Cybersecurity: what leaders can no longer ignore

Can a manager, today, be sanctioned for not having sufficiently anticipated a cyber risk? In 2026, the answer is yes. And this risk does not only concern the executive director.

The CNIL’s 2025 annual report, published on May 19, is eloquent: 6,167 personal data breaches recorded in France last year, an increase of 9.5% compared to 2024 and a record. The trend will accelerate further in 2026. According to the president of the CNIL, “the development of artificial intelligence automates, industrializes and democratizes attacks”. Leaders are no longer merely potential victims: they have become direct targets. CEO fraud, deepfake attacks, targeted compromises of the Comex (executive committee): cyber risk now has a face.

What is the NIS 2 directive?

It is a European text whose objective is to strengthen the cybersecurity of companies and organizations across the European Union. Its central principle is simple: cybersecurity is no longer a technical subject that can be delegated to the CISO. It is a governance obligation, which engages collective responsibility at the highest level of the company, general management, executive committee and board of directors.

In France, the Resilience bill has been adopted and its promulgation is expected this summer. The European Commission has formally sanctioned the French delay. But waiting for the law would be a mistake: ANSSI published its operational framework in March 2026, the requirements are known, and audits of large companies will begin this year.

Who is affected?

The NIS 2 directive covers 18 sectors of activity (energy, transport, health, banking, digital infrastructure, agri-food, chemicals, postal services, among others) and distinguishes two categories of organizations.

Large companies in critical sectors, with more than 250 employees or 50 million euros in turnover, are subject to regular audits by ANSSI. Medium-sized companies in the sectors covered, from 50 employees or 10 million euros in turnover, are subject to controls triggered in the event of an incident. In France, between 15,000 and 18,000 organizations are concerned.

What obligations?

The obligations are the same for all the entities concerned: an annual assessment of cyber risks, mandatory notification of significant incidents to ANSSI within 24 hours, securing service providers and suppliers, and business continuity and recovery plans. The directive also imposes mandatory cybersecurity training for all managers: not a recommendation, an obligation.

What sanctions?

This is where things get real. Administrative sanctions can reach 10 million euros or 2% of global turnover for large entities, and 7 million euros or 1.4% for medium-sized companies. But the real change lies elsewhere: the NIS 2 directive now allows managers to be held personally liable in the event of a breach, where until now only the company was exposed. For entities in repeated breach, a temporary ban on exercising management functions is explicitly provided for.

This development brings cybersecurity closer to the logic already known in the fight against corruption or the duty of vigilance: what matters is what management has put in place, and what it can prove.

Concretely, what should a Comex do?

NIS 2 does not expect leaders to become technical experts. It expects them to govern. In practice, this translates into four non-delegable tasks.

Put cybersecurity on the agenda. Not once a year, but regularly, with dedicated reporting: status of identified risks, incidents that have occurred, progress of measures. The Comex approves, arbitrates and decides, and this must be traceable.

Train. This is not technical training, but acculturation to the issues: knowing how to read a risk map, understanding what a significant incident is, knowing the notification obligations. Short formats suited to managers exist.

Document decisions. This is the heart of the obligation of proof. Each decision taken on cybersecurity (budget allocated, service provider selected, measure validated or postponed) must be formalized and preserved. In the event of an inspection or an incident, it is this documentation that distinguishes the diligent manager from the one who failed.

Vet your providers. Responsibility extends throughout the supply chain. An incident involving a negligent service provider may engage the liability of the contracting company. Contracts must include cyber clauses, and compliance with them must be monitored.

What about the AI Act?

The NIS 2 directive is not the only constraint to be integrated. European regulations on artificial intelligence are also gradually coming into force. Certain practices have already been prohibited since February 2025. For the most sensitive uses (HR, credit, health, justice), the full obligations are postponed until the end of 2027, following a European agreement of May 2026. This deadline does not justify inaction: companies that use or deploy AI have an interest in mapping their systems now, and in reining in shadow AI, the uncontrolled use of AI tools by teams, which often generates underestimated risks.

2026 is already a year of truth

The pressures on managers are multiple and convergent: insurers who condition their cover on demonstrable security levels, commercial partners who demand contractual guarantees, investors attentive to cyber risks, and immediate reputational exposure in the event of an incident.

The question is no longer whether the NIS 2 directive will apply. It already applies in its concrete requirements. The real question is this: when the time comes, what will management be able to prove, individually and collectively?

In this area, inaction is no longer neutral. It becomes, in itself, a risk taken, capable of engaging the liability of managers at the administrative, civil and, where applicable, criminal levels.
