NIS2 Executive Liability: Why Email Security Is Now a C-Level Matter

Since December 6, 2025, a new era of cybersecurity has been in effect in Germany. Under the NIS2 Implementation Act, management is for the first time personally liable for the implementation of cybersecurity measures. Email security is at the very top of the agenda – because over 90% of all cyberattacks begin with an email.

§38 BSIG: Personal Liability of Management

The revised BSI Act is unambiguous on this point:

Management must approve the risk management measures under §30 and oversee their implementation. If management fails to fulfill this duty, it is personally liable.

This specifically means:

• Approval: Management must be aware of the measures and formally approve them
• Oversight: It is not sufficient to simply task the IT department – implementation must be demonstrably monitored
• Personal liability: In case of breach of duty, executives are liable with their personal assets

What Happens in the Event of an Email Security Incident?

Consider the following scenario: An employee opens a phishing email, ransomware encrypts critical systems, and customer data is exfiltrated.

Without NIS2-compliant measures, the consequences include:

1. Reporting obligation: 24-hour early warning to the BSI, 72 hours for the full report
2. Fine: Up to EUR 10 million or 2% of global annual revenue
3. Personal liability: Management is held accountable
4. Reputational damage: Public disclosure of the incident

The Fine Structure Under NIS2

Calculation basis is whichever amount is higher. For a company with EUR 600 million in revenue, this could amount to up to EUR 12 million in fines.

The Most Common Email Risks for Executives

1. Business Email Compromise (BEC)

Attackers impersonate the CEO or CFO and authorize wire transfers. Average damage: EUR 130,000 per incident.

2. Phishing & Spear Phishing

Targeted fraudulent emails with malware attachments or credential harvesting links. AI is making these attacks harder to detect than ever in 2026.