Individual accountability will concentrate minds to a greater extent even than the potential fines. The reputational damage to the organisation, not to mention to the individual concerned, of having an executive suspended from duties for a breach of the directive could be incalculable. The message it would send to the market is that the organisation does not take cyber seriously, and neither does its leadership.
Accountability regime likely to be far-reaching
Senior leaders will need to deepen their understanding of cybersecurity and the risks it presents for their organisations. They will also need to familiarise themselves with the requirements of the NIS2 Directive to ensure compliance on an ongoing basis. This in no way absolves CTOs and CISOs from the responsibility of making a better case when advocating for cyber investments.
The identity of the “responsible officer” to be held accountable is not clearly defined in the directive. It could in theory apply to everyone from the CTO to the CEO, the chair of the board risk committee and the chair of the board itself. For public sector organisations, it could apply to the CTO, the CEO, or the Secretary General of the Department.
We will likely have to await the publication of the legislation to transpose the directive into Irish law for clarity on this issue. In the meantime, senior leadership teams and boards will need to prepare for the prospect of a very far-reaching accountability regime.
The directive also expands quite significantly the number of sectors covered with health, digital infrastructure, public administration, ICT providers, and waste management among those now in scope. It also introduces new cybersecurity risk and incident management requirements as well as strict reporting requirements for cybersecurity incidents.
Five-step strategy to be NIS2 compliant
While that may complete the journey to NIS2 compliance, it marks the beginning of another one, which leads to cyber risk quantification (CRQ). CRQ is only just beginning to be discussed in the market, but it will be front of mind for CTOs, CISOs and cyber professionals in the near future.
For the first time, it will offer a means of objectively quantifying cyber risk in terms that will be comparable across organisations and sectors and will enable the setting of baselines against which improvement or deterioration can be measured.
NIS2 is the present, CRQ is the future.
Summary
The transposition into Irish law of the NIS2 Directive will bring with it new cybersecurity and incident reporting requirements for organisations across a wide range of industries in the public and private sectors. For the first time, it introduces the concept of individual accountability. This will not only incentivise compliance but will have far-reaching consequences for how cyber investments are viewed at C-suite and boardroom levels.