D&O Liability and the New Cyber Laws
DORA and NIS2 have established a principle with far-reaching consequences for directors and managing directors: responsibility for cybersecurity lies personally with the management body. It cannot be fully delegated to the IT department, an external service provider, or a CISO.
What the laws require
Personal responsibility of management is concretely established in several laws:
- Art. 5(2a) DORA: The management body bears ultimate responsibility for ICT risk management.
- Art. 50(5) DORA: The competent authority can impose administrative sanctions on members of the management body.
- Art. 20(1) NIS2: Management bodies must approve risk management measures and oversee their implementation. They can be held personally liable.
- Art. 32(5)(b) NIS2: Authorities can temporarily prohibit natural persons from exercising management functions — a temporary ban as an escalation measure.
- Art. 32(6) NIS2: Natural persons can be held liable for breaches of their obligations.
- § 38(1-2) NIS2UmsuCG (German law): Management is obliged to implement and oversee risk management measures. They are personally liable for culpably caused damages.
- Art. 5(2) GDPR: The controller must be able to demonstrate compliance with the principles ("accountability"). GDPR fines under Art. 83 are paid by the company but regularly lead to recourse claims against management — particularly when compliance with technical and organisational measures under Art. 32 was not documented.
The training obligation
Both laws require members of management bodies to undergo training:
- Art. 5(4) DORA: The management body must actively keep sufficient knowledge and skills up to date.
- Art. 20(2) NIS2: Members of management bodies must participate in training to be able to assess risks and evaluate measures.
- § 38(3) NIS2UmsuCG: Management must regularly participate in training.
This is not a recommendation. It is a legal obligation.
Why D&O insurance often does not help
Many directors rely on their D&O insurance. But D&O policies typically exclude deliberate regulatory violations. And this is precisely the problem: when a law establishes a personal obligation to actively implement and oversee, and a director demonstrably fails to fulfil this obligation, it is not a management error. It is a regulatory violation.
The consequence: precisely the cases where a director would most urgently need the insurance are the cases where it is least likely to respond.
What a director must do
The laws establish a clear duty profile:
- Approve risk management measures and actively oversee their implementation
- Regularly participate in training and demonstrate knowledge
- Know the software supply chain — including open source dependencies
- Make documented decisions when risks are identified
- Maintain evidence that can be presented to an auditor or authority
What OTTRIA can take over
OTTRIA cannot replace a director's personal responsibility — nobody can. What OTTRIA delivers is the operational foundation and documentation on which informed decisions can be made:
- Risk analysis and assessment of all open source components in your supply chain
- Remediation protocols with documented outcomes per vulnerability
- Decision briefs that transparently present options and risks
- Audit-ready evidence demonstrating that action is being taken systematically
You make the decisions. OTTRIA ensures you have a solid foundation for them — and that this foundation is documented.
Further reading
- Cyber insurance and open source risks
- Open source has no contractual partner
- Practical audit preparation
Want to understand which obligations specifically apply to you and how OTTRIA supports you? Arrange an initial consultation.