Abstract
This Comment examines the implications of the European Union’s Network and Information Security 2 Directive (“NIS2”) on corporate cybersecurity governance, with a particular focus on the fiduciary duties of directors in multinational corporations operating in the United States. The NIS2 Directive, adopted in 2023 and currently being transposed into national law by EU member states, mandates that boards of directors must directly approve and oversee—and can be liable for—the cybersecurity risk management measures taken by their companies.
This Comment delves into the intersection of NIS2 with Delaware corporate law and examines how NIS2 influences the fiduciary duty of oversight for cybersecurity, particularly in light of the Caremark standard, which holds directors liable for failing to implement and monitor adequate reporting systems. The analysis highlights the potential for increased Caremark claims against directors for noncompliance with NIS2 in the wake of a significant cyber trauma. By integrating cybersecurity risk management into corporate governance, NIS2 expands the fiduciary duty of oversight for cybersecurity from a simple good-faith attempt to implement monitoring systems to a direct obligation to proactively oversee such systems.