Governance

LEGAL BASIS

§38(1) BSIG – Management of essential and important entities is obligated to approve the risk management measures taken by these entities per §30 and to supervise their implementation.

§38(3) BSIG – Management must regularly participate in training to acquire sufficient knowledge and skills for identifying and assessing risks and risk management practices.

Management Duties

The German NIS2 implementation establishes personal obligations of management for cybersecurity:

Duty	Description	Evidence
Approval	Formal approval of risk management measures	Documented sign-off
Supervision	Ongoing control of implementation	Regular reports
Training	Personal participation in cybersecurity training	Attendance record
Liability	Personal liability for breach of duty (§38(2) BSIG)	—

LIABILITY

Under §38(2) BSIG, management is personally liable for damages resulting from breach of their approval and supervision duties. Waiver agreements and settlements are void.

Governance Structure

Role	Responsibility
Management	Approval of measures, resource allocation, personal training
Information Security Officer (ISO)	Operational control, risk analysis, incident coordination, BSI contact
IT Lead	Technical implementation, system security, patch management
Department Heads	Compliance with security policies in their area

Reporting

Report	Recipient	Interval
Security status	Management	Quarterly
Incident reports	Management	Event-driven (high/critical immediately)
Annual security report	Management	Annually
KPI report	ISO / Management	Monthly

Management Training Obligation

Management participates at least annually in cybersecurity training covering:

• Current threat landscape and relevant incidents
• NIS2/BSIG obligations and liability
• Risk management and measure assessment
• Incident response process and escalation

AI Act Synergy

The AI Act governance framework complements NIS2 governance requirements for AI-powered systems. Details in the AI Act Governance Documentation.