The provisional agreement reached on 13 May 2022 by the European Parliament and the Council on the revised Network and Information Security Directive (NIS2, the successor to the directive that the UK implemented as the Network and Information Systems Regulations) is another important step in the effort to upgrade the cyber security of critical national infrastructure across the EU.
A couple of aspects of the new regime should be ringing alarm bells across corporate Europe. Beyond their wider reach, for example into healthcare and the manufacture of medical devices, the regulations now seek to hold accountable the management of companies that are found wanting, and they promise more enforcement.
Whether national authorities have enough skilled people to hold major corporates to account in this area is an issue that needs urgent attention. In general, this is an initiative worth supporting. But does it go far enough?
Change only happens if it REALLY matters to the individuals affected by it. Making the companies that run elements of critical national infrastructure accountable for the management of cyber risk is a good thing (it will require significant contractual changes, but let's not go into that now).
The implication of NISR 2 is clear: ultimately directors, as officers of the company, will become personally accountable for the decisions the company takes around the protection, and the profitable exploitation, of its information asset base. Good plan. Applied properly, it could make a big difference to how management and corporate leadership view cyber risk management. Get it wrong, and the regulations just look, well, silly.
We have long argued that data and information form a valuable part of a company's asset base, and that those data assets, whether intellectual property, know-how, experience or customer data, must be protected by directors for the benefit of the shareholders just as physical and financial assets are. Directors already owe a fiduciary duty to their shareholders (and, one might argue, to bond holders): damage shareholder value and you can be sued, fired or both. These regulations go further and seek to establish something similar around information assets.
This poses some interesting questions/dilemmas:
Member States have 21 months from the directive's entry into force to transpose NISR 2 into national law. It remains to be seen whether corporate Europe will try to water down the accountability element; the Commission should resist this. Equally, silence from corporate Europe on this directive would be significant in its own way: it would mean the NISR 2 regulations have struck a nerve. Let's see.