Boards’ Role in Cybersecurity Governance: Meeting EU NIS2 Compliance Demands

What is New in the EU?

The old saying that it is not a question of whether you will be subject to a cyberattack but when has never been truer. The risk of suffering cyberattacks and the losses from them have increased dramatically: individual sectors are losing billions and services across Europe are disrupted constantly.

The European Union has in recent years been overhauling its cybersecurity legislation to address these challenges. The NIS2 Directive has replaced the original NIS Directive. Its main task is to impose additional cybersecurity measures on vital sectors of the economy such as networked industries, banking, parts of the public sector, etc. The proposed Cyber Resilience Act aims to protect businesses and consumers buying products with a digital component by obliging producers to meet a number of cybersecurity standards. Laws like the proposed Cyber Solidarity Act aim to increase the EU’s capacity to respond to cyberthreats, an effort already commenced with the strengthening of the EU’s ENISA agency (see the Cybersecurity Act). Sector-specific cybersecurity legislation, such as the Digital Operational Resilience Act (DORA) in finance, has been adopted or is in the process of being adopted. These rules come in addition to the general EU rules on platforms such as the GDPR, the AI Act or the Digital Services Act.

The EU effort creates new rules of the game for modern companies. Boards need to listen or perish. There are four main reasons why things are different today:

First, the multitude of rules brings increased compliance obligations and with them the duty to strategically manage risk-based compliance.

Second, cybersecurity can no longer be dealt with in an isolated IT context but must instead be implemented across the life cycle of a product, demanding different organisational and strategic approaches.

Third, new cybersecurity rules such as NIS2 demand a new form of compliance: risk-based compliance. Rather than providing companies with pre-made guidelines, this requires them to engage in risk assessment and risk mitigation across a number of parameters such as policies, incident handling, business continuity, supply chains, etc. Companies have no experience in risk-based compliance and feel vulnerable where little official guidance and few industry standards exist. This creates the incentive to outsource the problem to individual departments in the company or to external counsel, and/or to buy software solutions.

Finally, new rules such as NIS2 demand a new role from management, putting the Board in charge and making it liable for infringements of risk-based compliance measures. This is a new development for the EU legislator but also a huge challenge for firms. It is no longer possible to push responsibility onto CIOs or in-house counsel – doing so not only breaks the law but leads to strategically negative consequences as competitors surge forward with their compliant offers.

Cyberrisk from the Board’s Perspective

New EU rules should not be understood as a burden but as a valuable tool that can help companies remain safe and also create value. What, then, are the main demands that these rules pose and that management needs to have in mind in order to deal with cybersecurity challenges?

First, Boards must not view cybersecurity as optional. It is an essential part of a company’s risk management portfolio, and NIS2 demands (Article 20) that the management bodies of affected entities approve the cybersecurity risk-management measures. This is because a) cybersecurity is a major risk indicator for a company that Boards need to understand and b) cybersecurity is part of the entire life cycle of a product and therefore essential for keeping the company healthy and afloat.

Second, organizational roles are set up completely differently now than they were just 5 years ago. While IT problems tended to be the domain of chief information officers (CIOs), a whole range of officers are now involved in keeping a company free of cyber risk: CIOs, chief risk officers, data protection officers, the compliance function, in-house counsel, external counsel, finance and others. Not only do these need to know how to cooperate with each other on cybersecurity matters, but they all need to be part of the senior management working on cyber risk.

Third, Boards and top management are held accountable for breaches (Art. 20 NIS2). This is as close to a demand to take a direct interest as it comes. It means that directors should have access to expertise and treat cyber risk as an enterprise-wide risk and not just an IT issue.

Fourth, while companies still tend to view cybersecurity as technical in nature, NIS2 is clear in demanding technical, operational and organisational measures to manage cybersecurity risk. The absence of any of the three can land a company’s top management team in trouble.

Fifth, company tone is set at the top. Management should establish a company-wide cyber risk management framework and provide adequate resources and training. Management should initiate discussions on organizational, technical and other issues, but also on which risks are worth taking and which can be transferred through insurance (at present, the market for cyber risk insurance is still nascent).

Sixth, various cybersecurity frameworks such as ISO 27001 or D-Mærket in Denmark can be valuable tools on the way to achieving better cybersecurity, and Boards should seriously consider them, but they are not replacements for sound cyber risk compliance strategies. Risk-based compliance is a dynamic and ongoing process, not a one-off exercise leading to certification. Nor can such frameworks take the role of strategic compliance management. At best, these frameworks can help companies on the way. At worst, they can seriously mislead management into thinking they are compliant.

Companies should accept that cyber events are inevitable. They should also embrace the opportunities that the EU gives them. Demand for cyber-secure products and services is growing and there is room for new opportunities. Companies that incorporate cyber risk compliance in their strategy formulation process have a strategic edge over their competitors.