
Director Liability under §43 GmbHG and NIS-2: Why 'Cyber is IT's Job' Can Lead to Personal Bankruptcy in 2026

SecTepe Editorial

Until 2024 cyber security was, for many German managing directors, a topic handled by "IT" or "the insurance". In 2026 that view is finished – not by soft law, but by hard liability case law.

Three Legal Bases That Lock Together

  • §43 GmbHG (duty of care of an orderly businessman): personal liability with private assets for damages caused by breach of duty. Cyber incident without documented security measures = breach of duty.
  • §93 AktG (board duty of care): equivalent for stock corporations, plus reverse burden of proof – the board must prove they were careful.
  • NIS-2 Art. 20: management bodies are explicitly responsible for approving and supervising cyber risk measures. Personal sanctions on breach.

The combination is new: NIS-2 makes the management duty explicit, §43/§93 makes it personal. "I didn't know" no longer works.

What a Court Recognizes as Duty Fulfillment in 2026

  1. Risk inventory with director signature: annually updated, with treatment decisions per top-10 risk.
  2. ISMS by recognized standard: ISO 27001 or BSI IT-Grundschutz. "Own method" only suffices if documented as better.
  3. Incident response plan, tested: annual tabletop exercise with management. Minutes in audit trail.
  4. Awareness program with proof: phishing simulation, training quotas, effectiveness measurement.
  5. Supplier risk assessment (TPRM): NIS-2 Art. 21(2)(d) makes supply chain security explicitly mandatory.
  6. Audit trail of all relevant decisions: who accepted which risk, when, with what justification.

If any one of these is missing and an incident happens, management is in evidentiary trouble. D&O insurance does not cover personal liability when intentional breach of duty is on the table – and "no ISMS despite NIS-2 obligation" gets interpreted exactly that way.

The Cost Comparison That Wakes Directors Up

A realistic scenario: mid-market firm, 200 employees, ransomware incident with 5 days of downtime and €80,000 ransom negotiation. Direct damage: ~€1.2 M. Shareholder sues management for reimbursement based on insufficient cyber measures. Without a documented ISMS: claim is well-founded.

By contrast: ISMS with GRC platform (e.g. SecTepe.Core), self-hosted mail security with CTI/sandbox (SecTepe.Comm) – investment over 3 years: ~€150–250 k. Risk reduction substantial, liability protection documented.

What Management Should Concretely Do – This Month

  • Status audit: is there a documented ISMS? Was it last externally checked? When?
  • Request risk top-10: from CISO/IT lead, with treatment status. If the answer is "we have it verbally", that is itself a finding.
  • Schedule incident response test: tabletop exercise with external moderation. Archive the minutes.
  • Finalize NIS-2 applicability: does it apply to us? Which sector, size class, responsibilities?
  • Read the D&O policy: what does it actually cover for cyber? Which exclusion clauses?

Compliance Mapping

  • NIS-2 Art. 20: management duty to approve and supervise cyber risk measures.
  • NIS-2 Art. 21: minimum security measures catalog (10 areas).
  • §43 GmbHG / §93 AktG: personal liability with reverse burden of proof.
  • BSI Standard 200-1/-2/-3: recognized ISMS methodology in Germany.
  • D&O standard clauses: check whether "gross cyber negligence" is excluded.

Conclusion

"Cyber is IT's job" was a poor statement in 2018, a risky one in 2024, and a potentially personal-bankruptcy-relevant one in 2026. Managing directors who don't kick off an ISMS foundation project in the next 12 months are accepting a liability risk that can severely impact their personal financial planning. The good news: the ISMS is doable, predictable, and – with the right platform – not the 18-month Excel project from the 2010s.