Tuesday, July 5, 2022
NISR 2: Europe pushes for better protection against cyber attacks by holding companies and their management to account

The agreement on 13 May 2022 by European Member States to enhance the Network and Information Systems Regulations is another important step in the war to upgrade the cyber security of critical national infrastructure across the EU.

There are a couple of aspects of the new regulations that should be ringing alarm bells across corporate Europe. As well as the increased reach of the regulations, for example into healthcare and medical devices, the regulations now seek to hold accountable the management of companies that are found wanting, as well as promising more enforcement.

Whether national authorities have sufficient numbers of skilled people to hold major corporates to account in this area is an issue that needs urgent addressing. In general, this is an initiative worth supporting. But does it go far enough?

Change only successfully occurs if it REALLY matters to the individuals affected by that change. Making companies that run elements of critical national infrastructure accountable for the management of cyber risks is a good thing (it will require significant contractual changes, but let’s not do that now).

The implication of NISR 2 is clear: ultimately directors will become personally accountable, as officers of the company, for the decisions it takes around the protection (and profitable exploitation) of its information asset base. Good plan. If applied properly it could make a big difference to how management and corporate leadership view cyber risk management. But get it wrong, and the regulations just look, well, silly.

We have long argued that data and information form a valuable part of a company’s asset base, and that those data assets (whether in the form of intellectual property, know-how, experience or customer data) must, like all other physical or financial assets, be protected by directors for the benefit of the shareholders. Directors of companies already have a fiduciary duty to their shareholders (and, one might argue, bondholders): damage shareholder value and you can be sued, fired or both. But these regulations go further and seek to do something similar around information assets.

This poses some interesting questions/dilemmas:

  • The original NIS regulations allow organisations to be fined up to €20m in the UK for egregious breaches leading to the failure of elements of critical infrastructure. In our experience, this was not taken as seriously as potential fines and penalties under GDPR (up to 4% of turnover). Making boards and directors accountable for the protection of their information assets is a big step.
  • In the UK, a director’s responsibilities are enshrined in the Companies Act. If the UK government decided to adopt a similar approach to that enshrined in NISR 2, would it need to amend the Companies Act as well as updating the law enshrining NISR 2 if it wants boards of directors to take this as seriously as they should? Would the same apply in EU countries?
  • If EU member states fail to change the statutory responsibilities of company directors, will NISR 2 effectively be stymied (i.e. these regulations do not trump existing rules about roles and responsibilities)?
  • Being a director starts to look a lot more like personal risk: would a failure under NISR 2 be covered under D&O insurance?
  • If a company was hit by a cyber attack, could it now be sued by shareholders for impairment of company value?
  • It remains to be seen whether these regulations might drive perverse outcomes (e.g. being a ‘director’ starts to look very unattractive, and companies might find it harder to retain talent at that level).

Countries have 21 months to get NISR 2 onto their statute books. It remains to be seen if corporate Europe will seek to water down the ‘accountability’ element. The Commission should resist this. Likewise, silence by corporate Europe to this directive will also be significant: it means the NISR 2 regulations have struck a nerve. Let’s see.

  • William Egerton
    Chief Cyber Officer