The trigger for all of this of course is NIS2, the EU directive that raises the bar on cybersecurity risk management and incident reporting for operators of critical infrastructure.
It’s worth being clear about where the pressure originates. It’s mostly driven from the top down. Boards and management are acutely aware of the personal liability attached to non-compliance, including fines and, in some cases, suspension of board members.
“Boards and management are acutely aware of the personal liability attached to non-compliance.”
That pressure then flows down the chain. Asset owners push their legal or compliance teams to get organised, and those teams push it further down to the O&Ms managing individual sites, asking a straightforward question: have you got this in place, and if not, what’s the plan?”
NIS2 has now been transposed into national law in 23 of the 27 EU member states. Ireland, along with Spain, France and the Netherlands, is still working through the draft stage. The UK’s equivalent, the Cyber Security and Resilience Bill, looks broadly similar in scope and, in some areas, slightly more stringent.