Section 38 BSIG
Management obligations and personal internal liability under the NIS2UmsuCG
TL;DR
Section 38 BSIG (in force since 6 December 2025) obliges the management of essential and important entities to approve the risk management measures under Section 30, monitor their implementation, and attend training. In the event of culpable breaches of duty, Section 38(5) provides for personal internal liability vis-à-vis the entity — waiver or settlement is only permitted after three years.
What is Section 38 BSIG?
Section 38 BSIG is the most stringent provision for NIS2 compliance: it places personal responsibility on the management. The obligations are:
- Subsection 1: Approval of the risk management measures under Section 30 — not delegable to IT or the compliance department
- Subsection 2: Monitoring of implementation
- Subsection 3: Obligation to attend training — to identify and assess cybersecurity risks
- Subsection 5: Personal internal liability vis-à-vis the entity in case of a culpable breach of duty; waiver or settlement is only permitted after three years (comparable to Section 93(4) AktG)
Practical example
A managing director of an insurance company (important entity) declines to approve an MFA solution despite an explicit recommendation from the CISO — for cost reasons. Six months later, the company falls victim to a ransomware attack carried out via compromised admin accounts. Damage: 2.5 million EUR. Possible consequences: a BSI fine of up to 7 million EUR or 1.4% of turnover; personal liability of the managing director under Section 38(5) for the 2.5 million EUR damage vis-à-vis the entity; in the case of a stock corporation (AG), additional management-board internal liability under Section 93 AktG. D&O insurance does not necessarily provide cover where gross negligence is demonstrable.