Reinier W.L. Russell, Esq., managing partner at Russell Advocaten, explains in his contribution to the Fall Issue of Paradigm, the Primerus magazine, which concrete preventive legal measures directors and supervisors can take to guarantee the safety of the company to the greatest extent possible, and thereby comply with their duty of care. This article is a follow-up to our previous publications on legal risk management and management of digital risks for companies.
We are frequently startled by international cyberattacks. Hackers steal confidential information and ransomware shuts down companies, hospitals and governments. Since company computer systems are increasingly connected to the Internet (online stores) and also rely on Information and Communication Technology (ICT) for internal processes, companies are not just more vulnerable to attacks; the impact of such attacks is also greater. Orders cannot be processed, documents cannot be accessed, (manufacturing) processes are interrupted, and client data are made public, with the risk of high regulatory fines. Obviously, IT measures are the first means of prevention. Less obvious, but just as important, is that you can take preventive legal measures to reduce the risk of an attack, limit the potential consequences of a hack and invest in your cybersecurity.
This article deals with concrete preventive legal measures you, as a director or supervisor, can take to guarantee the safety of the company to the greatest extent possible, and thereby comply with your duty of care. A breach of the duty of care may lead to directors’ liability.
Cybersecurity must be dealt with at the highest level, and the required expertise has to be present there. Which systems will be used, and which risks their use involves, has to be discussed at management level. This has consequences for the structure of the organization, the management and the company:
Chief information officer
Appointing a chief information officer (CIO) is a good way to acquire digital knowledge, centralize it and use it effectively. Many large and medium-sized companies have a CIO, as ICT no longer plays only a supporting role but drives all company processes. The CIO is a member of the management and has the ultimate responsibility for the ICT policy of the entire organization. This is necessary for the company and will reduce the risk that the company and its directors are held liable in the event of infringements relating to cybersecurity.
Maybe your company is too small to employ a CIO. This does not change anything regarding the distribution of responsibility: the management or board of directors remains ultimately responsible for cybersecurity and for the application of privacy regulations, and will therefore have to make sure it possesses the competence required in this field.
Supervisors
When appointing supervisors and non-executive directors, make sure to consider people who are familiar with digital risks, so that they will be able to exercise their supervisory and advisory role sufficiently. After all, it is their task to advise the management board on digital security and to monitor the processes within the company in this respect too. The supervisors themselves also benefit from this knowledge, as they could be liable in case of insufficient supervision.
Corporate structure
Risks can be reduced by placing the development of a new product or service, such as a new app, in a separate legal entity, whether or not with a separate ICT network. If things go wrong, the consequences for the rest of the company will be limited.
Most problems in the area of ICT arise accidentally, through human error. All people involved in the company, employees but also contractors and agency workers, therefore have to be aware of the importance of cybersecurity. This is called security awareness. Security awareness goes beyond merely reacting to incidents: it has to be guaranteed via a continuous process through which an organization can reduce risks to an acceptable level. This can be done, among other things, by drafting a personnel handbook including guidelines on internet usage, emails and passwords. Further, it should be clearly defined that employees have to report abuses, how they have to be reported and within what time limit. Otherwise, companies would have to depend on the reasonable conduct of their employees instead of being able to require such conduct.
When concluding any contract, not just ICT contracts, it is important to distribute responsibility and limit liability. After all, your company is responsible for the ICT it uses. This does not change if your ICT only has a supporting function or if you have not developed the ICT yourself.
Check, for instance, your General Terms and Conditions, in which liability can be excluded, limited or transferred to a third party, but also concrete arrangements such as Service Level Agreements (SLAs). The scope for such agreements is more limited if the counterparty is a “consumer”. A provision in the General Terms and Conditions of an agreement has no legal consequences (it is “voidable”) if it is extremely disadvantageous (“unreasonably onerous”) for the consumer. A provision stipulating that your company has no or limited obligations in the area of cybersecurity will probably be unreasonably onerous. Besides, the arrangements agreed upon only apply with regard to the party you concluded the agreement with.
It is crucial to phrase agreements clearly. Vague agreements bear the genuine risk that a court will interpret provisions, at least in the event of a conflict, to the detriment of the company. Suppose that your company stipulates in an agreement that it shall not be liable if a cyberattack causes it to be late in fulfilling its obligations. Without a more detailed description of this term, a conflict could arise on the question whether a certain kind of malware constitutes a cyberattack.
Lastly, your company cannot exclude all liability. Obviously, hardware and software, apps and web-based tools must comply with the latest security requirements. Therefore, despite exoneration clauses, the company remains liable if, for instance, it uses, with the knowledge of the management, ICT whose cybersecurity falls short. A company that uses obsolete software to save costs and takes no measures to protect its computers and networks will probably not be able to invoke a stipulation excluding liability if a lack of security causes damage.
If legal means are not sufficient to limit the liability of a company and directors, the financial consequences can be limited by cyber insurance and directors’ liability insurance.
The importance of cybersecurity is underlined by the privacy laws and high penalties for infringement on privacy.
Personal data is usually processed by means of ICT. In Europe, strict rules apply to this that can affect companies worldwide. The basic principle of the regulations is that they apply to the processing of personal data from Europeans even if the processing takes place outside Europe.
A breach of the security obligations has severe financial consequences. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens; AP) can currently impose a maximum fine of EUR 820,000 per breach, or 10 percent of the annual turnover.
As of May 25, 2018, the AP can impose a maximum fine of 20 million euros or a fine of 4 percent of the worldwide annual turnover should this amount be higher.
The board of a company has the ultimate responsibility for cybersecurity and can be held personally liable in the event of breaches. The board has to examine the organization and the (ICT) company processes for compatibility with the existing regulations. In addition, the board has to make sure that both managers and supervisors have expertise in this area, for instance by appointing a chief information officer to the board. Employees must be familiar with the cybersecurity policy, for instance via the staff handbook or internal training. In contracts, liability for cybersecurity problems can be limited to the greatest extent possible. Should this not be enough, insurance can also be a solution.