NIS-2 management liability tested in practice using the example of the SonicWall data leak

The management is personally responsible for ensuring that risk management measures are implemented and monitored (Section 38 (1) BSIG-E). The fact that sensitive firewall configuration data was entrusted to an external cloud service provider indicates a primary breach of the obligation to ensure the security of the supply chain (Section 30 para. 2 no. 4 BSIG-E).

Required behaviour would have been:

• Cyber competence and training: the management required by law to provide training (section 38(3) BSIG-E) should first have had the ability to assess both the choice of firewall provider and the impact of an attack and ask the right questions, rather than viewing this as purely an IT task.
• Vendor risk assessment: A firewall vendor acts as a cloud service provider and possibly as an MSP (Managed Security Provider), both of which are explicitly included in the scope of the NIS 2 Directive and therefore always relevant to the cybersecurity of an organisation covered by the NIS 2 Directive. Management should have ensured that the vulnerabilities and cybersecurity practices of the firewall provider (as a direct provider) were adequately assessed.
• Risk acceptance of data storage: The decision to store "crown jewels" in the form of the network's firewall configuration data externally should have been formally approved and logged. A decisive protective measure would have been the consistent use of client-side (i.e. customer-side) managed encryption (Section 30 para. 2 no. 8 BSIG-E), which would have rendered the theft worthless.
• Proactive monitoring: Instead of reactive measures, investments in External Attack Surface Management (EASM) scans for the continuous monitoring of critical service providers would have been proof of effectiveness.
• Contractual safeguards: The contracts with the firewall provider should have contained clear security clauses, audit and control rights and detailed reporting obligations on the part of the provider in order to fulfil its own NIS 2 reporting obligations.

The management's monitoring obligation is an active control obligation. The breach of the training and monitoring obligations (Section 38 BSIG-E) becomes tangible here. The required behaviour would have been

• Verifiable supervision: regular reports from the CISO/IT manager should have been used to check the effectiveness of the supply chain security measures.
• Defence against consequential damage: As the firewall configuration data is actively used, the management should have ensured the immediate implementation of incident response and cyber hygiene (Section 30 para. 2 no. 2 BSIG-E), including changing passwords and applying the principle of least privilege (PoLP).

The theft of the firewall configuration data fulfils the criteria of a significant security incident. The management is responsible for the correct handling - and may be liable for failures.

• Fulfilment of reporting obligations (Section 32 BSIG-E): Ensuring the staged reporting process to the BSI (24-hour early warning, 72-hour assessment, 1-month final report).
• Crisis management and notification of third parties: Activation of crisis management and potential notification of own customers on the instruction of the BSI in order to avoid cascading effects (Section 35 BSIG-E).
• Liability risks (Section 38 (2) BSIG-E): The incident creates a direct liability risk. Exculpation is only possible if the management can prove that it has fulfilled its monitoring obligations. The question of whether the residual risk was consciously accepted and documented would be decisive here.