Management body change — transferring NIS 2 responsibility safely
When the CEO or Geschäftsführer (managing director) leaves, the §38 BSIG training duty does not leave with them. Three things have to happen at handover, or personal liability transfers to the successor without the knowledge that should accompany it.
Why handover is the most overlooked NIS 2 moment
Most entities prepare for the day NIS 2 first applies to them. Few prepare for the day the person who owns the implementation hands it on. That moment is where §38 BSIG personal liability quietly transfers, where BSI registration data goes stale, and where signed risk acceptances become orphaned.
Under Art. 20 NIS 2 the management body 'can be held liable' for infringements. Liability attaches to the role, not to the person. The incoming Geschäftsführer inherits everything the outgoing one approved, including risks they have never been briefed on. The handover protocol exists to make that briefing happen on the record.
There is no separate NIS 2 handover regulation. The duties come from three places: the §33(5) BSIG 2-week update rule for registration data, the §38 BSIG training duty for the new management body member, and the general Art. 20 NIS 2 approval-and-oversight duty that ports over the moment the new person signs the appointment.
Art. 20(1) and (2) NIS 2 + §38 BSIG (liability and training)
Member States shall ensure that the management bodies of essential and important entities can be held liable for infringements of Art. 21 by those entities (Art. 20(1)). The members of the management bodies are required to follow training in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices (Art. 20(2)).
Liability and the training duty attach from the day the new management body member takes office, not from a convenient later date. The directive provides no grace period.
§33(5) BSIG + Art. 3(4) NIS 2 (registry update)
Essential and important entities shall notify the Federal Office (BSI) of changes to the information required for registration within two weeks. (§33(5) BSIG, translated from the German)
Two-week deadline. The contact person registered with the BSI is the channel through which incident-related requests, advisories, and supervisory notices arrive. A stale contact person means BSI inquiries silently fail: nobody at the entity sees them, and nobody at the BSI is told they were not seen.
Art. 20(1) NIS 2 (approval continuity)
The management bodies of essential and important entities shall approve the cybersecurity risk-management measures taken by those entities and shall oversee its implementation.
'Approve' is a continuing duty. Approvals signed by the outgoing CEO bind the entity, and the incoming CEO becomes accountable for overseeing them from day one. They cannot disclaim what they have never been briefed on, so the briefing has to happen at handover, on the record.
§38 BSIG training records (outgoing)
Proof of completion for the outgoing management body member, so the entity can still show at supervision that the duty was met while that person was in office. The new member's own §38 training has to be arranged separately and promptly; the predecessor's certificate does not cover the successor.
Signed risk acceptances
Every risk register entry the outgoing CEO accepted (rather than mitigated) is now an obligation the incoming CEO inherits. Review them at handover; do not discover them at audit.
Supplier dependency map
Which suppliers carry NIS 2 supply-chain risk under Art. 21(2)(d). The incoming CEO needs to know which suppliers cannot be terminated quickly, which ones hold contractual liability, and which ones are overdue for review.
Incident response ownership
Who has portal access, who signs off on notifications, who is the designated reporting officer. Names, contact details, escalation chain. This is the document that gets pulled at 03:00 during an incident.
Step 1 — Update BSI registration
Via the BSI portal under §33(5) BSIG: new contact person, role, contact details. The two weeks run from the date the appointment takes effect, not from the date someone remembers. Use the entity's existing ELSTER organisation certificate; it belongs to the entity and does not change when the management body does.
Step 2 — Schedule §38 BSIG training
The new member is required to take cybersecurity risk-management training. The BSIG sets no fixed calendar deadline, but the page's reading of §38(2) is 'unverzüglich' (without undue delay). Schedule it within the first quarter of the new role and keep the proof of completion with the other §38 records.
Step 3 — Re-confirm or replace outgoing approvals
Walk the new member through the risk register and the supplier map. Anything they want to keep gets their own signature; anything they want to revisit gets a separate, dated decision. Document the briefing date, the attendees, and the documents reviewed.
BSI contact never updated
The two-week §33(5) clock runs in the background of a busy transition. A missed update means the BSI's registered contact is a person who no longer works at the entity. The result is fine exposure under §65 BSIG and, if that person also held the portal access, a worst-case failure to file an incident notification.
Risk acceptances inherited blindly
The incoming CEO signs the appointment and, by operation of law, becomes accountable for risks accepted by the predecessor. Without a briefing they cannot defend those acceptances at audit, because they cannot explain why the risk was accepted. The handover briefing is the bridge.
§38 training scheduled 'later'
There is no specific calendar deadline, so it slips. Years pass. At the next supervision the BSI asks for proof of training and there is none. Schedule it within the first quarter, not 'when there is time'.
The three failure modes compound. First, the BSI registration is stale, so BSI requests, advisories and supervisory notices reach no one at the entity. Second, the incoming CEO has no briefing on the risks they have inherited, so the audit defence collapses. Third, the §38 training is missing, which is a separate breach under §38(3) BSIG.
Each of the three leads to the same enforcement path: a supervisory notice under NIS 2 (Art. 32 for essential entities, Art. 33 for important entities), a possible fine under §65 BSIG, and personal exposure of the management body member who signed without checking. None of it is reversible by a retroactive briefing.
- Directive (EU) 2022/2555 (NIS 2), Art. 3, Art. 20, Art. 21, Art. 32, Art. 33, eur-lex.europa.eu
- Act on the Federal Office for Information Security (BSIG), §33(5), §38, §65, www.gesetze-im-internet.de
- BSI Handreichung (guidance) on §38 BSIG, April 2026, version 1.0, www.bsi.bund.de
- NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG)
This page provides structured guidance based on publicly available sources (NIS 2 Directive, BSIG, BSI Handreichung §38). It does not constitute legal advice within the meaning of §2 RDG. Personal liability exposure of management body members is a legal question for an admitted lawyer. As at 2026-06-04.