If the new Cybersecurity Act and its implementing decrees classify you as a regulated service provider, this does not just mean an increase in the requirements for your IT department. It is a fundamental change in the accountability framework of the entire organisation, especially its senior management. Whether you fall under the higher or lower duty regime, the law explicitly places personal and legal responsibility on you to adopt, set up and oversee security measures. It is no longer sufficient to say “we delegated it”, because the duty of leadership cannot be delegated in the sense of “the CIO or CISO is in charge”.
The responsibility for ensuring that security measures are in place, that they are adequate, and that they work in practice remains with the statutory body, the board of directors, the managing director or the CEO.
Ignorance of the law or its implementing decree is no excuse. On the contrary, it may be interpreted as negligence and, in some cases, as a breach of the duty of care. In practice, this means that in the event of an incident, inspection or audit, it is not only IT systems that are evaluated, but also the decision-making processes and accountability structures of the company's management.
Underestimating these obligations can have real legal consequences for members of management:
Sanctions from the NCIB, including fines and corrective measures,
Removal of responsible persons in the organisation on the basis of inadequate risk management,
Sanctions by shareholders or the founder for neglect of duties,
Personal liability to the company or third parties (e.g. customers, partners) as a result of damage caused by security failures.