CEO Unaware of Personal Liability for Cybersecurity

Too many companies continue to fall short on cybersecurity. European policy is tightening requirements significantly. Individual executives will feel the impact, warns the Cyber Security Council. Company executives are insufficiently aware of the risks they face next year. European regulations taking effect will make them explicitly responsible for their organization's cyber policy. They can be held personally liable if they fail to fulfill this duty — and in extreme cases, temporarily removed from their position.

Mason Pete Cybersecurity NIS2

This warning comes from the Cyber Security Council (CSR), which advises the government on digital security. Until now, executives often delegated cyber policy to IT departments, limiting their role to approving budgets. Under the new European rules — applicable to a large number of companies and currently being transposed into Dutch law — they must do more.

The CSR observes that many companies have not realized this. Executives must approve measures against cyber risks and oversee their implementation. They must also help ensure cybersecurity at their direct suppliers.

Warnings and fines. Attorney and professor Lokke Moerel, a council member, calls the rules revolutionary. Negligence will more quickly constitute a serious personal reproach, putting personal liability on the table — extending even to supervisory board members. Non-compliant companies first face warnings and fines up to 2% of annual turnover. If improvement doesn't follow, individual executives face personal consequences.

Supply chains. A weak link at a small supplier can expose the entire chain. The new rules force large companies to take more responsibility for the security of their suppliers. An estimated 60% of larger companies, but only 30% of smaller ones, are aware of cyber risks. A Cisco survey found just 3% of all companies are prepared for current cyber threats.

Implementation. In the Netherlands, the rules take effect in 2025. The content is largely known and unlikely to change. Around 10,000 companies will be affected, up from roughly 1,000 today. Sectors like food production will fall under a cybersecurity regulator for the first time.

The threat landscape. Ransomware can halt operations; geopolitical tensions are escalating digital threats. Attack volumes are increasing, partly driven by AI. Cyber incidents rank in the top three of business risks. A cyberattack on logistics provider DP World in Australia paralyzed major ports — 30,000 containers couldn't be processed.

Who's affected. The rules apply to all companies in specified sectors with at least 50 employees and €10M+ revenue. Companies must determine for themselves whether the obligations apply to them. Employer organization VNO-NCW hopes regulators initially focus on learning rather than immediate fines.
