
EU NIS-2 Management Liability: The SonicWall Breach Test Case


Introduction

In October 2025, SonicWall revealed the full scope of a September breach: attackers had stolen ALL cloud-stored security configuration backups, not the initially reported figure of under 5%. The stolen data contained AES-256-encrypted credentials and complete IT infrastructure “blueprints” for thousands of organisations worldwide.

The critical question facing executives at affected companies: Who is personally responsible when a third-party vendor suffers a breach that exposes your organisation’s security architecture?

Under the EU’s NIS-2 Directive, the answer is clear: management. Not the IT department. Not the CISO. You.

Is Your Organisation Subject to NIS-2?

NIS-2 is an EU directive requiring medium and large entities in critical sectors to implement cybersecurity measures. It does not apply to UK-only companies. The UK maintains separate regulations under the NIS Regulations 2018 and the upcoming Cyber Security and Resilience Bill.

You are subject to NIS-2 if you have EU establishments (subsidiaries, offices, operations) or if you actively provide services in the EU in covered sectors. Covered sectors include energy, transport, banking, health, digital infrastructure, cloud services, data centres, and managed service providers.

Cross-border operations create specific obligations. UK companies with EU subsidiaries must comply in each Member State where they operate. Digital service providers serving EU customers must appoint an EU representative. Size thresholds generally apply: 50 or more employees and €10 million or more in revenue. However, certain digital service providers fall under NIS-2 regardless of size.

If you’re in scope, management liability applies. The registration deadline is April 17, 2025.

Personal Management Liability Under NIS-2

Previous cybersecurity regulations focused on organisational compliance. NIS-2 shifts responsibility directly to individual executives.

Management must approve and actively monitor cybersecurity measures. This obligation cannot be delegated to the IT department. You can assign technical implementation to your team, but accountability remains at board level.

Penalties are substantial. Essential entities face fines up to €10 million or 2% of global turnover, whichever is higher. Important entities face up to €7 million or 1.4% of global turnover. These financial penalties apply to individuals, not just organisations.

Beyond fines, Member States can impose additional sanctions: bans from managerial functions, forced discharge from positions, and public naming. German implementation under Section 38 BSIG-E sets a precedent for how Member States may enforce personal liability.

The burden of proof falls on management. You must demonstrate that you understood the risks, approved mitigation measures, and actively monitored implementation. “I delegated this to IT” is not a defence under NIS-2.

The SonicWall Case

The SonicWall breach timeline illustrates why NIS-2’s management liability provisions matter. On September 17, 2025, SonicWall disclosed a security incident affecting its cloud-based systems. On October 8, the company revealed the full scope: 100% of cloud backup users were affected, not the initially stated figure of under 5%.

Attackers stole security configuration backups containing infrastructure “blueprints”, encrypted credentials, vulnerability maps, and complete network architecture details. Even though credentials were AES-256-encrypted, the stolen data provides a roadmap of where those credentials are used and how systems connect.

Under NIS-2, affected organisations’ management faces specific questions. Can you prove the risk of storing security configurations in a third-party cloud was documented and formally accepted? Were alternative backup arrangements evaluated? Did management review and approve the vendor’s security practices? Was there active monitoring of the vendor relationship?

Taylor Wessing’s analysis of the breach notes that management cannot claim ignorance. The decision to use cloud-based backup for security configurations is a strategic choice that requires board-level awareness. If that awareness and approval cannot be documented, management liability is triggered.

The burden of proof is on executives. You must show you fulfilled your monitoring obligations. “We trusted our vendor” does not satisfy NIS-2’s requirements.

What Management Must Do Now

If your organisation falls under NIS-2, take these immediate actions:

  1. Determine your NIS-2 status and register by April 17, 2025. Identify which Member States apply. Confirm whether you’re classified as an essential or important entity.
  2. Document everything. Establish a governance framework that records management’s cybersecurity decisions. Conduct formal risk assessments. Require written approval from management for critical security measures, especially third-party arrangements.
  3. Review third-party arrangements. Audit all critical services, particularly cloud providers, managed service providers, and backup solutions. Assess security configurations and data storage locations. Document management’s review and approval of these relationships.
  4. Establish active monitoring. Create a management dashboard showing key security metrics. Schedule regular reviews at board level. Define incident escalation procedures that bring critical issues to management immediately.
  5. Review insurance coverage. Many directors and officers (D&O) policies exclude regulatory fines. Check whether your policy covers NIS-2 penalties. Consider whether additional cyber liability coverage is needed.

Beyond these immediate steps, NIS-2 imposes ongoing obligations. Incident reporting follows strict timelines: initial notification within 24 hours, detailed reporting within 72 hours, and final reports within one month. Management must ensure these reporting mechanisms function and that they receive immediate notification of incidents.

Regular audits and training requirements apply. Management must participate in, not simply approve, cybersecurity training programmes. External audits should assess not just technical controls but management’s oversight processes.

Conclusion

The SonicWall breach demonstrates why NIS-2 makes management personally liable. A vendor security failure doesn’t absolve executives of responsibility. Instead, it tests whether management understood the risk of using that vendor, approved that risk consciously, and monitored the arrangement properly.

Under NIS-2, executives must answer three questions: Did we understand this risk? Did we accept it consciously through documented approval? Can we prove we monitored it properly?

If you cannot answer “yes” with supporting evidence to all three questions, you face personal liability. The question is no longer “Is our organisation compliant?” but “Am I personally protected?”

NIS-2’s April 17, 2025 registration deadline approaches. The time to establish documented management oversight is now, before an incident tests whether your governance framework can protect you from personal liability.

Author

Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
