to negligence regarding the prescribed cybersecurity measures, managing directors are directly liable to their own company with their entire private assets for the resulting damages.

Why liability exclusions and waivers are ineffective

A common attempt to circumvent this personal risk consists of agreeing on liability relief in the managing director's employment contract or through shareholder resolutions. The NIS2UmsuCG, however, puts a statutory stop to this. Under § 38 BSIG, agreements that limit or exclude the liability of management in advance are legally ineffective[4]. The duties to implement and monitor these measures are a core component of the required NIS2 compliance and absolutely non-delegable. This means that managing directors cannot claim to have handed responsibility over to an external service provider or the internal IT department without continuously monitoring and documenting their work.

Traditional misbelief (myth) | Legal reality under NIS2
The GmbH limited liability protects my private assets in the event of IT security incidents. | In the event of breaches of duty under § 38 BSIG, managing directors are personally and unlimitedly liable to the company with their private assets.
I can have liability excluded through an agreement with the shareholders. | Liability waivers or agreements to limit liability in advance are statutorily void and legally ineffective.
Responsibility lies entirely with the IT lead or our external IT service provider. | The implementation and monitoring duties are non-delegable; management retains ultimate responsibility.

To effectively protect themselves against damage claims and personal liability, managing directors must establish demonstrable monitoring and control processes. Complete documentation is the only way to refute the accusation of negligence if it comes to the worst. This is where modern solutions come in: with its integrated services for Managed IT, Cybersecurity and Compliance, CAVRIX offers a platform that automates and documents compliance with the legal standards end to end. Through the Command Center, managing directors and IT leads keep an overview of the security status at all times and, in an emergency, receive immediate, audit-compliant reports that can serve as evidence of exoneration.

Heavy fines: the financial risks for companies and management

Violations of the statutory requirements of the NIS2 directive are not mere petty offenses, but represent an existence-threatening financial risk for mid-sized companies. The German Implementation Act (NIS2UmsuCG) provides for draconian fines in the event of breaches of duty, which are directly tied to the global turnover of the affected company. For particularly important entities, the fine ceiling is up to 10 million euros or 2 percent of the global annual turnover of the previous financial year, whichever amount is higher[5]. Important entities, to which many mid-sized businesses belong, must reckon with fines of up to 7 million euros or 1.4 percent of their global annual turnover. In an emergency, these enormous sums can mean the economic insolvency of a mid-sized company.

The statutory fine tiers under the new BSIG

Entity category | Maximum fine (absolute ceiling) | Maximum fine (percentage ceiling)
Particularly important entities (e.g. operators of critical installations) | Up to 10,000,000 EUR | 2% of global annual turnover
Important entities (e.g. many mid-sized businesses from 50 employees) | Up to 7,000,000 EUR | 1.4% of global annual turnover

The law, in force since December 6, 2025, does not, however, only tighten the sanctions for the legal person of the company. Under § 38 of the revised Act on the Federal Office for Information Security (BSIG), management bears a personal, non-delegable responsibility for risk management. In an emergency, this leads to direct managing director liability, in which managing directors must answer with their private assets for failures in IT security. A waiver by the company of damage claims or a blanket liability indemnification is explicitly excluded by law, which further increases the pressure on management.

Targeted protection against liability risks with CAVRIX

To effectively minimize these massive risks, managing directors and IT leads need a complete and legally compliant implementation of all security requirements. As an AI-native platform for the Mittelstand, CAVRIX offers a comprehensive solution that covers all core areas. The combination of the services Managed IT, Cybersecurity and Compliance ensures end-to-end NIS2 compliance from day one. Operated by CITO GmbH in Hamburg, CAVRIX unites state-of-the-art detection technologies with human expertise to proactively prevent and seamlessly document security incidents. Through the Command Center, those responsible retain full control and can retrieve evidence for audits at the push of a button.

  • Automatic capture and structured storage of evidence for fulfilling the duties of care under § 38 BSIG.
  • Continuous real-time monitoring of the entire IT infrastructure via the Command Center for the proactive defense against threats.
  • Establishment of robust security measures that minimize the risk of operational outages and the associated damage claims.
  • Reliable compliance with all requirements without additional administrative effort for the internal IT teams.

Five practical measures to protect against personal liability

Since the entry into force of the NIS2 Implementation Act (NIS2UmsuCG) on December 6, 2025, the responsibility for cybersecurity in the German Mittelstand has fundamentally shifted[3]. Under Section 38 of the Act on the Federal Office for Information Security (BSIG), managing directors bear a direct, non-delegable responsibility for the implementation and monitoring of security measures. If management culpably breaches these duties, a personal liability of management toward its own company looms, which cannot be excluded in advance[3]. To minimize this risk, building a complete, audit-proof documentation trail of one's own monitoring activities is absolutely essential.

Structured protection in five steps

  1. Document formal approvals: every sign-off on security concepts, risk analyses and IT security policies must be formally carried out by management and archived completely, in order to demonstrate active involvement.
  2. Set up a KPI dashboard: managing directors need a continuous overview of the company's security metrics, such as patch status, detection rates or security incidents, in order to fulfill their statutory monitoring obligation.
  3. Complete certified training: management must regularly attend specific cybersecurity training in order to competently assess the company's risk situation.
  4. Carry out partner assessments in the supply chain: since the statutory requirements also cover security in the supply chain, the security standards of suppliers and service providers must be systematically queried and assessed.
  5. Use automated compliance tracking: manual processes are error-prone and tie up considerable resources. Automated capture of compliance evidence ensures that all legal requirements are continuously met and documented.

The implementation of these five measures can be considerably simplified through the targeted use of modern software solutions. With the Compliance product, CAVRIX offers mid-sized companies an integrated and user-friendly platform that automates the demanding evidence process and seamlessly captures all data relevant to external NIS2 compliance audits. Through this continuous monitoring, the current status of all technical and organizational security measures as well as the company policies can be transparently traced at all times, which effectively minimizes the liability risks of management and noticeably reduces the administrative effort in everyday work[6].

Criterion | Manual administration | Automated solution
Evidence keeping | Manual spreadsheets and scattered emails, high error risk during audits | Central compliance register with automatic evidence collection
Time effort | Several hours per week for queries and manual documentation | Background processes reduce the administrative effort to a minimum
Monitoring obligation | Limited visibility of IT security outside of sporadic reports | Real-time metrics at management level for fast decisions

To handle the comprehensive statutory security safeguards in daily operations without additional personnel effort, managing directors can draw on the seamless interplay of Managed IT and Cybersecurity. Through the intuitive Command Center, the responsible actors gain a direct and clear overview of the current security status of all systems and can retrieve required compliance reports at any time through a simple dialogue. This enables managing directors and IT managers of mid-sized companies in Germany to pragmatically integrate the strict statutory requirements of the NIS2UmsuCG into operations and to effectively and permanently protect themselves against personal liability in the event of damage.

How CAVRIX safeguards your SME and automates management compliance

Managing IT security and regulatory requirements in-house is associated with immense risks and high complexity for the German Mittelstand. Smaller and mid-sized companies with fewer than 500 employees in particular face the challenge of having to implement complex requirements without their own highly specialized IT department. With the entry into force of the German NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) on December 6, 2025, the risk for the executive level has drastically tightened. The days when IT security could be pushed off to external service providers as a pure project topic are finally over.

The new reality: personal liability under § 38 BSIG

Under § 38 of the BSI Act (BSIG), the management of particularly important and important entities now bears a direct, non-delegable personal responsibility for the cybersecurity of their company[7]. In the event of culpable breaches of duty, managing directors and IT leads are personally liable with their private assets for the resulting damages[3]. Shifting this liability or a blanket waiver by the company is excluded by law. This new regulation forces SME executives to actively engage with their security level and to document the implementation of the required measures completely, in order to avoid personal liability.

  • Implementation duty: management must actively introduce and steer the prescribed risk management measures in the area of cybersecurity.
  • Monitoring duty: it is not enough to establish security measures once; management must continuously monitor their effectiveness.
  • Training duty: the members of management are legally obliged to attend training regularly in order to acquire the knowledge necessary to assess cybersecurity risks.

Integrated safeguarding: Managed IT, Cybersecurity and Compliance

As an integrated, AI-native platform for IT operations and security, CAVRIX solves this regulatory and operational burden for the Mittelstand. Operated by CITO GmbH in Hamburg, the system unites Managed IT, Cybersecurity and Compliance under a single roof. Instead of juggling several service providers, managing directors and IT managers receive a single point of contact. This means: your company is set up technologically and organizationally from day one at a level geared toward NIS2 compliance, since all security measures mesh seamlessly.

The steering and complete monitoring of all measures takes place centrally through the Command Center. This AI-native user interface enables management and IT leads to query the current security status and upcoming tasks in everyday communication tools such as Microsoft Teams or Slack. The system fully automatically generates the audit trails and complete documentation required by auditors and authorities. This way, you provide the legal evidence of your monitoring obligation without manual additional effort and are optimally protected against personal liability claims in an emergency.

Duty under § 38 BSIG | Challenge for SMEs | Solution through CAVRIX
Introduction of security measures | Lack of internal specialists and complex risk management | Integrated services for Managed IT and Cybersecurity cover all requirements
Ongoing monitoring | Round-the-clock real-time security monitoring is barely feasible manually | Central monitoring and alerting in the Command Center ensure complete control
Complete evidence obligation | Manual creation of audit reports costs a lot of time and is error-prone | Automatic generation of audit-proof reports and audit trails via Compliance

Frequently asked questions

When did the NIS2 implementation act enter into force in Germany?

The German NIS2 Implementation Act (NIS2UmsuCG) officially entered into force on December 6, 2025, following its passage by the Bundestag.

Can managing directors delegate their NIS2 compliance obligations?

No. Under § 38 BSIG, the core responsibilities to formally approve security measures, monitor their execution, and undergo training must be performed personally by the managing directors.

Are SME managing directors in Germany personally liable under NIS2?

Yes. If an organization suffers damage from a cyber attack due to a negligent breach of § 38 BSIG duties, managing directors are personally liable to the company with their private assets.

Can a company waive or limit the managing director's liability under § 38 BSIG?

No. Section 38 BSIG explicitly states that any agreements or articles of association attempting to exclude, waive, or limit this liability are legally invalid.

What are the maximum fines for NIS2 non-compliance in Germany?

Maximum fines reach up to 10 million euros or 2% of annual global turnover for particularly important entities, and up to 7 million euros or 1.4% of turnover for important entities.

How can managing directors protect themselves from personal liability under NIS2?

Directors can protect themselves by establishing a clear evidence trail. This includes documenting all security approvals, setting up KPI-based monitoring, and completing certified training.

Sources

  1. secjur.com
  2. ask-akademie.de
  3. knpp.de
  4. cortina-consult.com
  5. taylorwessing.com
  6. dataguard.de
  7. nis2-umsetzung.com
