Why CISOs are now personally liable — and what it means for your business
For years, cybersecurity was treated as a technical problem. Something the IT department handled. Something that lived in a server room, not a boardroom. That era is over.
With the arrival of NIS2 and DORA, the European Union has fundamentally rewritten the rules. Cybersecurity is no longer just an operational concern — it is a governance responsibility. And for the first time, the people at the top can be held personally accountable when things go wrong.
If you run a small or medium-sized business in Europe, this shift affects you directly. Here is what you need to understand.
The new regulatory landscape: NIS2, DORA, and personal accountability
The NIS2 Directive, which EU member states were required to transpose into national law by October 2024, dramatically expands the scope of cybersecurity obligations. It covers a far wider range of sectors than its predecessor — from energy and transport to digital infrastructure, waste management, and food production. Estimates suggest that over 160,000 entities across Europe now fall under its scope.
DORA (the Digital Operational Resilience Act), which applies from January 2025, does something similar for the financial sector. Banks, insurance companies, investment firms, and even their critical ICT service providers must now meet strict requirements for digital resilience.
But the real shift is not about scope. It is about who bears responsibility.
Under NIS2, management bodies — boards of directors, CEOs, managing directors — must approve cybersecurity risk management measures and oversee their implementation. Article 20 is explicit: senior management can be held personally liable for non-compliance. Member states can impose sanctions directly on natural persons holding management positions.
In Italy, this intersects with an existing legal framework that makes the implications even more serious.
The Italian dimension: D.Lgs. 231 and organizational liability
Italy’s Legislative Decree 231/2001 (D.Lgs. 231) establishes a unique model of corporate criminal liability. Under this framework, companies can be held directly responsible for crimes committed by their directors, managers, or employees — if the organization failed to adopt adequate prevention measures.
Cybersecurity failures now fit squarely into this picture. If a data breach occurs because the company lacked proper security governance, the organization itself can face sanctions under D.Lgs. 231. These include fines, disqualification from public contracts, and even judicial administration of the company.
For Italian SMBs, the combination of NIS2 and D.Lgs. 231 creates a dual layer of accountability:
- At the organizational level, the company must demonstrate it adopted an adequate organizational model (Modello 231) that includes cybersecurity governance.
- At the personal level, directors and officers who failed to oversee cybersecurity measures can face individual sanctions, including fines of up to €10 million or 2% of global annual turnover under NIS2.
The CISO — Chief Information Security Officer — sits at the intersection of these two layers. While CISOs are rarely board members themselves, they are increasingly the ones expected to design, implement, and report on the very measures that management is legally required to oversee.
What this means in practice for European SMBs
Many small and medium-sized business owners assume these regulations target large enterprises. That assumption is dangerous.
NIS2 applies to organizations with as few as 50 employees or €10 million in annual turnover in covered sectors. DORA affects financial entities of all sizes, including smaller firms that provide technology services to the financial sector. According to ENISA, over 40% of cyberattacks in Europe already target SMBs, yet only 17% of small businesses have a cybersecurity incident response plan in place.
Here is what the new framework requires, in concrete terms:
- Risk assessments: Regular, documented evaluations of cybersecurity risks, approved by management — not just IT staff.
- Incident reporting: Mandatory notification of significant incidents within 24 hours (early warning) and 72 hours (full report) to the relevant national authority.
- Supply chain security: You are responsible for assessing and managing cybersecurity risks in your supply chain and third-party relationships.
- Training and awareness: Management must undergo cybersecurity training. This is not optional — NIS2 Article 20(2) states it explicitly.
- Business continuity: Plans for backup management, disaster recovery, and crisis management must be in place and tested.
Failure to comply does not require an actual breach. Regulators can impose sanctions simply for inadequate measures. For essential entities under NIS2, administrative fines can reach €10 million or 2% of worldwide annual turnover. For important entities — the category most SMBs fall into — fines can reach €7 million or 1.4% of turnover.
The CISO’s shifting role
The traditional CISO role was technical: configure firewalls, manage patches, respond to incidents. Under NIS2 and DORA, the role has become strategic and, in many ways, legal.
CISOs are now expected to translate technical risk into business language for the board, produce documentation that can withstand regulatory scrutiny, and ensure that management decisions about cybersecurity are informed and traceable. In several EU member states, including Italy, prosecutors have already begun examining whether individual officers exercised adequate oversight of cybersecurity — not just whether the technology was in place.
This creates a challenging dynamic. The CISO carries operational responsibility, but may lack the authority or budget to implement what the regulations demand. Without clear governance structures, this gap becomes a liability — for the CISO, for the management, and for the company.
How to prepare: practical steps for business owners
The good news is that compliance does not require massive budgets. It requires structure, commitment, and documentation. Here is where to start:
- Determine if you are in scope. Review whether your sector and company size place you under NIS2 or DORA obligations. If you are in doubt, consult your national cybersecurity authority — in Italy, that is the ACN (Agenzia per la Cybersicurezza Nazionale).
- Assign clear responsibilities. Cybersecurity governance must have a named owner at the management level. If you have a CISO, define their authority and reporting lines clearly. If you do not, designate who will fulfill that function.
- Update your organizational model. For Italian companies, integrate cybersecurity into your Modello 231. Document policies, procedures, and risk assessments. Make sure they are reviewed and approved by the board.
- Invest in training. Board-level cybersecurity training is a legal requirement under NIS2. Make it regular and substantive, not a checkbox exercise.
- Establish incident response procedures. Draft and test an incident response plan that meets the 24/72-hour notification requirements. Know who to contact, what to report, and how to preserve evidence.
- Review your supply chain. Map your critical vendors and assess their cybersecurity posture. Include security requirements in contracts.
The bottom line
NIS2 and DORA represent the most significant shift in European cybersecurity regulation in a decade. They move responsibility from the server room to the boardroom and attach real consequences — financial and personal — to inadequate oversight.
For SMBs, the message is clear: cybersecurity is no longer something you can delegate and forget. It is a governance obligation, and the people running the business are the ones who will answer for it.