SME Compliance Liability of the Managing Director 2026: 6 Risks

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • Section 38 BSIG (NIS2): personal liability up to 2 million EUR for grossly negligent breaches of Section 30 BSIG (German Cybersecurity Act)
  • Section 43 GmbHG: the managing director must exercise the diligence of a prudent businessperson; liable to company and third parties
  • Art. 83 GDPR + Section 41 BDSG: intentional violations can lead to personal fines of 5-50k EUR
  • Art. 99 EU AI Act: systemic AI violations can reach the managing director personally; up to 35 million EUR or 7% of turnover
  • D&O insurance: 1.5-15k EUR/year covers most compliance breaches but not gross negligence or intent

1. Section 38 BSIG (NIS2): up to 2 million EUR personal liability

Managing directors are personally liable for grossly negligent breaches of Section 30 BSIG (the German Cybersecurity Act implementing NIS2). This exposure is insurable only within limits via D&O policies. It is the most material new exposure for managing directors of NIS2-scoped SMEs (small and medium-sized enterprises).

2. Section 43 GmbHG: duty of care

The managing director must exercise "the diligence of a prudent businessperson" under Section 43 GmbHG (German Limited Liability Company Act). For compliance failures: personal liability toward the company and third parties. Settled jurisprudence; the bar for "should have known" is comparatively low.

3. Art. 83 GDPR + Section 41 BDSG: personal fines

For intentional violations the managing director can be held personally liable. Practice: in cases of systemic GDPR breaches, personal fines of 5-50k EUR are not unusual under Section 41 BDSG (German Federal Data Protection Act).

4. Section 14 StGB: criminal liability

Under Section 14 StGB (German Criminal Code), data breaches with negligent disregard can trigger criminal complaints, in particular under Section 203 StGB (violation of private secrets). Risk especially material in healthcare, legal, and financial services contexts.

5. Art. 99 EU AI Act: up to 35 million EUR or 7%

For systemic AI violations the supervisory authority can target the managing director directly, although enforcement practice is still nascent. The fine ceiling of 35 million EUR or 7% of worldwide turnover applies to corporate sanctions; personal exposure typically rides on national rules around imputed liability.

6. D&O insurance as protection

Standard policies provide 1-5 million EUR of cover. Compliance breaches are usually covered; gross negligence and intent are typically excluded. Cost: 1,500-15,000 EUR/year depending on size and sector. Protective measures (compliance officer, training, documentation) tend to reduce premiums.

7. Four protective measures for the managing director

(1) Comprehensive compliance documentation (templates plus periodic refresh). (2) Appoint a compliance officer (internal or external). (3) D&O insurance with appropriate coverage. (4) Document training and management decisions in board minutes; these create the paper trail that demonstrates diligent oversight.

Summary

Personal liability for managing directors has materially expanded with NIS2 and EU AI Act. The combination of Section 38 BSIG, Section 43 GmbHG, and the GDPR/AI Act regimes means an SME managing director can face direct exposure in the millions. Documentation, a named compliance officer, and D&O coverage form the standard mitigation package.

Frequently Asked Questions

How do I protect myself as managing director?
1) Compliance-Kit documentation, 2) appoint a compliance officer, 3) D&O insurance, 4) document training sessions.
What does D&O insurance cost?
EUR 1,500-15,000/year depending on size + sector.