
Among other things, the NIS 2 Decree introduced specific obligations and liabilities for members of management bodies, as well as for other natural persons involved in the decision-making process of the entity and/or having control over it. However, the impact of these rules is not entirely clear.
- Articles 23 and 38 provide direct obligations upon management bodies
Articles 23 and 38 set forth the regime applicable to individuals having representation and management powers over the in-scope entities for violations of the NIS 2 Decree. However, a combined reading of these two provisions raises some doubts as to their scope of application from multiple perspectives.
Article 23 imposes specific duties on management bodies of in-scope entities. Specifically, management bodies must approve and oversee the correct implementation of cybersecurity risk management measures and oversee compliance with the NIS 2 Decree (including the registration obligation). They must also attend, and promote attendance at, cybersecurity training sessions. Furthermore, Article 23 states that management bodies are “responsible for the violations pursuant to [the NIS 2 Decree]”.
In addition, Article 38, para. 5 provides that “any natural person who is responsible for an essential entity or acts as its legal representative, having the power to act or take decisions on its behalf or to exercise control over the same, could be held liable for non-compliance in case the entity infringes the NIS 2 Decree”.
First, it is difficult to identify the individuals who could be personally held liable under the NIS 2 Decree. In fact, while Article 38 refers to individuals who are “responsible for”, act as “legal representatives”, “act or take decisions” on the entity’s behalf or can “exercise control” over the same, Article 23 refers to “management bodies”. In other words, the concept of “natural persons” referred to under Article 38 seems to have a broader scope than the concept of “management bodies” under Article 23. This seems to be confirmed by Article 38, para 6, which provides that the National Cybersecurity Authority (“ACN”) may impose disqualifications upon “natural persons referred to in para 5 [of Article 38], including management bodies under Article 23”. Following this line of reasoning, the reference in Article 38 to “individuals that exercise control” might also be interpreted as meaning that individuals holding controlling interests in in-scope entities can be held liable under the NIS 2 Decree, even if Article 23 does not expressly impose obligations upon them.
However, ACN seems to interpret these provisions as meaning that there is no material difference between the “natural persons” mentioned in Article 38, para 5 and the “management bodies” under Article 23. In fact, both the user manual and the FAQs published by ACN state that “the natural persons to be listed under Article 7, para 4, lit. c of the NIS 2 Decree are the natural persons responsible under Article 38, para 5 of the NIS 2 Decree. In other words, these are the natural persons who are part of the management bodies […] referred to in Article 23 of the NIS 2 Decree”.
Although, as illustrated above, this seems to be in contrast with a literal interpretation of the NIS 2 Decree, given the context and considering ACN’s view, we conclude that the most likely interpretation is that the obligations under the NIS 2 Decree apply, in any event, to members of the board, legal representatives and upper management bodies.
- Can management bodies be sanctioned for the violation of their duties under Article 23?
Given that the NIS 2 Decree establishes specific responsibilities for management bodies, the question arises as to whether and how members of management bodies could be sanctioned for failing to comply with their obligations under Article 23.
The wording of the law (specifically, Article 38, para 5 of the NIS 2 Decree) leaves room for uncertainty: in fact, when setting forth the applicable sanctions, the NIS 2 Decree uses the following – unfortunate – wording: “the following infringements are sanctioned with the administrative fines under para 9 [of Article 38]: a) non-compliance with the obligations set forth under article 23 upon management bodies […].” and then: “infringements under para 8 [of Article 38] are sanctioned: a) for essential entities […], with administrative fines up to a maximum of EUR 10,000,000 or 2 % of the total annual worldwide turnover for the entity’s previous fiscal year […], b) for important entities […] with administrative fines of up to a maximum of EUR 7,000,000 or 1,4 % of the total annual worldwide turnover for the entity’s previous fiscal year […]”.
Since the wording does not refer to the subjects of the administrative fines but just mentions the articles providing duties on the management bodies, it could be argued that the fines apply directly to the members of the board of directors.
However, there are several arguments supporting the view that the pecuniary fines provided under the NIS 2 Decree should apply only to the in-scope entities, also in the case of non-compliance with the obligations placed upon the related management bodies. Clarity on the perimeter of management bodies’ liability under the NIS 2 Decree should come at a later stage of its implementation. First, Article 38, para 9 expressly refers to in-scope entities, while it does not expressly state that the fine can also be applied to management bodies.
Secondly, the NIS 2 Decree states that, in the event of non-compliance with an ACN order within the prescribed deadline, two distinct sanctions may be imposed: on the one hand, management bodies may be personally banned from holding management roles within the entity; on the other hand, a pecuniary sanction may be issued. The fact that the NIS 2 Decree makes explicit that in that case management bodies can be subject to a specific sanction supports the reading that, where the NIS 2 Decree does not say otherwise, the addressee of the sanction should only be the in-scope entity.
Lastly, the amount of the fine is calculated on the basis of the entity’s turnover. Fines calculated on the turnover of an entity, if applied against an individual, would likely be disproportionate, with the risk of being qualified as a hidden criminal sanction[2].
- Further to the sanctions provided by the NIS 2 Decree, non-compliance may trigger civil and criminal liability under the Italian framework
The NIS 2 Decree does not provide for criminal offenses or for any kind of violation from a civil law standpoint. However, the general rules on the liability of individuals (namely members of management bodies) under civil and criminal law may apply, should a violation occur.
a. Civil liability
Failure to implement appropriate technical and organizational measures in compliance with the NIS 2 Decree may expose directors and officers to civil liability for mala gestio, under Articles 2392 et seq. and 2476 of the Italian Civil Code. This liability is grounded on a breach of the duties of diligence, professional care, and oversight that govern the conduct of corporate management.
Depending on the harm caused, liability of directors may arise vis-à-vis the company, its shareholders and/or the company’s creditors based on the general rules provided by the above-mentioned Articles of the Italian Civil Code.
By way of example, the management body of a company could be held liable for damage suffered by the company due to a hacker attack or a major IT incident resulting in the disruption of services and a financial loss, if said attack or incident occurred as a consequence of not having properly monitored the implementation of the cybersecurity system.
Directors may delegate operational roles regarding the implementation of NIS 2 Decree obligations to competent professionals, such as IT managers or cybersecurity officers. However, this will not relieve them of their obligation to oversee such an implementation. Therefore, having one or more delegated functions does not release directors from their duties under the NIS 2 Decree.
b. Criminal liability
Pursuant to Italian criminal law, management bodies hold a guarantee position within the company, meaning that they (i) have the legal duty to manage the company properly and prevent harmful events, and (ii) can be held criminally liable, should an offense occur as a consequence of their failure to comply with such duty. Specific powers may also be delegated to other individuals; however, the delegation of powers does not exclude the responsibility of the directors: indeed, they are responsible for delegating to competent individuals, must supervise the delegated functions and must take measures to ensure compliance if they become aware of any unlawful situation.
In light of the above, management bodies may be held criminally liable where, due to their failure to comply with their duties under the NIS 2 Decree, a cyber incident leads to consequences that are criminally relevant.
For instance, the management body of a private healthcare clinic may be held criminally liable in case of death or injury of patients resulting from a ransomware attack blocking the medical equipment, where the incident occurred as a consequence of the failure to oversee the correct implementation of the cyber risk management system. The same could apply in case of death or injury of employees in the workplace due to a malfunction of machinery caused by a cyber incident in the central system.
c. Corporate criminal liability
The NIS 2 Decree does not mention corporate criminal liability pursuant to Legislative Decree No 231/2001 (“Law 231”). Nevertheless, this does not exclude the risk for companies of being held criminally liable when cybercrimes falling within the purview of the NIS 2 Decree (i) are committed by the company’s associates in the interest or to the benefit of the company, and (ii) the company has not adopted a suitable compliance program able to prevent or mitigate the commission of the relevant offenses (the so-called “Model 231”).
Recent case law has shown how cyberattacks can originate not only from ransomware launched by external hackers, but also from companies’ associates (employees, directors, etc.). In these cases, it cannot be excluded that a criminal investigation is also started against the company, as the Public Prosecutor may allege that the company has not adopted a suitable Model 231 able to prevent cybercrimes – e.g., where an employee unlawfully accesses the company’s system to exfiltrate sensitive data of clients and the unlawful access is not timely detected by the company, thus helping the employee to perpetrate the criminal conduct, or in case of a cyber-attack by an employee carried out so that the company unlawfully obtains the relevant insurance indemnity.
The combination of Model 231 and NIS 2 security measures would in any case be advisable: indeed, the NIS 2 Decree establishes the obligation to implement a proper cybersecurity system, including a system risk assessment, security analysis, incident management policies, supply chain security measures, etc. In this respect, the NIS 2 security measures are certainly further safeguards to be taken into consideration for Law 231 purposes in the prevention and mitigation of cybercrimes.
On the other hand, in the implementation of the NIS 2 measures, companies may certainly take into account the features of Model 231, including the conduct of a risk assessment / gap analysis and the cooperation – in terms of exchange of information concerning cybersecurity red flags – between the Supervisory Board, internal and external auditors and corporate bodies.
[1] Legislative Decree no. 138/2024 implementing Directive 2555/2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.
[2] See, amongst others, the judgment of the European Court of Human Rights in Grande Stevens v. Italy of March 4, 2014.