The EU NIS2 Directive fundamentally changes the responsibility for cybersecurity: It is no longer a purely IT task, but a strategic management and governance obligation of company leadership – with clearly defined personal liability risks for board members and executives.
Against this background, the event “Cyber im Dialog” took place in Munich on November 20, 2025 – a joint event by the eHealth and Insurance Hub. The focus was on the immediate impact of NIS2 on decision-makers, as well as concrete practical experiences from the business and insurance sectors.
In the following, we summarize the most important findings and the practical lessons learned:
Central finding of the event
Cybersecurity is definitively a management priority. The responsibility for appropriate protective measures, functioning emergency processes, and their monitoring is non-delegable.
Impulses and Practical Experiences
Following the welcome by Hans-Wilhelm Dünn, Jan Arfwedson and Maximilian Mäder shed light on the new NIS2 requirements and the associated liability risks for corporate management.
Other experts provided valuable insights from practice:
Dirk Enders pointed out the role that Cyber and D&O insurance play – and where significant coverage gaps loom in cases of gross negligence.
Alexander von Bernadotte gave an impressive report from the practice of Emergency and Business Continuity Management and shared lessons learned from handling a massive cyberattack he himself experienced.
Consequences for Decision-Makers: What Matters Now
Clear areas for action can be derived from the discussions and practical experiences:
- Implement Technical Quick Wins: Comprehensive Multi-Factor Authentication (MFA) for remote access as well as immutable, geo-redundant backups are indispensable today.
- Train Crisis Capability: Emergency and reporting processes (the 24-hour early-warning and 72-hour incident-notification deadlines) must be regularly tested in realistic tabletop exercises involving corporate management.
- Actively Manage Liability Risks: D&O and Cyber insurance policies should be specifically reviewed for exclusions related to lack of compliance – prevention is the most effective protection.
NIS2 is not just a cost factor but a strategic investment in resilience, stability, and trust.
Outlook: Actionable Guidance for Decision-Makers
During the event, it became clear how high the demand is for a compact, clearly structured NIS2 action guide for decision-makers. The Cyber-Sicherheitsrat Deutschland e.V. has taken up this suggestion and is now providing a practice-oriented guide that clearly summarizes the central obligations, risks, and fields of action. Many thanks to Jan Arfwedson for the editorial development.
We cordially invite you to use and share the content and to continue the dialogue.