Judge: basic cyber security remains your own responsibility, even when outsourced.

The Arnhem-Leeuwarden Court of Appeal has ruled that a Dutch car company is 50% liable for damages following an email hack in which payment instructions were manipulated. The reason: basic security measures were not in order. Weak and shared passwords, the absence of 2FA, and no demonstrable password policy made the email account vulnerable. Relying solely on standard antivirus software was deemed insufficient.

Crucially, the company could not shift responsibility to its IT provider by pointing to the outsourcing arrangement. The court made it clear that organisations themselves always remain responsible for elementary security measures, including procedures and training.

The ruling confirms a broader trend: a lack of basic cyber hygiene not only leads to incidents but also to legal risks. The car company must compensate €13,500 plus additional costs.

Current context: A serious vulnerability in SmarterMail once again shows that a negligent update policy can have major consequences. Despite available patches, dozens of Dutch mail servers remain unpatched and vulnerable.

Relevance for NIS2:
Executive boards must take the lead, ensure basic measures are in place, and actively assess suppliers. NIS2 does not call for blind outsourcing but for demonstrable control. Working towards NIS2 compliance is therefore not a burden, but essential risk management across the entire supply chain.