The new wave of European cybersecurity laws means CISOs are now personally liable for failures—sometimes facing criminal charges, job bans, or huge fines. Yet many lack the authority or resources to truly protect their organizations, making them the legal scapegoats in a shifting regulatory landscape.