Director Liability
Responsibility Is Not an Appendix
Executive peace of mind comes not from optimism, but from clear accountability and demonstrable follow-through.
In Director Liability, the focus is on demonstrability: translating standards into ownership, planning, and review.
This way, the topic becomes not a periodic discussion, but a manageable part of regular business operations.
Immediate measures (15 minutes)
Why this matters
The core of director liability is risk reduction in practice: technical context informs the choice of measures, but what counts is that the measures are actually implemented and that you can prove it.
The director who thought IT was "something for the department"
In 2017, the CFO of a mid-sized Dutch logistics company was held personally liable after a ransomware attack. The company was down for three weeks; the damage came to 2.3 million euros. The bankruptcy trustee established that the board had ignored the IT department's recommendations for years, that there was no incident response plan, and that the last penetration test dated from 2012. The court's verdict: improper management.
The CFO had no knowledge of cybersecurity. That was precisely the problem. Because ignorance is not a defense -- it is an accusation.
This chapter explains when directors are personally liable for cybersecurity incidents, what the law requires, and how you as a director can demonstrate that you have fulfilled your duty of care. No legal jargon without explanation, no vague advice. Concrete rules, concrete steps.
This chapter builds on the general board responsibility from chapter 1. Where that chapter outlines the broad responsibility, here we zoom in on the legal consequences when that responsibility is not met.
What does the law say?
Book 2 Dutch Civil Code: improper management
The basis lies in the Dutch Civil Code, Book 2. Directors are obligated to fulfill their duties "properly" (art. 2:9 DCC). If they fail to do so, they are jointly and severally liable for the damage resulting from that improper management.
The legal test is clear: there must be a serious reproach. That sounds like a high bar, but in practice it is lower than many directors think. Ignoring known risks, failing to act on advice, or structurally underfunding security can all qualify as a serious reproach.
Important: liability is joint and several. Each board member can be held personally liable for the full damage, not just the one who "was in charge of IT." A director escapes liability only by showing that, given the allocation of tasks within the board, no serious reproach attaches to them personally and that they were not negligent in taking measures to avert the consequences. A portfolio division can support that defense, but it does not remove the board's collective responsibility.
The duty of care for IT security
The duty of care of directors encompasses everything reasonably necessary to protect the organization. Cybersecurity unambiguously falls under this in 2026. The court examines:
- Did the board know the risks? Was there a risk analysis? Were incidents reported to the board?
- Were measures taken? Was there budget, policy, a responsible person?
- Were the measures proportional? Did the security level match the nature and size of the organization?
- Was action taken on warnings? Were recommendations from auditors, penetration testers, or the CISO addressed?
Key point: As a director, you don't need to be a cybersecurity expert. You do need to demonstrate that you took it seriously, allocated budget for it, and acted on the advice you received.
NIS2: personal liability becomes explicit
The European NIS2 directive -- which has been transposed into Dutch law as the Cybersecurity Act -- fundamentally changes the playing field. For the first time, the board's responsibility for cybersecurity is explicitly enshrined in legislation.
What NIS2 requires of directors
- Approval of measures. The board must formally approve cybersecurity measures. Delegating to the IT department without involvement is no longer sufficient.
- Oversight of compliance. The board must ensure that measures are actually implemented.
- Personal training. Directors must personally undergo training on cybersecurity risks and measures. Yes, really. You personally.
- Personal liability. In cases of negligence, directors can be held personally liable. For essential entities, the directive also allows supervisors to temporarily ban the responsible natural persons (CEO or legal representative level) from exercising management functions until the organization is back in compliance.
Who falls under NIS2?
NIS2 applies to organizations deemed "essential" and "important." This includes energy, transport, healthcare, digital infrastructure, government, food, and more. Suppliers to these sectors are often pulled in as well: NIS2 requires in-scope organizations to manage supply-chain risk, so their contracts increasingly pass security requirements down to vendors. In practice, this affects more organizations than most directors think.
When are you and aren't you liable?
| Scenario | Liable? | Why? |
|---|---|---|
| No risk analysis conducted, no security policy | Yes | Basic duty of care not fulfilled |
| Security budget structurally rejected despite CISO advice | Yes | Deliberately ignoring known risks |
| No follow-up on critical audit findings | Yes | Serious reproach: knowledge of risk, no action |
| Incident despite reasonable measures (zero-day exploit) | No | No serious reproach if measures were proportional |
| Penetration test commissioned, findings addressed, budget allocated | No | Demonstrable due diligence |
| No incident response plan, causing unnecessarily large damage | Yes | Negligence in preparation increases the damage |
| Ransomware paid without legal advice or reporting to authorities | Possibly | Depends on circumstances, but risky |
| Deliberately no cybersecurity because "we're not interesting to hackers" | Yes | Culpable underestimation of risks |
| Annual boardroom training on cyber threats completed | No (supports your defense) | Demonstrates awareness and board involvement |
| Insurance taken out but no technical measures | Yes | Insurance does not replace prevention |
Note: The question is not whether you could have prevented every incident. The question is whether you took reasonable measures. Perfection is not the standard -- diligence is.
Court cases and precedents
The Netherlands
Dutch case law on director liability and cybersecurity is still relatively young, but the trend is clear. Courts increasingly examine whether the board has taken digital risks seriously. In bankruptcy situations, the trustee routinely investigates whether there was improper management, and inadequate IT security is increasingly factored in.
The Dutch Data Protection Authority has also imposed substantial fines for inadequate protection of personal data under the GDPR. Although this formally affects the organization, the fine can prompt shareholders or trustees to hold directors personally liable.
International
Internationally, precedents are further advanced. In the United States, directors and executives are increasingly being personally sued after data breaches. The trend is clear: regulators and courts expect cybersecurity to be a board matter, not an IT matter.
The lesson for Dutch directors: what is happening now in the US and UK will come here too. NIS2 accelerates that development.
D&O insurance: protection with limitations
A Directors & Officers insurance (D&O) covers the personal liability of directors. Many directors rely on this as a safety net. But that safety net has holes.
What a D&O insurance typically does cover
- Legal defense costs
- Damages in civil claims
- Settlement amounts (with insurer approval)
What a D&O insurance typically does not cover
- Intent and deliberate recklessness. If you willfully ignored risks, the insurer will not pay out.
- Regulatory fines. Most D&O policies exclude administrative fines (such as DPA fines).
- Fraud and criminal conduct. Obviously.
- NIS2 sanctions. It remains unclear how insurers will handle the new NIS2 sanctions, including the management ban.
Premiums are rising
Insurers are setting increasingly stringent cybersecurity requirements before issuing or renewing a D&O policy. Expect questions about incident response plans, penetration test frequency, and security awareness training. Insufficient security can lead to higher premiums, lower coverage limits, or denial of coverage.
Advice: Consider a D&O insurance as your airbag, not your power steering. It helps in an accident, but it doesn't prevent one. Invest in prevention. Also see chapter 9 on cyber insurance for a deeper analysis of the interplay between D&O policies, cyber insurance, and the requirements insurers place on your security level.
What constitutes "sufficient measures"?
The law does not prescribe specific technical measures. The court examines what is reasonable given the size, sector, and risk profile of the organization. But there are broadly accepted minimum standards.
Basic hygiene every organization must have
- Risk analysis. At least annually. Documented. Discussed in the board.
- Security policy. Formally established, current, accessible to employees.
- Incident response plan. What do we do when things go wrong? Who calls whom? Within what timeframe do we report to the DPA or NCSC? The clocks are short: a personal data breach must be reported to the DPA within 72 hours under the GDPR, and NIS2 requires an early warning of a significant incident within 24 hours, a full notification within 72 hours, and a final report within a month.
- Access management. Who has access to what? Principle of least privilege.
- Patch management. Promptly remediate known vulnerabilities.
- Backups. Regular, tested, stored offline.
- Security awareness. Training for all employees, including the board.
- Periodic assessment. Penetration tests, audits, or comparable assessments by independent parties.
The bar differs per organization
A hospital processing patient data is held to a higher standard than a sole proprietorship. But even for smaller organizations: the basics must be in order.
| Organization type | Minimum expectation | Elevated expectation |
|---|---|---|
| SME without special data | Basic hygiene, annual awareness | -- |
| SME with customer data or financial data | Basic hygiene + penetration test + incident plan | GDPR compliance demonstrable |
| Larger organization or NIS2-obligated | All of the above + CISO + SIEM/SOC + continuous monitoring | Formal governance, boardroom reporting |
| Critical infrastructure | All of the above + sector-specific requirements + exercises | Government oversight, reporting obligation, NIS2 compliance |
Ten steps to demonstrate due diligence
As a director, you want to be able to show that you have fulfilled your duty of care. Here are ten concrete steps, each with a tangible outcome.
- Have a risk analysis conducted and discuss the outcomes in the board. Record this in the minutes.
- Establish a cybersecurity budget that fits the risk profile. Document the rationale.
- Appoint a responsible person -- a CISO, or for smaller organizations an external security officer.
- Have periodic penetration tests conducted and treat findings as action items. Follow up on them.
- Develop an incident response plan and practice it at least annually.
- Take cybersecurity training yourself. This is mandatory under NIS2, but it is wise regardless.
- Make security a standing agenda item in board meetings. At least quarterly.
- Take out cyber insurance in addition to D&O insurance. But don't use it as an excuse to invest less in prevention.
- Ensure demonstrable compliance with the GDPR, and where applicable NIS2 and sector-specific regulations.
- Preserve documentation. Minutes, reports, decisions, training records. If it ever comes to a lawsuit, paperwork is your best friend. Good logging and monitoring are indispensable here: technical log files serve as evidence that measures were actually implemented and that incidents were detected in a timely manner, provided the logs are retained long enough and protected against tampering.
The golden rule: If you cannot demonstrate that you did it, you didn't do it. Documentation is not bureaucracy -- it is your proof of diligence.
The costs of negligence
Directors weigh costs and benefits. Here is the trade-off in perspective.
| Investment in prevention | Costs of negligence |
|---|---|
| Annual penetration test: 10,000 -- 50,000 euros | Average data breach damage in the Netherlands: 4.5 million euros |
| CISO (part-time/external): 30,000 -- 80,000 euros/year | GDPR fine DPA: up to 20 million euros or 4% of global revenue, whichever is higher |
| Security awareness training: 5,000 -- 20,000 euros/year | NIS2 fine: up to 10 million euros or 2% of global revenue for essential entities (7 million euros or 1.4% for important entities), whichever is higher |
| Incident response plan: 5,000 -- 15,000 euros (one-time) | Reputational damage: incalculable |
| Cyber insurance: 5,000 -- 30,000 euros/year | Personal liability: no upper limit |
The math is simple. Investing in security is cheaper than the consequences of negligence. And the personal financial consequences for directors can be far-reaching -- D&O insurance or not.
Summary
Director liability for cybersecurity is no longer a theoretical risk. The legislation is in place, enforcement is becoming stricter, and case law is developing rapidly.
Three things to remember:
- Ignorance does not protect you. You don't need to be an expert, but you do need to demonstrate that you take the risks seriously.
- NIS2 makes it personal. The board must approve measures, oversee compliance, and be trained itself.
- Documentation is your shield. Minutes, reports, decisions -- record that you acted.
Remember: A director who says "the IT department handled that" has no defense. The law says the board is responsible. The only question is whether you also lived up to that.
Do this this month
Limiting liability starts with investing in the right measures. But how much is enough, and where do you spend the budget most effectively? In the next chapter, Security budget and investing, you will read how to build a well-founded security budget, prioritize, and present it to the board.
Further reading in the knowledge base
These articles in the portal provide more background and practical context:
- Compliance -- following rules without losing your mind
- Incident Response -- when things go wrong
- Supply chain attacks -- the weakest link problem
- "Are we a target?"
- Ransomware -- digital kidnapping for beginners and advanced users