Even today, company management views a cybersecurity failure mainly as a risk to the business. With upcoming regulation, business leaders need to take cybersecurity seriously, as the liability and consequences are significant.
In a year’s time, the European Union’s NIS2 Directive will come into force, bringing criminal liability for negligence to the management of companies that count as critical actors in national cybersecurity.
In 2025, a set of regulations known as the CRA will come into force for services and devices connected to cyber networks.
Board members and CEOs of companies that are critical to society can therefore also face personal liability if cybersecurity is not up to scratch.
It is good that regulation is harmonizing the cybersecurity field. The concern, however, is whether companies are ready.
Read more about these topics on the following pages:
Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
EU Cyber Resilience Act (CRA)
https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act