Evolution of D&O liability using the example of the NIS 2 Network and Information Systems Directive
European Union regulations are exposing companies and their management to new and more complex liability risks. In the event of legal violations, company directors face personal liability for damages, but not only that: sanctions under criminal law (monetary fines and prison sentences) and under the law on administrative offences (usually monetary fines) are also provided for against managers personally, and, by way of attribution, claims for damages and other legal consequences can be brought against the companies they represent. In addition, state authorities have regulatory rights of intervention. It is precisely the combination of these mechanisms, together with newly introduced liability provisions, that presents those involved with new challenges.
The risk management challenges are exemplified by the Network and Information Security Directive (“NIS2 Directive”) of the European Parliament, which was adopted at the end of 2022. This Directive specifies extensive obligations in the area of cybersecurity and expands them. The transposition of the provisions into national law is almost complete: on 24 July 2024, the German Federal Cabinet approved the Federal Ministry of the Interior and Community’s bill to implement the NIS2 Directive (“NIS2 Implementation Act”). This law essentially provides for a revision of the Act on the Federal Office for Information Security (“BSIG-E” or the “Bill”) (see the Noerr newsletter dated 23 July 2024). The focus is particularly on risk management measures in the area of IT security, which are regulated in sections 30 onwards of the Bill and are to be implemented by the affected entities. Section 38(1) of the Bill directly addresses the directors and officers of a company. They are required to implement the necessary risk management measures and monitor their implementation. In addition to public law supervisory measures and sanction options, the Bill provides for civil liability of the directors and officers in the 1st sentence of section 38(2) of the Bill if they fail to fulfil their duties. We will take a closer look at the practical implications for D&O liability (I.) and legal practice in general (II.).
I. Impact of stricter regulation on D&O liability
The extension of the scope of application of European legislation has an impact on the internal liability of management bodies under company law (1.), on their external liability under tort law and therefore also indirectly on the company itself (2.).
1. Internal D&O liability under company law
The internal liability of directors and officers under company law, i.e. their liability to the company for damages, which is unlimited and extends to their private assets, arises, depending on the type of company, from section 93(2) of the German Stock Corporation Act (AktG), section 43(2) of the German Limited Liability Companies Act (GmbHG) or section 34(2) of the German Cooperative Societies Act (GenG). The intensified regulatory efforts of the European legislators raise the question of how the increasing number of special provisions in various fields of law relate to the general provisions of German company law. Looking at the court rulings handed down in the area of D&O liability, we can see that the requirements of conduct, particularly in connection with organisational and monitoring measures, have become increasingly specific. Based on the principles developed by the courts, the duties of conduct can be determined in a manner that is appropriate to the situation and thus flexible. It is therefore welcome that in the final draft of the NIS 2 Implementation Act, the German legislators have decided against a separate liability rule and instead refer to general company law.
Increasing regulatory provisions for businesses limit entrepreneurial freedom of action. This freedom is protected by what is known as the business judgement rule in the law governing D&O liability. According to this rule, the liability of a managing director is excluded if their decisions were made on the basis of appropriate information and for the benefit of the company (2nd sentence of section 93(1) of the German Stock Corporation Act). However, this liability privilege only applies within the limits of the duty of legality, i.e. the obligation to comply with the law. The more legal requirements directors and officers have to comply with and implement, the more their duty of legality expands and the more their entrepreneurial freedom is restricted. In addition to this duty of legality, there is a duty to monitor legality. According to this, companies must be organised and monitored in a manner that prevents breaches of the law from within the company.
2. External liability of managers and companies in tort law
The comprehensive lists of duties also raise the question of external liability of managers under tort law pursuant to section 823(2) of the German Civil Code (Bürgerliches Gesetzbuch), i.e. liability not to the company but to external third parties. It must be decided in the individual case whether the courts will classify regulatory requirements for conduct as protective laws under section 823(2) of the German Civil Code and thus establish external D&O liability under tort law. A provision qualifies as a protective law only if it is intended to protect individuals or specific groups of people against the infringement of a specific legal interest. Using the attribution standard of section 31 of the German Civil Code, the tortious liability of a director or officer leads directly to unlimited liability for damages on the part of the company concerned. These risks therefore must also be anticipated and controlled by the management.
II. Other effects on general legal practice
The example of cybersecurity regulation makes it clear that liability risks for management and companies should by no means be viewed in isolation. The interlinking of public, civil and criminal liability mechanisms is characteristic of the modern regulatory approach of the European legislators. This is precisely the case not only in the NIS2 Implementation Act, but also, for example, in the case of the German Act on the Stabilisation and Restructuring Framework for Companies (“Framework Act” – Gesetz über den Stabilisierungs- und Restrukturierungsrahmen für Unternehmen – StaRUG) (see the Noerr newsletters dated 29 September 2020, 5 March 2021, 16 July 2021 and 24 March 2022) or the recently adopted Corporate Sustainability Due Diligence Directive (CSDDD; see the Noerr newsletters dated 21 March 2024, 26 April 2024 and 10 June 2024). This trend is also illustrated by the ongoing discussion on whether companies may seek recourse against their management for fines imposed on the company. This question is also relevant in the area of cybersecurity. In cybersecurity, however, the legislators have now moved away from the originally proposed explanatory memorandum to the Bill, which stated that the damages under section 38(2) of the Bill should also include recourse claims and fines. This means that the general legal situation and case law on this point remain in place.
Last but not least, it cannot be ruled out that the courts will trigger disruptive legal developments based on new due diligence obligations and conduct requirements. A glance at developments abroad shows this to be the case: in ESG-related disputes, the UK Supreme Court has already handed down such decisions in the cases of Vedanta (UK Supreme Court, Dec. 10/04/2019, UKSC 2017/0185) and Okpabi (UK Supreme Court, Dec. 23/06/2020, UKSC 2018/0068). In those cases, affected parties domiciled abroad sued not only the foreign subsidiary that had directly caused the damage, but also, and primarily, its UK parent company. On the basis of English law, the Supreme Court affirmed the possibility of the English courts having jurisdiction and of piercing the corporate veil to hold the parent company liable – an outcome that is rejected by German international procedural, tort and corporate law.
III. Conclusion and recommendations
The statutory obligations in the area of cybersecurity illustrate the practical relevance of the European legislators’ regulatory efforts towards comprehensive liability of managers and companies. Special provisions in a wide range of areas restrict entrepreneurial freedom and give rise to new liability risks. From a practical point of view, we therefore recommend keeping a close eye on the latest measures taken by European and national legislators and adapting organisational and monitoring structures in order to avoid costly penalties for managers and companies.
For a detailed discussion of the NIS 2 Directive and manager liability, see Sieg/Bradshaw, PHi 5/2024, 82.