Cybersecurity and contractual liability encompass the legal framework surrounding the security of information systems and the resulting obligations between contractual parties. At Musch Legal, we foresee that cyber incidents will be the norm by 2026 — not the exception. NIS2, CRA, and GDPR impose heavy obligations on directors, contracting parties, and suppliers. Those who do not regulate liability contractually often bear millions in damages alone.

What is the legal problem? (What cyber liability looms?)

Cyber ​​incidents lead to data breaches, operational downtime, and ransomware claims. Liability can arise via GDPR (data breach), breach of contract (downtime), product liability (defective software), and tort (tort). NIS2 requires cybersecurity measures for essential and important entities with personal director liability. For suppliers of digital products, CRA applies with a security-by-design requirement.

What does the law say? (Which frameworks apply?)

NIS2 (Directive (EU) 2022/2555, implementation until 17 October 2024) mandates cybersecurity measures, incident reporting within 24/72 hours, and directors' liability for essential and significant entities. The Cyber ​​Resilience Act (Regulation (EU) 2024/2847, phased in from 2027) mandates security-by-design and vulnerability disclosure. GDPR Articles 33-34 require data breach notification within 72 hours. DORA for the financial sector (Regulation 2022/2554 since 17 January 2025).

Under Dutch law, supplemented by the Network and Information Systems Security Act (Wbni).

Regulations

Applicability

Main obligation

NIS2 2022/2555

Essential + significant entities

Risk management + incident reporting

CRA 2024/2847

Products with digital elements

Security-by-design + CE marking

Article 2024/2847

Products with digital elements

Security-by-design + CE marking

Article 2024 GDPR 33-34

Personal data processors

Data breach notification 72 hours

DORA 2022/2554

Financial sector

Operational resilience

Wbni (NL)

National implementation of NIS2

Supervision via NCSC

Regulations

Applicability

Main obligation

NIS2 2022/2555

Essential + significant entities

Risk management + incident reporting

CRA 2024/2847

Products with digital elements

Security-by-design + CE marking

GDPR Article 33-34

Personal data processors

Data breach notification within 72 hours

DORA 2022/2554

Financial sector

Operational resilience

Wbni (NL)

National implementation of NIS2

Supervision via NCSC

What risks do companies face? (What risks in the event of a cyber incident?)

GDPR fines of up to 4 percent of global turnover. NIS2 fines of up to 10 million euros or 2 percent of turnover for essential entities. Directors' liability under Section 2:9 of the Dutch Civil Code and NIS2 Section 20. Operational damage due to downtime and data recovery. Reputational damage resulting from public disclosure. Civil claims by affected parties and customers. Insurers exclude coverage in the event of inadequate basic measures.

Practical example from our practice (How did we handle a ransomware claim?)

Musch Legal represented a Dutch SaaS company following a ransomware attack that exposed customer data. We coordinated the GDPR data breach notification to the Dutch Data Protection Authority (AP) within 72 hours, communication with data subjects, contractual claims against affected customers (limitation of liability in the terms and conditions held up for 18 of 22 customers), recourse against a cyber supplier who had missed a critical patch, plus a cyber insurance claim. Total recovery of 1.4 million euros on estimated 3.2 million euros in damages.

What can you do? (Which cybersecurity framework are you building?)

Implement a cybersecurity baseline (ISO 27001 or NIS2 compliant). Build an incident response plan with a GDPR notification obligation within 72 hours. Take out cyber liability insurance with Side A and cyber extortion. Contractually: limitation of liability under Section 6:248 of the Dutch Civil Code with cyber exclusion for indirect damage. For suppliers: cyber due diligence and SLA with security requirements. Engage Musch Legal for a cyber-readiness audit.

GDPR and international data transfers

AI usage within international enterprises

International privacy rules for companies