Compliance is becoming personal — personal in the sense that cybersecurity compliance regulations increasingly include provisions that make it possible to hold individuals personally liable for oversights that lead to issues like cybersecurity breaches.
This means that the stakes of noncompliance are becoming steeper. Although charges or fines directed at individuals have not yet become a common occurrence, regulators in certain jurisdictions have the power to impose this type of penalty against CIOs, CISOs, and other IT and business leaders.
Here’s a look at which compliance laws include personal liability provisions, why they matter, and what leaders can do to help protect themselves, along with the companies they represent, from fines and other penalties.
The rise of personal liability compliance penalties
Historically, the penalty for violating compliance regulations in the IT space boiled down to fines against companies. This is the primary mechanism that regulations like the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) use to punish businesses for failure to uphold adequate security and data privacy standards.
Yet, newer compliance regulations are coupling penalties for businesses with provisions that allow regulators to hold individuals personally liable. The individuals can face personal fines and, in some cases, criminal charges.
To date, two prominent compliance laws have emerged that give regulators the option of penalizing individuals:
- Version 2 of the Network and Information Security Directive, more commonly known as NIS 2. NIS 2 is a European Union regulation designed to enforce high cybersecurity standards.
- The Digital Operational Resilience Act, or DORA. DORA is also an EU regulation designed to strengthen cybersecurity, although it focuses on the finance industry.
While the details vary somewhat, the general premise in both of these regulations is that leaders whom regulators deem grossly negligent in overseeing functions related to cybersecurity can be held personally liable.
On balance, it’s important to note that the regulations are not written in a way that suggests that personal penalties will be commonplace. Instead, it is likely that regulators will exercise this option only in cases of extreme or willful negligence. These are also, of course, EU regulations; so far, there is no indication that regulators in other parts of the world are working to introduce personal liability provisions to their laws.
Nonetheless, the simple fact that personal penalties have become an option for enforcing compliance regulations in a limited context sets a precedent that is interesting, to say the least. Other regulations have occasionally allowed regulators to fine compliance officers for gross failure to enforce compliance standards within their organizations. And in rare cases, individuals who have carried out malicious activities using their employers’ IT systems or data have faced criminal charges. But never before have regulations opened the door to personal liability for any leader or manager deemed guilty of playing a hand in cybersecurity failures, including in cases when there is no evidence of criminal or deliberately malicious intent.
It is worth noting, too, that these regulations don’t include provisions for penalties against individuals who are not in managerial or executive roles. In other words, individual contributors who are responsible for cybersecurity failures cannot be held personally responsible, even if their companies are fined. This suggests that IT and business leaders may be found liable even in situations where they do not personally make mistakes that lead to cybersecurity breaches, but where employees they supervise do.
How steep are personal compliance penalties?
NIS 2 and DORA are quite new. Regulators began fully enforcing NIS 2 in October 2024, and DORA does not take full effect until January 2025.
Because of this timeline, there have so far been no reported cases of personal penalties for executives or managers based on NIS 2 or DORA violations, and no precedents currently exist for determining which types of fines or other penalties regulators might impose on individuals. But in theory, the consequences could be steep. DORA allows for fines against individuals of up to 1 million euros. The NIS 2 penalty structure is more complex because the law gives individual countries latitude to determine exactly how to punish violations, but it appears that personal fines are a possibility, as are potential bans against individuals from continuing to hold managerial positions.
Avoiding personal liability
The lack of precedent surrounding NIS 2 and DORA enforcement makes it hard to say what, exactly, executives and other business leaders can do to avoid personal liabilities. For now, the best that businesses can do is ensure they are prepared for these new regulations, if they operate in jurisdictions and industries where they apply.
Many companies, however, appear not yet fully prepared. As of late 2023, IDC found that a minority of organizations across the EU were actively preparing to meet NIS 2 requirements (Countdown to NIS 2: What’s the State of Play in Europe? IDC, December 2023). Readiness efforts varied widely between countries, but in states like Belgium and Poland, fewer than 20% of businesses said they had begun exploring the impact of NIS 2 on their operations.
IDC research also shows that in more than a few cases, IT leaders may simply be fabricating or exaggerating claims about preparing to meet new compliance mandates. For instance, according to a February 2024 report, 10% of companies based in Poland said they had already completed a gap analysis as part of NIS 2 preparedness efforts (IDC CISO Hub, February 2024: Security Predictions, AI Research, and Risk Management Concerns, March 2024). But at that time, Poland had yet to publish draft legislation related to enforcement of NIS 2 within its borders, so no meaningful gap analysis could have occurred.
If findings like these are any indication, the typical business has a long way to go to ensure that the organization as a whole, as well as its executives and managers, won’t end up on the wrong side of new compliance mandates. The consequences of noncompliance are higher than ever, which means enforcing excellent cyber hygiene standards in response to regulations like NIS 2 and DORA has become more important than ever.
Learn more about IDC’s research for technology leaders OR subscribe today to receive industry-leading research directly to your inbox.
International Data Corporation (IDC) is the premier global provider of market intelligence, advisory services, and events for the technology markets. IDC is a wholly owned subsidiary of International Data Group (IDG Inc.), the world’s leading tech media, data, and marketing services company. Recently voted Analyst Firm of the Year for the third consecutive time, IDC’s Technology Leader Solutions provide you with expert guidance backed by our industry-leading research and advisory services, robust leadership and development programs, and best-in-class benchmarking and sourcing intelligence data from the industry’s most experienced advisors. Contact us today to learn more.
Christopher Tozzi, an adjunct research advisor for IDC, is senior lecturer in IT and society at Rensselaer Polytechnic Institute. He is also the author of thousands of blog posts and articles for a variety of technology media sites, as well as a number of scholarly publications. Prior to pivoting to his current focus on researching and writing about technology, Christopher worked full-time as a tenured history professor and as an analyst for a San Francisco Bay area technology startup. He is also a longtime Linux geek, and he has held roles in Linux system administration. This unusual combination of “hard” technical skills with a focus on social and political matters helps Christopher think in unique ways about how technology impacts business and society.
Read More from This Article: Personal liability: A new trend in cybersecurity compliance?
Source: News