GERMANY Trends and Developments Contributed by: Stephan Waldhausen, Moritz Pellmann, Justus Anacker and Cristina Hajek Gross, Freshfields PartG mbB
which overwhelm systems with excessive traffic and disrupt operations, have more than doubled against European businesses. These risks are amplified by the geopolitical dynamics outlined above. Hybrid warfare, including state-sponsored cyber-attacks, espionage and sabotage, has become a defining feature of the current security environment. As audit and risk com - mittees increasingly integrate geopolitical scenarios into their agendas, boards must treat cyber resilience as inseparable from geopolitical risk management. At EU level, this evolving threat landscape has prompted a substantially enhanced regulatory frame - work under Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (the NIS2 Directive). NIS2 significantly expands the scope of regulated entities across 18 critical sectors and intro - duces stricter reporting obligations, as well as direct accountability at board level. After a delay of more than two years, Germany adopted its NIS2 Implementation Law, which entered into force on 6 December 2025. The law expands the number of regulated entities from approximately 4,500 to around 30,000 organisations. Core obligations include man - datory registration with the Federal Office for Informa - tion Security (BSI), a three-stage incident reporting regime and comprehensive cybersecurity risk man - agement measures covering all IT systems operated by the entity. Responsibility is expressly placed on management bodies, with breaches subject to fines of up to EUR10 million or 2% of total worldwide annual turnover for so-called particularly important entities. Boards should ensure that they: • enhance IT literacy among their members to ensure informed oversight of digital risks; • integrate redundancy and back-up protocols to maintain operational continuity; • implement and regularly test incident response plans to ensure preparedness; and • facilitate close co-ordination between IT, legal, compliance and risk functions to enable a unified response. At the same time, the EU’s broader simplification agenda also extends to cybersecurity regulation. The
“Digital Omnibus” proposed by the EU Commission in November 2025 includes targeted adjustments to the NIS2 Directive and the Cyber Resilience Act, aimed at streamlining incident reporting and reducing adminis - trative burdens. Boards should actively monitor these developments in order to anticipate and appropriately leverage potential compliance relief. Cybersecurity must be a standing board agenda item, supported by regular reporting, sustained investment and clear accountability. Failure to act entails sig - nificant legal, financial and reputational risks. Boards must therefore clearly allocate responsibilities across both management and supervisory levels. Complex Business Judgements The accelerating complexity of global markets, regu - latory frameworks and technological disruption has elevated the stakes of board-level decision-making. Strategic decisions are increasingly made in contexts where information is incomplete, risks are multilay - ered and interdependent, and outcomes are difficult to predict. Complexity, however, does not mitigate responsibility; on the contrary, it demands a more structured and disciplined approach to decision-making and com - pliance oversight. In such an environment, personal liability risks may arise not only from business judge - ments made on an insufficient information basis or without adequate preparation for plausible alterna - tive scenarios but also from deficiencies in compli - ance systems and from inadequate investigation and response where there are indications of compliance incidents or mismanagement. Over the past decade, there has been a significant increase in cases where both compliance incidents and board-level business judgements have been ret - rospectively investigated following (significant) losses to the company. In parallel, the expectations regarding engagement and supervision by supervisory boards have increased, effectively tightening the duties of their members. Against this backdrop, board members must address both business judgement and compliance-relat - ed risks. In relation to business decisions, the BJR
275 CHAMBERS.COM
Powered by FlippingBook