Information security at the heart of risk assessment of D&O liability in Denmark
After some delay, the 2022 National Information Security Directive, better known as the NIS 2 directive (Directive No. 2022/2555), will likely be implemented into Danish law by 1 July 2025 via the NIS 2 Act. Here, we assess the potential impact of the Directive and its implementation in Danish law on D&O liability and on D&O insurers.
NIS 2 is basically a risk management tool. Its purpose is to increase focus on how to map, assess and manage, in a uniform way, the risks associated with a company’s IT infrastructure, and also to require reporting of incidents and breaches, authorise audits by the relevant authorities and impose sanctions. Once implemented, NIS 2 will override NIS 1.
The NIS 2 Act will apply across a number of industries and to both public and private entities, but it does not apply directly to smaller companies below the threshold of 50 employees or a yearly turnover of EUR 10m and a yearly balance of EUR 10m. In March 2025, the section of the Act on improved resilience in the energy sector was implemented. Industries subject to sector-specific regulation, such as DORA (the Digital Operational Resilience Act), which regulates the financial industry, need to comply with that regulation.
Essential industries affected by the Act include utility providers, the transport and physical infrastructure industry, wastewater management industries and digital infrastructure providers. A number of other industries are deemed of great importance, such as, but not limited to, postal services, water management, chemical industries and food production and distribution industries. Most of the requirements of the NIS 2 Act are the same regardless of whether an entity is deemed essential or (only) important, but inspections and audits from regulators and sanctions may vary.
These industries are subject to the NIS 2 Act if they are established in Denmark and/or subject to Danish jurisdiction.
The obligations of executive management according to NIS 2
Section 6 of the NIS 2 Act requires the executive management of essential and important entities to ensure oversight and audit of measures taken to manage IT security risks.
Section 6 states that the management shall “take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems”.
Entities regulated by NIS 2 need to assess whether the organisation and its technical and operational set-up are sufficiently resilient to meet and mitigate potential threats to the entity’s network and information systems. If not, appropriate actions shall be taken to improve resilience.
It is clear from the wording that proportionality is key when deciding which measures are appropriate: “due account shall be taken of the degree of the entity’s exposure to risks, the entity’s size and the likelihood of occurrence of incidents and their severity, including their societal and economic impact.”
Accordingly, there is a direct instruction to the management of essential and important entities, namely a demand to implement, approve and audit measures that ensure resilience.
Section 6(1) lists a number of fairly specific measures to be taken by management. Such measures shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents. The list includes risk analysis, incident handling, supply-chain security, network acquisition and development security, cyber security risk management and multifactor authentication, to name a few. The list specifies what to deal with, but not how, only that implementation should be proportionate.
Having established that the NIS 2 Act imposes a number of duties on management, the question is
- whether this is an increase in the obligations and duties otherwise imposed on management of corporate entities and
- whether non-compliance with the duties may lead to liability and a duty to pay damages to an entity’s shareholders, creditors or other third parties that suffer a loss as a result of non-compliance.
D&O liability under Danish law
The management of a Danish limited liability company - an “A/S” - is separated into two entities: the Board of Directors (BoD) and the executive level. The BoD of an A/S usually consists of external members chosen by the General Assembly (the owners) of the company and the CEO and/or the CFO. The executive level includes the top management of the corporation, such as the CEO, the CFO and/or other chief executives.
Whereas the BoD has a duty to develop and monitor the company’s strategic, organisational and financial position in the market, including overseeing risk management procedures, the executive level has the day-to-day responsibility for running the company as per the guidelines decided by the BoD. First and foremost, the executive level shall ensure stable finances and proper bookkeeping in order for the company to be able to meet its responsibilities at all times.
The BoD members and executives may be held liable for the mismanagement of a company where mismanagement leads to a causal loss for the company, its owners or third parties. In Denmark, we usually only see such liability claims against the BoD or an executive when a company is declared bankrupt and the trustee investigates the events leading up to the bankruptcy. Claims against a BoD and/or executive of an active company are rare, though there have been a couple of security claim cases in recent years.
A successful claim against a BoD or the executive requires the claimant to prove negligence and causal loss. The courts will apply the business judgment rule to assess whether or not an act or omission was negligent and usually leave quite a fair margin for management decisions. Based on D&O case law in the wake of the financial crisis from 2008 onwards, management will not usually be liable for mismanaging the company if they can show that (a) they had procedures in place to conduct the business in an orderly way, (b) they complied with those procedures, and (c) to the best of their abilities, they based their decisions on relevant information. A set of guidelines on corporate governance for listed companies sets out further suggestions on how to manage various corporate risks and implement good governance structures to ensure growth and prevent financial instability. In addition, the Association for Corporate Governance has published a set of guidelines on cybersecurity for board members and executives to enhance their understanding of a better corporate strategy on cybersecurity.
Consequently, there is existing Danish regulation and soft law in place with which BoDs and executives have to comply. Section 6 of the NIS 2 Act now adds to this list of obligations and therefore increases the potential pitfalls which may lead to liability. Clearly, management has to make sure the company has a cyber security strategy and relevant policies in place to map, handle and mitigate cyber risks. However, a potential claimant must still prove that the lack of relevant strategies or policies has led to a loss. The NIS 2 Act does not change that. Neither does the NIS 2 Act specify the extent or content of cybersecurity policies or mitigation actions. Hence, there is room for the BoD to decide the most suitable cyber risk strategy for the company and for the executives to implement it. As long as management works with cybersecurity in a serious manner, takes relevant action to protect the company’s IT infrastructure and network, and is able to document and support any decisions taken on cybersecurity, they will most likely not be held liable for losses sustained due to a cyber breach. On the other hand, where cybersecurity is not taken seriously by management and mitigation policies are not in place or monitored, and this leads to a loss, both the BoD and the executive level may be held liable.
With increasing global digitalisation, the complexity of IT infrastructure, the rise in cyber threats and the growing frequency of cyber-attacks, cyber security should be at the forefront of every BoD’s and executive’s mind, no matter the size of the company or public entity. The risk of facing potential liability claims and lawsuits that drag on forever - not to mention fines - should be sufficient to encourage compliance with NIS 2.
Comment
The NIS 2 requirements add to the responsibilities that BoDs and executives have to contend with. NIS 2 makes it very clear that it is the responsibility of top management to deal with cyber security issues and not something that can be left to management further down the corporate ladder.
New regulatory demands may not lead to an increase in liability claims, but the increase in cyber threats in combination with potentially insufficient cyber security measures increases the risk of a financial loss.
The combination of the rise in cyber threats and attacks and increased regulatory demands may create an environment in which fingers are pointed at top management and damages are claimed. This may put extra pressure on D&O insurers to defend BoDs and executives against such claims, leading to an increase in defence costs.
The underwriting process for D&O policies should take into account the new NIS 2 demands, and underwriters should consider adding cyber resilience to the list of questions to potential policy holders, such as whether the policy holder has taken out relevant cyber and/or commercial crime insurance.
On the positive side, NIS 2 requirements may help policy innovation, such as developing products tailored to the unique risks posed by cyber threats and regulatory demands. Insurers may also see an increase in demand for higher policy limits.