German Executives Face Personal Liability as Thousands Miss Cyber Compliance Deadline
21.06.2026 - 11:04:28 | boerse-global.de
Personal liability for company directors is among the stiffest sanctions in Germany’s transposition of the EU’s NIS-2 cybersecurity directive, and roughly 30,000 businesses in 18 sectors are scrambling to meet the registration deadline. The Federal Office for Information Security (BSI) has so far registered only about 18,500 organisations, leaving nearly 12,000 firms that have not yet complied. The clock runs out on 31 July 2026.
Management boards must formally approve and supervise the company’s cybersecurity risk-management measures, so any failure in that duty can be traced directly back to the boardroom. The German implementing act, which entered into force in December 2025, lays out two penalty tiers. For “essential entities,” fines reach up to €10 million or 2% of global annual turnover, whichever is higher. “Important entities” face penalties of up to €7 million or 1.4% of turnover. The personal accountability clause puts top executives on the hook individually, independent of the fines levied on the company.
A core compliance requirement is third-party risk management (TPRM). A report from security firm BlueVoyant found that responsibility for TPRM is scattered across German companies: in 64% of organisations the function sits outside IT, in legal, finance or procurement departments, and only 36% have placed it within IT. Despite the regulatory pressure, 96% of surveyed companies plan to expand their supplier ecosystems, and around 60% classify between 30% and 50% of their vendors as critical to operations. Yet barely half of firms currently use dedicated TPRM systems for continuous monitoring of those suppliers.
The rules extend well beyond the classic critical infrastructure (KRITIS) operators to sectors previously untouched by such obligations. Newly covered industries include machinery and plant engineering, waste management, food supply chains, and postal and courier services. Within the covered sectors, a company falls under the rules once it has at least 50 employees or annual revenue above €10 million. For the machinery sector, securing operational technology (OT) remains a weak spot, with the IEC 62443 standard serving as the usual benchmark.
Technical obligations are extensive. They include multi-factor authentication, encryption, network segmentation, and a three-stage procedure for reporting significant incidents: an early warning within 24 hours of becoming aware of the incident, a detailed incident notification within 72 hours, and a final report no later than one month after that notification. Business continuity plans must ensure rapid recovery from cyberattacks.
NIS-2 does not stand alone. From 11 September 2026, the EU Cyber Resilience Act (CRA) will oblige manufacturers to report actively exploited vulnerabilities and severe incidents, with the remaining obligations applying from December 2027. Fines there reach €15 million or 2.5% of turnover. In August 2026, the EU AI Act will add strict requirements for high-risk AI systems. Together, the three regulatory frameworks multiply the documentation and auditing burden on companies.
A Bitkom study from June 2026 underscored the awareness gap: fewer than half of the German population can correctly define basic terms such as phishing. Meanwhile, the federal government has moved on a different front. On 27 May, the cabinet approved a draft law that would allow authorities including the BSI and the Federal Criminal Police Office (BKA) to conduct “hackbacks” — active countermeasures — under certain conditions. A first reading in the Bundestag is scheduled for 25 June.
