§38 BSIG + §43 GmbHG

Personal Liability of the Management Body Under NIS 2

Article 20 of the NIS 2 Directive assigns three duties to the management body: approve the cybersecurity risk-management measures, oversee their implementation, and undergo training. National company law converts a breach of those duties into a personal claim against the individual.

Simon Orzel

What Article 20 actually says

Article 20 of Directive (EU) 2022/2555 places the cybersecurity duty on the management body of every essential and important entity. The management body must approve the risk-management measures required by Article 21, must oversee their implementation, and can be held liable for the entity's infringements of Article 21.

Article 20(2) adds a separate obligation: members of the management body must follow training so they gain sufficient knowledge to identify risks and assess cybersecurity risk-management practices. The directive also encourages similar training for employees.

These are duties of the natural person, not the company. NIS 2 does not itself create a private cause of action against the director, but it raises the standard of conduct against which national company law measures the director's behaviour. In Germany, that standard is the Sorgfaltspflicht in §43 GmbHG and §93 AktG.

The two layers and the German transposition

NIS 2 is a directive at EU level. Commission Implementing Regulation (EU) 2024/2690 (CIR 2024/2690) specifies the technical and methodological requirements for certain digital-sector entities. Germany transposes the governance duty in §38 BSIG and converts it into personal liability via the general company-law Sorgfaltspflicht.

EU Directive

Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.

Article 20(1) NIS 2 (Directive (EU) 2022/2555). The duty is assigned directly to the management body, not to the company as a separate legal person.

EU Implementing Regulation

Essential and important entities shall establish, apply, and maintain an appropriate cybersecurity risk-management framework setting out the policies, processes, procedures, and roles relevant to the management of cybersecurity risks.

Commission Implementing Regulation (EU) 2024/2690, Annex section 1. The regulation binds the narrow category of digital infrastructure and digital service providers listed in Article 1; for all other sectors it is a quality benchmark, not the binding standard.

National transposition

The management bodies of particularly important entities and important entities must approve the risk-management measures that those entities are to take in order to comply with their obligations under §30, and must oversee their implementation.

§38(1) BSIG (as drafted in the NIS2UmsuCG, the German implementing act for NIS 2). §38(3) requires the management body to undergo regular training. The personal-liability hook sits in the general company law that §38 references, not in §38 itself.

Three statutory hooks that interact

The NIS 2 duty does not create a new liability statute. It feeds the existing Sorgfaltspflicht under company law.

Art. 20 NIS 2

Approve, oversee, train

Article 20(1) requires the management body to approve the Article 21 measures and oversee implementation. Article 20(2) requires training. Both duties attach to the individual member of the management body.

§38 BSIG

German transposition

§38 BSIG repeats the approval, oversight, and training duty in German law. §38 does not itself state a damages figure; it defines the conduct standard. The financial sanctions sit in §65 BSIG and target the entity, not the director.

§43 GmbHG / §93 AktG

Sorgfaltspflicht as the liability bridge

§43 GmbHG requires the Geschäftsführer to apply the care of a prudent businessperson, and §43(2) makes them jointly and severally liable to the company for damage caused by a breach of duty. §93 AktG sets the equivalent standard for the Vorstand of an Aktiengesellschaft. A failure to discharge the Article 20 duty becomes evidence that the Sorgfaltspflicht was breached.

Two principles that govern the liability theory

Both principles existed in German company law long before NIS 2. NIS 2 simply specifies what good cybersecurity governance looks like, which sharpens the standard the courts measure against.

Personal liability runs to the company, not to third parties

The §43 GmbHG and §93 AktG claims are claims of the company against its own director. They become operative when the supervisory body, shareholders, an insolvency administrator, or a successor management decides to pursue them. NIS 2 does not create a direct claim by regulators or affected third parties against the individual; it creates the underlying breach.

Sorgfaltspflicht is measured against industry practice

German courts assess the Sorgfaltspflicht against what a prudent businessperson in the same role and sector would have done. NIS 2 plus the implementing regulation now define part of that benchmark for cybersecurity. A management body that ignores Article 21 measures runs against a standard that is now written down in statute.

How national bodies frame the duty

The directive leaves the liability regime to national company law. National regulators describe the governance duty in their own language.

DE

BSI guidance

The Bundesamt für Sicherheit in der Informationstechnik (BSI) frames §38 BSIG as a non-delegable management duty. The Handreichung zur Geschäftsleitungs-Schulung (April 2026, v1.0) is research input, not a binding curriculum; it does describe the substantive content the BSI expects the management body to know.

DE

German company-law jurisprudence

The Bundesgerichtshof has long held under §43 GmbHG that a Geschäftsführer must organise the company so that legal duties are actually fulfilled, including by setting up reporting lines and oversight. NIS 2 specifies one of those legal duties in detail.

EU

ENISA Technical Implementation Guidance

The European Union Agency for Cybersecurity (ENISA) publishes the Technical Implementation Guidance for NIS 2 Article 21 measures and maps them to ISO 27001, NIST CSF 2.0, ETSI 319 401, and CEN/TS 18026. The guidance is non-binding but is the reference text auditors and courts treat as the state of the art.

Three common misreadings of the liability question

Each of the following is a sentence that gets repeated in pitches and panels and that the statute does not support.

  • We delegated cybersecurity to the CISO, so the management body is off the hook.

    Article 20(1) places the approval and oversight duty on the management body itself. Operational execution can be delegated, but the duties to approve the measures and oversee implementation cannot. §43 GmbHG case law treats organisational failure as a primary breach by the Geschäftsführer, regardless of who was tasked operationally.

  • If a Geschäftsführer is not technical, the duty cannot apply to them personally.

    Article 20(2) requires the members of the management body to undergo training that gives them sufficient knowledge to assess cybersecurity risk-management practices. Lack of expertise is precisely what Article 20(2) addresses; it is not a defence against §43 GmbHG.

  • D&O insurance covers any NIS 2 liability.

    D&O policies typically respond to claims by the company against the director under §43 GmbHG or §93 AktG, which is where the Article 20 breach lands. Policies regularly exclude regulatory fines (e.g. the entity-level fines under §65 BSIG), intentional acts, and knowing violations. The exclusions, retention, and coverage triggers are policy-specific; they are described here, not pre-judged for any particular policy.

How the duty actually shows up in operations

In practice the Article 20 duty produces three artefacts:
  • A written approval of the Article 21 risk-management measures by the management body.
  • An oversight record that shows the management body received status updates and reacted.
  • A training record for each member of the management body.

Auditors, insurers, and, in a downside scenario, a successor management or insolvency administrator will look for these three artefacts. Their absence is what turns the Article 20 duty into a §43 GmbHG claim.

Where the platform fits

The platform models the Article 20 duty as the GOV category in the NIS 2 obligation register. Approval of the risk-management measures sits on a sign-off requirement assigned to the management body. Oversight is the audit trail across the Article 21 requirements. Training is tracked per member with completion evidence.

The substantive question of whether a court would find a Sorgfaltspflicht breach in a given case is a question for legal counsel. The platform produces the documentary record that the legal question is decided on.

Sources
  • Directive (EU) 2022/2555 (NIS 2), Article 20 and Article 21. Source: EUR-Lex.
  • Commission Implementing Regulation (EU) 2024/2690, Annex section 1. Source: EUR-Lex.
  • BSI-Gesetz, §38 (governance duty of management bodies) and §65 (sanctions). Source: gesetze-im-internet.de.
  • §43 GmbHG (Sorgfaltspflicht of the Geschäftsführer). Source: gesetze-im-internet.de.
  • §93 AktG (Sorgfaltspflicht of the Vorstand). Source: gesetze-im-internet.de.
  • BSI Handreichung zur Geschäftsleitungs-Schulung nach §38(3) BSIG, v1.0 (April 2026). Non-binding research input. Source: bsi.bund.de.
  • ENISA Technical Implementation Guidance for NIS 2 risk-management measures. Source: enisa.europa.eu.

Check whether NIS 2 applies

The Article 20 duty only attaches if the entity is in scope. The applicability check uses the sector and size criteria from Annex I and Annex II of NIS 2.