NIS2 Art.32(7) CEO Personal Liability: Management Accountability in Germany, Netherlands, and Austria (2026)
Most developers and technical teams encounter NIS2 as a list of security measures — encryption, MFA, incident reporting. What rarely surfaces in technical documentation is that NIS2 contains a personal liability mechanism directed at CEOs, board members, and legal representatives: Article 32(7).
Under Art.32(7), competent authorities can temporarily prohibit a named individual — the CEO, CISO, or legal representative — from exercising managerial functions at an essential entity. Not the company. The person. This transforms NIS2 from a corporate compliance requirement into a personal professional risk.
The mechanism activates when an essential entity breaches NIS2 following violations of Art.21 (security measures) or Art.23 (incident reporting). With NCA supervisory cycles ramping up from June 2026 onward, and German, Dutch, and Austrian national transpositions now in force, management teams at essential entities face a materially different risk environment in 2026 than in 2024.
This guide covers the Art.32(7) statutory framework, how Germany, the Netherlands, and Austria implement personal management liability, what this means for board governance and D&O insurance, and a Python implementation to assess your organisation's exposure.
1. NIS2 Art.32(7): The Statutory Framework
The Full Text
Article 32(7) of Directive 2022/2555 reads:
"Member States shall ensure that, in the event of a breach of this Directive resulting from a violation of Article 21 or 23 by an essential entity, the competent authorities may, without prejudice to the procedures and safeguards provided for in national law, temporarily prohibit any natural person who is responsible for discharging management-level responsibilities within that entity, or who acts as a legal representative of that entity, from exercising managerial functions in that entity."
This provision has several critical structural features:
Scope: Essential entities only. Important entities fall under Art.33, which does not include Art.32(7)'s personal management prohibition.
Trigger conditions: The prohibition requires both a breach of NIS2 and that the breach resulted from a violation of:
- Art.21 — cybersecurity risk management measures (the 10 mandatory controls)
- Art.23 — significant incident reporting (24h/72h/1-month timelines)
A single violation may be sufficient. The text says "violation" without requiring repeated breaches (unlike some national transpositions that require demonstrated pattern).
Persons covered: Two categories:
- Natural persons responsible for discharging management-level responsibilities — this typically captures the CEO, COO, CISO, and potentially the CTO
- Natural persons who act as legal representative — in most EU jurisdictions, this is the managing director or statutory representative
Temporary duration: The Directive specifies "temporarily" but does not define a maximum period. National law sets the duration — and member states vary significantly here.
Procedure: The prohibition is "without prejudice to procedures and safeguards provided for in national law." This means national administrative procedure law applies — due process, right to be heard, appeal rights. It is not a criminal sanction in most jurisdictions.
Art.32(7) in the NIS2 Enforcement Architecture
Art.32(7) sits at the apex of a graduated enforcement ladder for essential entities:
| Measure | Article | Target |
|---|---|---|
| Binding instructions | Art.32(4)(a) | The entity |
| Binding security audit results | Art.32(4)(b) | The entity |
| Order to notify affected persons | Art.32(4)(c) | The entity |
| Administrative fine up to €10M or 2% turnover | Art.32(4)(i) | The entity |
| Temporary management prohibition | Art.32(7) | Named individuals |
| Public notification of violations | Art.32(4)(j) | The entity |
Art.32(7) is the only measure in NIS2 that pierces the corporate veil and imposes obligations on natural persons rather than legal entities. This distinguishes it from the €10M/2% fine, which falls on the organisation.
2. Germany: BSI-Gesetz 2024 and the NIS2 Umsetzungsgesetz
Germany transposed NIS2 through the NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG), amending the BSI-Gesetz (BSIG). The German transposition is notable for extending personal management liability beyond the minimum required by the Directive.
Personal Accountability Under German Law
The German NIS2 transposition introduces §38 BSIG n.F. (Management-Verantwortung), which requires:
- Management body approval of cybersecurity risk management measures — these cannot be delegated out of the board entirely
- Mandatory cybersecurity training for management body members
- Personal liability exposure if the management body fails to approve, monitor, and enforce Art.21 measures
Under the German transposition, management members can face:
- Individual fines separate from fines on the entity
- Administrative prohibition from exercising management functions under Art.32(7)
- Liability for damages to the entity under general German corporate law (GmbH-Gesetz §43, AktG §93) if cybersecurity failures result in harm
BSI Supervisory Powers in Germany
The Bundesamt für Sicherheit in der Informationstechnik (BSI) is Germany's primary NCA for NIS2. Under the NIS2UmsuCG, the BSI can:
- Order on-site inspections of essential entities without incident triggers
- Issue binding instructions to management bodies (not just the entity)
- Temporarily prohibit named management persons under the Art.32(7) transposition
- Publish the names of persons subject to management prohibitions (public accountability)
The BSI's enforcement calendar is material: German NCAs have publicly committed to ramping supervisory activities from H1 2026, with the first proactive Art.32-style audits beginning in the June 2026 cycle.
Fine Structure for Management Persons
Under the German NIS2 transposition, personal fines applicable to management body members include:
- Failure to ensure Art.21 security measures are in place: up to €100,000 per named person
- Failure to undergo mandatory cybersecurity training: administrative infraction
- Obstruction of NCA supervisory activities: up to €500,000
These personal fines are in addition to entity-level fines (up to €10M or 2% global turnover for essential entities).
3. Netherlands: Wbni and Management Board Accountability
The Netherlands implemented NIS2 through revision of the Wet beveiliging netwerk- en informatiesystemen (Wbni), bringing Dutch law into full NIS2 alignment. The Dutch approach focuses heavily on bestuurdersaansprakelijkheid (board liability) and supervisory authority powers.
Rijksinspectie Digitale Infrastructuur (RDI)
The Rijksinspectie Digitale Infrastructuur (RDI) — formerly OPTA's enforcement successor — serves as the primary NIS2 NCA for most essential entity sectors in the Netherlands, with sector-specific authorities for financial services (DNB, AFM) and healthcare (IGJ).
Dutch NIS2 enforcement includes:
Bestuurderverbod (management prohibition): The Wbni transposition explicitly includes the Art.32(7) prohibition mechanism. The RDI can apply to Dutch courts to prohibit named persons from serving in management roles at NIS2-covered entities for a defined period.
Duration: Dutch law sets a maximum prohibition period of two years for a first violation, extendable for repeat violations.
Scope extension: The Dutch transposition extends management accountability to supervisory board members (Raad van Commissarissen) in certain circumstances — going beyond the minimum required by Art.32(7).
Dutch Certification Expectations
The Netherlands has introduced supervisory guidance indicating that:
- Management body members at essential entities should demonstrate "adequate understanding" of cybersecurity risks
- Formal training records are expected during NCA audits (similar to DORA Art.5)
- The RDI has indicated it will assess management competence during Art.32-style supervisory visits in 2026
Fine Levels in the Netherlands
Under the Dutch NIS2 transposition:
- Entity-level fines for essential entities: up to €10M or 2% global annual turnover (whichever is higher)
- Management prohibition: non-financial but professional-level impact
- Personal fines against board members for deliberate obstruction: up to €300,000
4. Austria: NIS-Gesetz 2024 and Persönliche Zertifizierung
Austria's NIS2 transposition — the NIS-Gesetz 2024 (NISG 2024) — introduces one of the most distinctive management accountability mechanisms in the EU: a personal certification expectation for CEOs and legal representatives of essential entities.
Bundesamt für Sicherheit im Behördenbereich (BSA)
The Bundesamt für Sicherheit im Behördenbereich (BSA) — part of the Federal Chancellery — serves as Austria's NIS2 supervisory authority for most essential entity sectors.
Austrian Management Accountability Framework
Under the NISG 2024:
Art.32(7) transposition: Austria implements the management prohibition mechanism. Named persons responsible for management functions at essential entities can be temporarily prohibited from those roles following violations of security or incident reporting obligations.
Persönliche Verantwortung: The Austrian transposition introduces a concept of personal responsibility for the legal representative — the Geschäftsführer (GmbH managing director) or Vorstand (AG board member) who is the statutory representative. This person is explicitly named in the entity's NIS2 registration and bears direct accountability to the BSA.
Cybersicherheitsschulung: Austrian law requires management body members to complete cybersecurity training. The BSA can verify training completion during supervisory visits. Failure to complete training constitutes a separate administrative infraction.
Prohibition duration: Austria sets the management prohibition at up to 18 months for an initial violation, with extensions possible for repeat violations.
Austrian-Specific Requirements
Austria's NISG 2024 introduces several requirements that go beyond the NIS2 minimum:
- Named statutory representative in NIS2 registration — the BSA registry requires explicit identification of the natural person legally responsible
- Annual management review — management bodies must document an annual review of cybersecurity risk management measures
- Board-approved cybersecurity policy — required as documentary evidence during BSA audits
5. Three-Country Comparison
| Dimension | Germany (BSI) | Netherlands (RDI) | Austria (BSA) |
|---|---|---|---|
| NCA primary | BSI | RDI + sector NCAs | BSA |
| Art.32(7) mechanism | Yes | Yes (via court) | Yes |
| Prohibition max duration | Not specified in law | 2 years (extendable) | 18 months (extendable) |
| Personal fines | Up to €500k (obstruction) | Up to €300k | Up to €500k |
| Training mandatory | Yes (§38 BSIG) | Yes (supervisory guidance) | Yes (NISG 2024) |
| Board certification | No formal cert | Adequacy assessment | Training documentation |
| Named representative | Entity level | Entity level | Explicit in NIS2 registry |
| D&O insurance relevance | High | High | High |
| Supervisory cycle start | June 2026 | H1 2026 | H1 2026 |
6. What "Management-Level Responsibility" Means in Practice
The Art.32(7) trigger — "responsible for discharging management-level responsibilities" — creates scope uncertainty that national law and supervisory guidance must resolve.
Who Is Typically in Scope
Based on transposition guidance across DE/NL/AT and analogous DORA Art.5 interpretations:
Clearly in scope:
- CEO (Geschäftsführer in Germany and Austria, Directeur-Generaal in the Netherlands)
- Legal/statutory representative named in company registry
- CISO if the CISO holds a board-level or C-suite appointment
- COO with explicit accountability for ICT operations
Likely in scope (jurisdiction-dependent):
- CTO with explicit board-level mandate for cybersecurity
- Managing directors with specific IT/security portfolio
- Chief Risk Officer with cybersecurity oversight responsibility
Generally outside scope:
- Technical leads and engineers without board/executive mandate
- Employees who implement security controls without management authority
- Non-executive supervisory board members (except Netherlands extension)
- External advisors and consultants
The CISO Question
One of the most practically significant interpretive questions is whether a CISO is "responsible for discharging management-level responsibilities" under Art.32(7). The answer depends on:
- Position in corporate hierarchy: A CISO who reports directly to the CEO with board-level appointment is more likely in scope than one reporting to the CTO at VP level
- Statutory authority: Does the CISO have authority to approve cybersecurity budgets, policies, and incident response actions?
- National transposition text: German and Austrian law focus on the "Geschäftsführer" (managing director) concept; Dutch law extends to supervisory board members
Practical implication: In 2026, many essential entities are restructuring CISO roles to ensure Art.32(7) exposure is limited to the minimum number of named individuals, while ensuring adequate accountability remains in place.
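To make the scope tiers above operational, here is an added example (not the post's own code) that sorts each member of a constructed management team into the clearly / likely / outside tiers per jurisdiction, including the Dutch supervisory-board extension and the CISO reporting-line question. Treating a CISO who reports to the CEO without a board seat, and a COO without a written ICT mandate, as "likely" rather than "clearly" in scope is an assumption of this example, not something the page or a transposition text states.

```python
"""Art.32(7) scope classifier (added example; not the post's own code)."""
from dataclasses import dataclass
from enum import Enum


class Jurisdiction(Enum):
    DE = "DE"
    NL = "NL"
    AT = "AT"


class ScopeTier(Enum):
    CLEAR = "clearly in scope"
    LIKELY = "likely in scope (jurisdiction-dependent)"
    OUT = "generally outside scope"


@dataclass(frozen=True)
class Person:
    name: str
    title: str                          # ceo, ciso, coo, cto, cro, md, supervisory_board, engineer, consultant
    statutory_representative: bool = False
    board_level: bool = False           # board-level or C-suite appointment
    reports_to: str = ""                # title of the line manager, e.g. "ceo" or "cto"
    cyber_mandate: bool = False         # written accountability for ICT / cybersecurity


def classify(p: Person, j: Jurisdiction) -> tuple[ScopeTier, str]:
    """Return the Art.32(7) tier for one person and the rule that decided it."""
    if p.statutory_representative:
        return ScopeTier.CLEAR, "legal/statutory representative (second limb of Art.32(7))"
    t = p.title
    if t == "ceo":
        return ScopeTier.CLEAR, "CEO discharges management-level responsibilities"
    if t == "ciso":
        if p.board_level:
            return ScopeTier.CLEAR, "CISO holds a board-level or C-suite appointment"
        if p.reports_to == "ceo":
            # Assumption: a direct CEO reporting line without a board seat is 'likely', not 'clearly'
            return ScopeTier.LIKELY, "CISO reports directly to the CEO without a board seat"
        return ScopeTier.OUT, f"CISO below executive level (reports to {p.reports_to or 'n/a'})"
    if t == "coo":
        if p.cyber_mandate:
            return ScopeTier.CLEAR, "COO with explicit accountability for ICT operations"
        return ScopeTier.LIKELY, "COO without a written ICT mandate (assumption: likely)"
    if t == "cto":
        if p.board_level and p.cyber_mandate:
            return ScopeTier.LIKELY, "CTO with board-level cybersecurity mandate"
        return ScopeTier.OUT, "CTO without board-level cybersecurity mandate"
    if t in ("md", "cro"):
        if p.cyber_mandate:
            return ScopeTier.LIKELY, f"{t.upper()} with IT/security portfolio or cyber oversight"
        return ScopeTier.OUT, f"{t.upper()} without a cybersecurity portfolio"
    if t == "supervisory_board":
        if j is Jurisdiction.NL:
            return ScopeTier.LIKELY, "Dutch extension to the Raad van Commissarissen"
        return ScopeTier.OUT, "non-executive supervisory member; no DE/AT extension"
    return ScopeTier.OUT, "no board or executive mandate (engineer, adviser, consultant)"


def scope_map(team: list[Person], j: Jurisdiction) -> dict[ScopeTier, list[str]]:
    """Group the team by tier; the CLEAR list is the minimum set of named individuals."""
    out: dict[ScopeTier, list[str]] = {tier: [] for tier in ScopeTier}
    for p in team:
        tier, _ = classify(p, j)
        out[tier].append(p.name)
    return out


# Constructed sample team (names and structure invented for this example)
TEAM = [
    Person("Anna", "ceo", statutory_representative=True),
    Person("Ben", "ciso", reports_to="cto"),
    Person("Carla", "ciso", board_level=True, reports_to="ceo"),
    Person("Dirk", "supervisory_board"),
    Person("Eva", "engineer"),
    Person("Frank", "cto", board_level=True, cyber_mandate=True),
]

if __name__ == "__main__":
    for j in Jurisdiction:
        m = scope_map(TEAM, j)
        print(j.value, {tier.name: names for tier, names in m.items()})
```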
7. Practical Implications for Essential Entities
D&O Insurance Coverage Review
Art.32(7) creates new personal liability exposure that standard Directors & Officers (D&O) insurance may not cover:
- Administrative prohibition: D&O typically covers financial losses from wrongful acts, not income loss during a regulatory prohibition period
- Personal fines: Many D&O policies exclude regulatory fines — especially "deliberate misconduct" carveouts that may apply to NIS2 violations
- Defence costs: D&O policies typically cover legal defence costs during regulatory proceedings — this is the most reliable coverage area
Action required: Essential entity boards should request a specific NIS2 Art.32(7) coverage review from their D&O insurer before June 2026.
Corporate Governance Changes
Essential entities responding to Art.32(7) risk are implementing:
- Formal cybersecurity board agenda item — quarterly review of Art.21 compliance status with documented minutes
- Written cybersecurity policy approved by the management body, with annual refresh
- Training records for all management body members (certificates, dates, providers)
- Clear RACI for cybersecurity — named accountability without unnecessary expansion of Art.32(7) exposure
- Incident escalation protocol ensuring management is notified within Art.23 deadlines (so they cannot claim ignorance of reporting obligations)
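As an added example (not from the original post), the following tracks the Art.23 clocks behind that escalation protocol: the 24h early warning and 72h notification run from the moment of awareness, and the final report is due one month after the 72h notification is actually submitted, with calendar-month arithmetic that clips 31 January to 28 February. The 12-hour internal management-escalation rule is a constructed assumption, and naive timestamps are refused because a 24h window is ambiguous without a zone.

```python
"""Art.23 deadline tracker (added example; not the post's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar

# Constructed assumption for this example: internal rule that the management body is
# briefed within 12 hours of awareness, well inside the 24h early-warning window.
MANAGEMENT_ESCALATION = timedelta(hours=12)


def add_one_month(dt: datetime) -> datetime:
    """Calendar-month addition; the day is clipped to the target month's last day."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def _aware(dt: datetime) -> datetime:
    """Reject naive timestamps: a 24h window is ambiguous without a zone."""
    if dt.tzinfo is None or dt.tzinfo.utcoffset(dt) is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt


@dataclass(frozen=True)
class IncidentTimeline:
    awareness: datetime                             # entity became aware of the significant incident
    management_notified: Optional[datetime] = None  # internal escalation to the management body
    early_warning_sent: Optional[datetime] = None   # Art.23(4)(a): within 24h of awareness
    notification_sent: Optional[datetime] = None    # Art.23(4)(b): within 72h of awareness
    final_report_sent: Optional[datetime] = None    # Art.23(4)(d): one month after (b) is submitted


def deadlines(tl: IncidentTimeline) -> dict[str, datetime]:
    """Compute the due time of every milestone from the awareness timestamp."""
    aw = _aware(tl.awareness)
    due_72h = aw + timedelta(hours=72)
    # The one-month clock starts when the 72h notification is actually submitted;
    # until then, the latest lawful submission time gives the earliest possible deadline.
    clock_start = _aware(tl.notification_sent) if tl.notification_sent else due_72h
    return {
        "management_notified": aw + MANAGEMENT_ESCALATION,
        "early_warning": aw + timedelta(hours=24),
        "notification_72h": due_72h,
        "final_report": add_one_month(clock_start),
    }


def evaluate(tl: IncidentTimeline, now: datetime) -> dict[str, str]:
    """Status per milestone: 'on time', 'late by ...', 'overdue by ...' or 'pending'."""
    now = _aware(now)
    sent = {
        "management_notified": tl.management_notified,
        "early_warning": tl.early_warning_sent,
        "notification_72h": tl.notification_sent,
        "final_report": tl.final_report_sent,
    }
    status: dict[str, str] = {}
    for name, due in deadlines(tl).items():
        ts = sent[name]
        if ts is not None:
            ts = _aware(ts)
            status[name] = "on time" if ts <= due else f"late by {ts - due}"
        else:
            status[name] = f"overdue by {now - due}" if now > due else "pending"
    return status


if __name__ == "__main__":
    cet = timezone(timedelta(hours=1))
    # Constructed incident: awareness on 31 January, so the final-report clock
    # crosses a month boundary; the 24h early warning went out two hours late.
    tl = IncidentTimeline(
        awareness=datetime(2026, 1, 31, 10, 0, tzinfo=cet),
        management_notified=datetime(2026, 1, 31, 15, 0, tzinfo=cet),
        early_warning_sent=datetime(2026, 2, 1, 12, 0, tzinfo=cet),
        notification_sent=datetime(2026, 2, 2, 9, 0, tzinfo=cet),
    )
    for k, v in evaluate(tl, now=datetime(2026, 2, 10, tzinfo=cet)).items():
        print(f"{k:22s} {v}")
```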
The June 2026 Timeline
The supervisory cycle creates a specific time pressure:
- Now (April 2026): NCAs finalizing supervisory playbooks and essential entity registries
- Q2 2026 (April–June): First proactive notification letters to essential entities expected in DE/NL/AT
- June 2026: First on-site inspection waves expected; BSI Germany has confirmed H1 2026 Art.32 activation
- September 2026: CRA Art.16 vulnerability reporting deadline creates additional pressure point
For management teams at essential entities, June 2026 is effectively the hard deadline for Art.21 evidence packages and Art.23 runbooks to be board-approved and documented.
8. Python NIS2ManagementLiabilityAssessor
This implementation models the Art.32(7) exposure analysis for an essential entity's management structure.
```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class EntityType(Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    NOT_COVERED = "not_covered"


class JurisdictionCountry(Enum):
    GERMANY = "DE"
    NETHERLANDS = "NL"
    AUSTRIA = "AT"
    OTHER_EU = "other_eu"


class ManagementRole(Enum):
    CEO = "ceo"
    LEGAL_REPRESENTATIVE = "legal_representative"
    CISO_BOARD_LEVEL = "ciso_board_level"
    COO = "coo"
    CTO_BOARD = "cto_board"
    OTHER_C_SUITE = "other_c_suite"
    NON_EXECUTIVE = "non_executive"


@dataclass
class ManagementPerson:
    name: str
    role: ManagementRole
    is_statutory_representative: bool = False
    has_explicit_cybersecurity_mandate: bool = False
    training_completed: bool = False
    training_date: Optional[str] = None


@dataclass
class Art21ComplianceStatus:
    """One flag per Art.21(2) measure; True means documented, board-approved evidence exists."""
    risk_analysis_documented: bool = False
    incident_handling_runbook: bool = False
    bcp_dr_board_approved: bool = False
    supply_chain_assessment: bool = False
    secure_sdlc_policy: bool = False
    effectiveness_assessment_annual: bool = False
    cyber_hygiene_training_employees: bool = False
    cryptography_policy: bool = False
    access_control_mfa: bool = False
    mfa_implemented: bool = False

    def compliance_score(self) -> float:
        fields = [
            self.risk_analysis_documented,
            self.incident_handling_runbook,
            self.bcp_dr_board_approved,
            self.supply_chain_assessment,
            self.secure_sdlc_policy,
            self.effectiveness_assessment_annual,
            self.cyber_hygiene_training_employees,
            self.cryptography_policy,
            self.access_control_mfa,
            self.mfa_implemented,
        ]
        return sum(1 for f in fields if f) / len(fields)

    def gap_count(self) -> int:
        # round() rather than int(): 0.7 * 10 is 7.000000000000001 in float arithmetic
        return 10 - round(self.compliance_score() * 10)


@dataclass
class Art23ComplianceStatus:
    """Process evidence for the Art.23 reporting chain (24h / 72h / 1 month)."""
    early_warning_process_24h: bool = False
    intermediate_report_process_72h: bool = False
    final_report_process_1month: bool = False
    nca_contact_registered: bool = False
    incident_classification_criteria: bool = False
    awareness_timestamp_tracking: bool = False

    def compliance_score(self) -> float:
        fields = [
            self.early_warning_process_24h,
            self.intermediate_report_process_72h,
            self.final_report_process_1month,
            self.nca_contact_registered,
            self.incident_classification_criteria,
            self.awareness_timestamp_tracking,
        ]
        return sum(1 for f in fields if f) / len(fields)


@dataclass
class NIS2ManagementLiabilityReport:
    entity_type: EntityType
    jurisdiction: JurisdictionCountry
    art32_7_applicable: bool
    persons_in_scope: list[str]
    art21_score: float
    art23_score: float
    overall_liability_risk: str  # LOW / MEDIUM / HIGH / CRITICAL
    jurisdiction_specifics: dict
    immediate_actions: list[str]
    board_actions_30_days: list[str]
    board_actions_90_days: list[str]


class NIS2ManagementLiabilityAssessor:
    JURISDICTION_SPECIFICS = {
        JurisdictionCountry.GERMANY: {
            "nca": "BSI (Bundesamt für Sicherheit in der Informationstechnik)",
            "nca_url": "https://www.bsi.bund.de",
            "transposition_law": "NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG)",
            "personal_fine_max": "€500,000 (obstruction) / €100,000 (Art.21 failure)",
            "prohibition_duration": "Not specified in law — NCA discretion",
            "training_mandatory": True,
            "named_representative_required": True,
            "supervisory_cycle_start": "June 2026",
            "specific_risk": "BSI publishes named violations; D&O exposure highest in DE",
        },
        JurisdictionCountry.NETHERLANDS: {
            "nca": "RDI (Rijksinspectie Digitale Infrastructuur) + sector NCAs",
            "nca_url": "https://www.rdi.nl",
            "transposition_law": "Wet beveiliging netwerk- en informatiesystemen (Wbni) 2024",
            "personal_fine_max": "€300,000 (deliberate obstruction)",
            "prohibition_duration": "Up to 2 years (court-ordered, extendable)",
            "training_mandatory": True,
            "named_representative_required": True,
            "supervisory_cycle_start": "H1 2026",
            "specific_risk": "Supervisory board members may also be in scope (NL extension beyond NIS2 minimum)",
        },
        JurisdictionCountry.AUSTRIA: {
            "nca": "BSA (Bundesamt für Sicherheit im Behördenbereich)",
            "nca_url": "https://www.bsa.gv.at",
            "transposition_law": "NIS-Gesetz 2024 (NISG 2024)",
            "personal_fine_max": "€500,000",
            "prohibition_duration": "Up to 18 months (extendable for repeat violations)",
            "training_mandatory": True,
            "named_representative_required": True,  # Explicit in NIS2 registry
            "supervisory_cycle_start": "H1 2026",
            "specific_risk": "Statutory representative named in BSA registry — direct accountability link",
        },
    }

    # Roles treated as "responsible for discharging management-level responsibilities"
    ROLES_IN_SCOPE = {
        ManagementRole.CEO,
        ManagementRole.LEGAL_REPRESENTATIVE,
        ManagementRole.CISO_BOARD_LEVEL,
        ManagementRole.COO,
        ManagementRole.CTO_BOARD,
    }

    def _in_scope(self, person: ManagementPerson) -> bool:
        """Art.32(7) covers in-scope roles and, separately, any statutory representative."""
        return person.role in self.ROLES_IN_SCOPE or person.is_statutory_representative

    def assess(
        self,
        entity_type: EntityType,
        jurisdiction: JurisdictionCountry,
        management_team: list[ManagementPerson],
        art21_status: Art21ComplianceStatus,
        art23_status: Art23ComplianceStatus,
    ) -> NIS2ManagementLiabilityReport:
        # Art.32(7) only applies to essential entities
        art32_7_applicable = entity_type == EntityType.ESSENTIAL

        # Identify persons in scope for Art.32(7)
        persons_in_scope = [
            f"{person.name} ({person.role.value})"
            for person in management_team
            if self._in_scope(person)
        ]

        art21_score = art21_status.compliance_score()
        art23_score = art23_status.compliance_score()

        # Overall liability risk: both scores must clear a threshold for LOW / MEDIUM,
        # either score above 0.5 keeps the rating at HIGH, anything below is CRITICAL
        if not art32_7_applicable:
            overall_risk = "LOW"  # Important entities not subject to Art.32(7)
        elif art21_score >= 0.9 and art23_score >= 0.9:
            overall_risk = "LOW"
        elif art21_score >= 0.7 and art23_score >= 0.7:
            overall_risk = "MEDIUM"
        elif art21_score >= 0.5 or art23_score >= 0.5:
            overall_risk = "HIGH"
        else:
            overall_risk = "CRITICAL"

        jurisdiction_specifics = self.JURISDICTION_SPECIFICS.get(
            jurisdiction,
            {"note": "Jurisdiction-specific details not available — consult local NIS2 transposition"},
        )

        immediate_actions = self._immediate_actions(art21_status, art23_status, management_team, jurisdiction)
        board_actions_30 = self._board_actions_30_days(art21_status, art23_status, jurisdiction)
        board_actions_90 = self._board_actions_90_days(art21_status)

        return NIS2ManagementLiabilityReport(
            entity_type=entity_type,
            jurisdiction=jurisdiction,
            art32_7_applicable=art32_7_applicable,
            persons_in_scope=persons_in_scope,
            art21_score=art21_score,
            art23_score=art23_score,
            overall_liability_risk=overall_risk,
            jurisdiction_specifics=jurisdiction_specifics,
            immediate_actions=immediate_actions,
            board_actions_30_days=board_actions_30,
            board_actions_90_days=board_actions_90,
        )

    def _immediate_actions(
        self,
        art21: Art21ComplianceStatus,
        art23: Art23ComplianceStatus,
        team: list[ManagementPerson],
        jurisdiction: JurisdictionCountry,
    ) -> list[str]:
        actions = []
        if not art23.nca_contact_registered:
            actions.append("Register NCA contact details — immediate (pre-condition for Art.23 compliance)")
        if not art23.early_warning_process_24h:
            actions.append("Implement 24h early warning process — Art.23 required, cannot wait")
        # Same scope test as persons_in_scope, so an untrained statutory representative is not missed
        untrained = [p.name for p in team if not p.training_completed and self._in_scope(p)]
        if untrained:
            actions.append(f"Schedule cybersecurity training for: {', '.join(untrained)} — required by national law")
        if jurisdiction == JurisdictionCountry.GERMANY and not art21.risk_analysis_documented:
            actions.append("Document risk analysis — BSI §38 BSIG management accountability requires board approval")
        return actions if actions else ["No immediate actions — maintain current compliance posture"]

    def _board_actions_30_days(
        self,
        art21: Art21ComplianceStatus,
        art23: Art23ComplianceStatus,
        jurisdiction: JurisdictionCountry,
    ) -> list[str]:
        actions = []
        if not art21.bcp_dr_board_approved:
            actions.append("Table BCP/DR plan for board approval — board must formally adopt (Art.21(2)(c))")
        if not art21.risk_analysis_documented:
            actions.append("Present risk analysis to board for formal approval — documented in board minutes")
        if not art23.incident_classification_criteria:
            actions.append("Adopt incident classification criteria — board approval of significant incident thresholds")
        if not art21.supply_chain_assessment:
            actions.append("Commission supply chain security assessment — Art.21(2)(d) required")
        if jurisdiction in (JurisdictionCountry.GERMANY, JurisdictionCountry.AUSTRIA):
            actions.append("Confirm D&O insurance covers Art.32(7) regulatory proceedings — request legal review")
        return actions if actions else ["30-day actions complete — schedule quarterly review"]

    def _board_actions_90_days(self, art21: Art21ComplianceStatus) -> list[str]:
        actions = []
        if not art21.effectiveness_assessment_annual:
            actions.append("Commission annual security effectiveness assessment — Art.21(2)(f) requirement")
        if not art21.secure_sdlc_policy:
            actions.append("Implement secure development lifecycle policy — Art.21(2)(e)")
        if not art21.cryptography_policy:
            actions.append("Adopt cryptography and encryption policy — Art.21(2)(h) required")
        if not art21.mfa_implemented:
            actions.append("Deploy MFA across all privileged and remote access — Art.21(2)(j)")
        return actions if actions else ["90-day actions complete — prepare NCA audit evidence package"]

    def print_report(self, report: NIS2ManagementLiabilityReport) -> None:
        print(f"\n{'=' * 60}")
        print("NIS2 Art.32(7) Management Liability Assessment")
        print("=" * 60)
        print(f"Entity Type: {report.entity_type.value}")
        print(f"Jurisdiction: {report.jurisdiction.value}")
        print(f"Art.32(7) Applicable: {report.art32_7_applicable}")
        print("\nPersons in Scope for Art.32(7) Prohibition:")
        for person in report.persons_in_scope:
            print(f"  - {person}")
        print("\nCompliance Scores:")
        print(f"  Art.21 (Security Measures): {report.art21_score:.0%}")
        print(f"  Art.23 (Incident Reporting): {report.art23_score:.0%}")
        print(f"\nOverall Liability Risk: {report.overall_liability_risk}")
        print(f"\nJurisdiction Specifics ({report.jurisdiction.value}):")
        for k, v in report.jurisdiction_specifics.items():
            print(f"  {k}: {v}")
        print("\nImmediate Actions:")
        for action in report.immediate_actions:
            print(f"  - {action}")
        print("\n30-Day Board Actions:")
        for action in report.board_actions_30_days:
            print(f"  - {action}")
        print("\n90-Day Board Actions:")
        for action in report.board_actions_90_days:
            print(f"  - {action}")
        print(f"{'=' * 60}\n")


# Example: German essential entity with partial compliance
assessor = NIS2ManagementLiabilityAssessor()

management_team = [
    ManagementPerson(
        name="Anna Schmidt",
        role=ManagementRole.CEO,
        is_statutory_representative=True,
        has_explicit_cybersecurity_mandate=True,
        training_completed=False,  # Not yet trained — risk factor
    ),
    ManagementPerson(
        name="Peter Müller",
        role=ManagementRole.CISO_BOARD_LEVEL,
        is_statutory_representative=False,
        has_explicit_cybersecurity_mandate=True,
        training_completed=True,
        training_date="2026-02-15",
    ),
]

art21 = Art21ComplianceStatus(
    risk_analysis_documented=True,
    incident_handling_runbook=True,
    bcp_dr_board_approved=False,  # Gap
    supply_chain_assessment=False,  # Gap
    secure_sdlc_policy=True,
    effectiveness_assessment_annual=False,  # Gap
    cyber_hygiene_training_employees=True,
    cryptography_policy=True,
    access_control_mfa=True,
    mfa_implemented=True,
)

art23 = Art23ComplianceStatus(
    early_warning_process_24h=True,
    intermediate_report_process_72h=True,
    final_report_process_1month=False,  # Gap
    nca_contact_registered=True,
    incident_classification_criteria=True,
    awareness_timestamp_tracking=False,  # Gap
)

report = assessor.assess(
    entity_type=EntityType.ESSENTIAL,
    jurisdiction=JurisdictionCountry.GERMANY,
    management_team=management_team,
    art21_status=art21,
    art23_status=art23,
)
assessor.print_report(report)
```
This produces an assessment flagging Anna Schmidt (CEO, untrained) as the named individual with the highest Art.32(7) exposure, an overall risk rating of HIGH (Art.21 scores 70%, but Art.23 scores 67%, below the 70% both scores must reach for MEDIUM), and specific board actions for the June 2026 deadline.
9. 25-Item Board Checklist: NIS2 Art.32(7) Readiness
Management Accountability (Items 1–8)
- 1. Entity classification confirmed: Essential entity status documented (Annex I/II sector + size threshold or automatic qualification)
- 2. Named statutory representative identified: Person legally responsible confirmed and listed in NIS2 registration
- 3. Management scope mapping: Written list of persons in Art.32(7) scope (CEO, legal rep, board-level CISO/COO)
- 4. Art.21 responsibility assignment: Formal RACI or responsibility matrix linking each Art.21(2) measure to a named person
- 5. Cybersecurity training completed: All management body members with training certificates on file (date, provider, scope)
- 6. Board agenda item established: Cybersecurity risk management on quarterly board agenda with documented minutes
- 7. D&O insurance reviewed: Coverage confirmed (or gaps identified) for Art.32(7) proceedings and personal fines
- 8. Legal representative update: NIS2 registry/NCA notification updated if management board membership has changed
Art.21 Security Measures — Board Evidence (Items 9–16)
- 9. Risk analysis board-approved: Formal board resolution approving cybersecurity risk analysis with review date
- 10. Cybersecurity policy adopted: Written policy approved by management body, annually refreshed
- 11. BCP/DR board resolution: Business continuity and disaster recovery plan formally adopted by board
- 12. Supply chain assessment documented: Third-party ICT supplier assessment completed with board awareness
- 13. Annual penetration test commissioned: Independent security effectiveness assessment (Art.21(2)(f))
- 14. MFA deployed: Multi-factor authentication across all privileged and remote access pathways
- 15. Cryptography policy approved: Encryption standards and key management policy formally adopted
- 16. CVD policy published: Coordinated vulnerability disclosure policy in place (Art.21(2)(e))
Art.23 Incident Reporting — Board Evidence (Items 17–21)
- 17. NCA contact registered: National competent authority contact details pre-registered with team
- 18. 24h early warning process: Documented process for initial notification within 24 hours of awareness
- 19. 72h notification process: Intermediate report process documented and tested
- 20. 1-month final report process: Final report template and process in place
- 21. Incident classification criteria adopted: Documented criteria for "significant incident" determination aligned with Art.23(3)
Jurisdiction-Specific (Items 22–25)
- 22. DE only — BSI notification: BSI entity registration completed and management contact nominated
- 23. NL only — RDI notification: RDI registration completed; supervisory board liability exposure assessed
- 24. AT only — BSA registry: BSA NIS2 registry includes named statutory representative; NISG 2024 training documented
- 25. Multi-jurisdiction: If operating across DE/NL/AT, lead NCA identified under Art.32(7) for cross-border entities
10. CLOUD Act Intersection: Management Liability Meets Jurisdiction Risk
For essential entities using US-incorporated cloud providers, Art.32(7) creates an indirect risk pathway that is rarely discussed:
The chain: If a NIS2 Art.21(2)(d) supply chain audit reveals that the entity's primary cloud provider is subject to US CLOUD Act compulsion — and the NCA concludes that management failed to conduct adequate third-party risk assessment — the Art.21 gap can form the predicate breach for an Art.32(7) proceeding.
This is not theoretical. Germany's BSI has published guidance specifically identifying US-parent cloud providers as elevated supply chain risk factors under NIS2 Art.21(2)(d). An essential entity whose management body approved a US-parent cloud provider without documented jurisdiction risk assessment faces an argument that Art.21(2)(d) was violated — creating Art.32(7) exposure for the management body.
Essential entities using EU-native infrastructure — without US parent entities subject to CLOUD Act compulsion — eliminate this specific liability vector. When the supply chain audit arrives, the jurisdiction risk section reads clean.
Conclusion
NIS2 Art.32(7) is the provision that makes cybersecurity compliance a matter of personal professional risk for CEOs and legal representatives at essential entities. Germany, the Netherlands, and Austria each implement it with different fine levels, prohibition durations, and training requirements — but all three NCAs are activating supervisory cycles from H1 2026.
The path to minimizing Art.32(7) exposure is straightforward: board-approved Art.21 controls, documented Art.23 processes, trained management bodies, and clean supply chain audit trails. With June 2026 approaching, the window for "we're working on it" closes and the window for "here is our evidence package" opens.
The Python NIS2ManagementLiabilityAssessor above gives management teams a structured starting point for understanding their personal exposure before the NCA audit letter arrives.
Part of the sota.io EU Compliance Developer Series. See also: NIS2 Art.32 Proactive Supervision: Essential Entity Audit Preparation Guide · NIS2 Art.23 Incident Reporting · NIS2 Art.21 Cybersecurity Risk Management 10 Mandatory Measures · NIS2 Essential vs Important Entity Classification