Section 38 BSIG Management Liability: D&O Insurance and Protection Plan

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Section 38 BSIG (German Cybersecurity Act) creates personal liability for management on grossly negligent NIS2 breaches
  • Personal cap: up to EUR 2 million per executive, plus fines under Section 60 BSIG
  • D&O insurance typically covers EUR 1-5M; annual premium EUR 1,500-15,000 for SMEs
  • D&O does NOT cover willful intent, gross negligence, criminal fines, or regulatory fines
  • The strongest defense is documented compliance, not insurance

1. The Section 38 BSIG offense

Section 38 BSIG holds management of essential and important entities personally liable when grossly negligent breaches of NIS2 obligations cause damage. Liability extends to the personal assets of the managing director, with damages up to EUR 2 million plus regulatory fines under Section 60 BSIG (up to EUR 10M or 2% of global revenue).

2. D&O insurance baseline

Standard market: EUR 1-5 million coverage, annual premium EUR 1,500-15,000 depending on revenue, sector, and prior loss history. These ranges are typical for managing directors and executive boards in NIS2-regulated sectors.

3. What D&O DOES cover

4. What D&O does NOT cover

Conclusion: a D&O policy is a complement to compliance, not a substitute for it.

5. Mandatory protection measures for management

  1. Maintain NIS2 documentation (the 22 mandatory templates)
  2. Appoint a CISO or information security officer
  3. Keep training records for management and staff
  4. Run regular internal audits and management reviews
  5. Provide a quarterly compliance report to the supervisory board

6. Special case: supervisory board

Members of a supervisory board (Aufsichtsrat) are personally liable when they breach their oversight duties. A separate supervisory-board endorsement on the D&O policy is recommended; the standard managing-director policy does not always extend to board members.

Summary

Section 38 BSIG turns NIS2 from an IT problem into a personal-finance problem for executives. D&O insurance helps with defense costs and civil claims, but not with fines or grossly negligent conduct. The strongest defense is documented compliance: keep the 22 templates current, evidence training, and run audits.


Frequently Asked Questions

Is D&O insurance mandatory?
No, it is voluntary. However, it is best practice for SMEs with 50 or more employees.

What does a damage claim cost?
Defense costs EUR 50,000-200,000; damages often EUR 250,000-2,000,000.
