Those who have been concerned about the cyber resilience of Operational Technology (OT) will have celebrated the inception of the EU Network and Information Systems Directive (NIS), which seeks to protect critical national infrastructure (CNI) assets. The breach reporting and penalty mechanisms are the same as for GDPR, so CNI organisations that suffer a business interruption face fines of up to £17m. Fines will be tiered according to the severity of the breach or business interruption and the level of cyberattack protection that was in place. However, there are still some hurdles to early NIS implementation.
Yet NIS obligations are increasing, albeit from an unexpected direction. The NIS Directive applies personal liabilities to Board-level directors of CNI organisations. Previously these liabilities have been covered by insurance premiums, but insurers are becoming more inclined to understand how organisations are managing their cyber risks and less inclined to simply pay out on demand. Watch out for the insurance industry, which may soon become a champion of EU NIS Directive implementation.