NIS2Compass — NIS2-Compliance-Plattform
Guide

NIS2 Management Liability: §38 BSIG Explained

Authored by Louis Bennet, NIS2 Compliance Expert
Last updated: June 3, 2026 · 9 min read
Section symbol on a shield with scales of justice and an executive chair – symbolising personal management liability under §38 BSIG

§38 BSIG holds management personally accountable. The three duties, when personal liability applies, and how IT managers can convince the management body.

§38 BSIG holds the management body personally accountable: it must implement and monitor the NIS2 risk management measures itself, and it is personally liable with its private assets in the event of a culpable breach. Around 29,000 companies in Germany are affected. With the Pre-Check from NIS2Compass, you can assess your status in just a few minutes.

What does §38 BSIG regulate regarding management liability?

§38 BSIG is the central provision setting out the duties of the management level. The rule expressly shifts responsibility for NIS2 onto the management body itself and makes it personally accountable. It applies to essential and important entities as defined by the categories in §28 BSIG.

The provision consists of three building blocks that together form the liability logic:

  • Paragraph 1 (duty to implement): The management body must implement the risk management measures under §30 BSIG and actively monitor their implementation. This duty cannot be assigned to the IT department.
  • Paragraph 2 (liability): In the event of a culpable breach of these duties, the management body is personally liable to its own entity. This is an internal liability (toward the entity itself), meaning a claim by the company against its own managers.
  • Paragraph 3 (training obligation): The management body must attend cybersecurity training. This duty is personal and non-delegable.

In practice, this sends a clear message to the leadership level. Management cannot fall back on the argument that NIS2 is purely an IT matter. It bears ultimate legal responsibility and must demonstrably engage with the topic.

Important for the internal argument: NIS2 is not a distant prospect. The NIS2UmsuCG has been in force since 6 December 2025 and transposes the underlying EU Directive into German law. As a result, the duties under §38 BSIG already apply today, not only after a transition period.

You can find the full text in the BSIG on gesetze-im-internet.de. Anyone who, as an information security officer, wants to convince management should use §38 as leverage. NIS2Compass supports this argument with structured expertise and a clear implementation path aligned with the statutory duties.

What duties does management have under §38 BSIG?

§38 BSIG personally obligates the management body to implement, monitor, and undergo training. It must implement the risk management measures under §30 BSIG, actively monitor their implementation, and attend training regularly. By law, this responsibility cannot be fully delegated to the IT department.

§38 BSIG is addressed directly to the leadership level, not to the relevant department. The duties build on the ten minimum measures of §30 BSIG, such as risk analysis, incident handling, backups, and supply chain security.

Duty 1: Implementing the §30 measures (§38 para. 1). The management body must implement the risk management measures required under §30 BSIG. It can delegate the operational work but remains legally responsible. The underlying Art. 20 NIS2 Directive speaks of "approve and oversee." In practice, this means that management must take formal responsibility for the measures, meaning it must approve and authorize them.

Duty 2: Monitoring implementation (§38 para. 1). The final German wording is "to implement and to monitor their implementation." "IT takes care of that" is not legally sufficient. What is required is visible management commitment and documented governance processes, such as regular status reports from the information security officer to the management body.

Duty 3: Personal participation in training (§38 para. 3). The management body must attend training regularly in order to assess cyber risks and measures itself. The legislator estimates an effort of at least around half a day, that is roughly four hours every three years. This participation is personal and non-delegable.

With this, §38 BSIG shifts responsibility clearly to the top level for the first time. Which measures specifically need to be implemented is shown by the structured Implementation Guide from NIS2Compass, which walks you through all §30 duties. How the training obligation for employees and management plays out in practice is explained in our article on training as a NIS2 risk factor.

When are managing directors personally liable with their private assets?

The management body becomes personally liable with its private assets only when it culpably breaches its duties under §38 BSIG and a loss results from this. The fine under §65 BSIG, by contrast, is imposed on the company, not directly on the managing directors. The two mechanisms must be strictly kept apart.

NIS2Compass points to two separate sanction routes that are frequently confused in practice.

Fine against the company (§65 BSIG): Breaches can result in fines against the entity. For essential entities, these reach up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher. For important entities, the limit is up to EUR 7 million or 1.4% of turnover. These fines are paid by the company, not from the private assets of the management body. You can find the exact wording in §65 BSIG on gesetze-im-internet.de. A detailed assessment is provided in our article on NIS2 fines and the penalties at stake.

Personal internal liability of management (§38 para. 2 BSIG): If the management body culpably breaches its implementation and monitoring duties, it is liable to its own entity for the resulting loss. The decisive rules are the company-law provisions of the legal form, such as §43 GmbHG for managing directors or §93 AktG for management board members. This is an internal liability toward the entity itself, not a direct external liability toward third parties or the BSI.

A common misconception concerns the GmbH: The limited liability of the GmbH does not protect managing directors from this personal corporate-officer liability. It operates externally toward creditors, not in the internal relationship between the managing director and the company.

In concrete terms, liability arises when a loss occurs, for example through a security incident or a fine against the company, and management has culpably breached its §38 duties. Examples: no §30 measures initiated, no monitoring documented.

"It is not the fine itself but the internal liability under §38 para. 2 that is the real personal risk for managing directors. The best protection is seamless documentation of the approval and monitoring of the measures." — Dr. Markus Hartmann, Senior Compliance Consultant

Can managing directors delegate NIS2 responsibility?

Operational tasks can be delegated, but ultimate responsibility cannot. §38 BSIG anchors responsibility for the risk management measures with the management body. It can hand over the implementation but remains obligated to monitor. The personal training obligation under §38 para. 3 cannot be delegated at all.

Which tasks may be handed over?

The concrete implementation of the §30 measures can be delegated. Managing directors can transfer execution to the IT management, the information security officer, or external service providers. This is common and sensible in practice, since management rarely has the necessary technical depth.

Why does responsibility nevertheless remain at the top?

Delegating execution does not release management from its monitoring duty. The management body must demonstrably satisfy itself that delegated tasks are actually carried out. This includes careful selection, clear instruction, and ongoing oversight of the person tasked.

The training obligation under §38 para. 3 cannot be delegated. The management body must attend the training in person. It cannot have the IT manager trained on its behalf. This duty deliberately targets the leadership level itself.

Does this apply equally to KRITIS and smaller entities?

For KRITIS operators and essential entities, additional and stricter duties apply compared with important entities. The management responsibility under §38 BSIG, however, applies equally to both categories (§28 BSIG).

For IT managers, this offers a practical starting point. Because ultimate responsibility remains at the top, clean documentation of the delegation is in the direct interest of management: who does what, who reports when. This is precisely where you can provide concrete support and build the governance structure. The Implementation Guide from NIS2Compass walks you step by step through the responsibility and governance structure in Chapter 1, and you will find suitable templates in the Template Library.

How can IT managers convince management of NIS2?

NIS2 is not a purely IT task but a matter for top management. The lever is §38 BSIG: this provision personally obligates the management body and gives IT managers strong arguments to firmly raise implementation to the leadership level.

  • Argue with the wording of the law: §38 BSIG makes NIS2 a personal duty of the management body, not a purely IT task. The responsibility cannot be pushed onto the IT department.
  • Argue with personal liability: §38 para. 2 establishes a personal internal liability. The GmbH limited-liability protection does not shield management from this.
  • Argue with the non-delegable training obligation: §38 para. 3 requires the personal participation of the management body in training. No representation is provided for.
  • Argue with documentation as protection: Documented approval and monitoring of the §30 measures is the best evidence in a BSI audit and relieves the management body.

With the Implementation Guide (Chapter 1: Governance and management documentation) and the Template Library, NIS2Compass provides the structure to build exactly this evidence systematically. Where your company currently stands is shown by the free Pre-Check, no login required.

Practical scenario: ransomware without §38 evidence

A mid-sized mechanical engineering company with around 140 employees qualifies as an important entity and is hit by ransomware. IT had indeed implemented some of the ten §30 minimum measures, but management had never formally approved them.

There was no documented monitoring, and no member of the management body had ever attended training. When the incident is investigated, §38 compliance therefore cannot be demonstrated.

The consequences are significant. The company risks a fine under §65 BSIG of up to EUR 7 million or 1.4 percent of annual turnover. At the same time, management faces the personal risk of internal liability under §38 para. 2.

The lesson: had the IT manager arranged early on for approval and monitoring to be documented, management would have been considerably better protected. A comparison of the two approaches is provided in the article implementing NIS2 with a consultant or on your own.

Frequently Asked Questions

Does §38 BSIG also apply to GmbH managing directors?

Yes, §38 BSIG applies regardless of the legal form. The provision binds the management body of every affected essential and important entity. For GmbH managing directors, the liability under §38 para. 2 refers to the company-law rules, namely §43 GmbHG.

The GmbH limited-liability protection does not shield against this personal corporate-officer liability in the internal relationship.

Is management liable with its private assets?

That is possible. Fines under §65 BSIG initially affect the company. The personal financial liability of management, by contrast, arises from §38 para. 2 BSIG: an internal liability toward the entity itself in the event of a culpable breach of duty. This internal liability can affect the private assets of the management body.

What happens if the management training is missing?

The training obligation under §38 para. 3 is binding and personal. If evidence of regular participation is missing, this is a breach of duty that can establish liability in the event of a loss and is noted negatively in a BSI audit.

The effort remains manageable: the legislator estimates around half a day every three years.

Can management delegate NIS2 liability?

No, ultimate responsibility remains with the management body. Operational tasks can be delegated to IT or the information security officer, but the monitoring duty and the personal training obligation under §38 para. 3 cannot.

Delegation does not release management from its responsibility under §38 BSIG.

How can management protect itself?

The best protection is seamless documentation. Demonstrable approval of the §30 measures, documented monitoring (e.g. status reports from the information security officer), and training records prove fulfillment of the duties under §38 BSIG.

With the Implementation Guide and ready-made templates, NIS2Compass provides the structure for this. Where you stand is shown by the Pre-Check in just a few minutes.

Sources

  • Gesetze im Internet: BSIG (§§ 28, 30, 38, 65)
  • EUR-Lex: NIS2 Directive (Directive (EU) 2022/2555), Art. 20
  • Deutscher Bundestag: Regulatory impact assessment for the NIS2UmsuCG, Drucksache 20/13184
