NIS2: Personal liability for management and employees

The NIS2 directive is a new EU regulation that tightens cybersecurity requirements and introduces personal liability for management and key personnel. This liability applies when security requirements specified in the directive are breached. The directive responds to increasing cyber threats and our general dependence on secure digital infrastructure.
Published: 28.08.25

Bull has also written about which businesses are covered and the required security measures.

What does this mean for you?

For Norwegian private and public organizations, NIS2 means stricter responsibility for securing digital infrastructure, especially for businesses not previously regulated. The directive is significant in two main areas:

First, management faces personal liability. Management includes not just the board and CEO, but it can also extend to people further down in the organization. The details of how this liability will look will be determined when Norway implements the directive into Norwegian law. Regardless, NIS2 will tighten the responsibility that already exists under Norwegian general management liability rules, which may inflict personal liability for damages on people throughout an organization.

Second, the business itself has obligations. Management must, for example, approve and ensure that necessary cybersecurity measures are implemented. See more about obligations in our separate article. Violating these obligations can lead to serious consequences for the business:

  • Fines: For essential entities, fines must be at least up to 2% of annual group turnover or 10 million euros, whichever is higher. For important entities, fines are somewhat lower, but still significant. In Norway the recent Digital Security Act that implements NIS1 (from 2016) stipulates 4% of the turnover of the entity (not group) up to 50 MNOK.
  • Temporary removal of management: Authorities can remove management in essential entities if other measures have not had the desired effect.
  • Business shutdown: In serious cases, essential entities can be prohibited from continuing operations.

When do the rules take effect?

Implementation of NIS2 into Norwegian law is being prepared and will likely not take effect before 2026. Since the consultation document did not come out before summer as expected, NIS2 may be implemented together with its sister directive, the CER directive (2022/2557), which covers physical security. Before then, NIS1 will take effect on 1 October 2025 in Norway through the Digital Security Act. Many EU countries have already implemented NIS2, and more are following. This means Norwegian businesses that deliver to the EU will need to comply with NIS2 requirements, imposed in particular through contracts.

What should businesses do?

To prepare for NIS2, businesses should act now to ensure compliance and reduce the risk of personal liability. An early start often gives better results at a lower cost. Here are some concrete measures to consider:

  • Establish clear accountabilities: Clarify who is responsible for what in the organization and ensure this is documented. This applies both at board level and in daily operations.
  • Invest in insurance: Consider directors’ and officers’ insurance, cyber insurance, and other insurance that covers both the business and employees and board members.
  • Ensure good underlying security: Conduct risk analyses and implement robust technical and organizational security measures.
  • Review contracts: If you're a customer, ensure that suppliers meet security requirements. If you're a supplier, make sure to limit your security liability by requiring NIS2 compliance.
  • Conduct training: Ensure that both management and employees are familiar with NIS2 requirements and how to comply with them in practice.

NIS2 is a comprehensive regulation that will affect many Norwegian businesses. To avoid serious consequences for both the business and individuals in management, it is crucial to take action now. Cybersecurity is no longer just a technical issue – it's a strategic responsibility that requires the management's full attention.

Do you have questions about how your business can prepare for NIS2? Contact Kristian Foss here. We help ensure your business is prepared for future requirements.

Bull also assists with advice on other security regulations, such as DORA, that recently became Norwegian law. You can find us here.
