A mnemonic is always welcome. In this case it is an ABC that captures the essence of NIS2 well: Accountability, Business continuity and Corporate governance. In other words, A) responsibility for cyber resilience, B) a plan of action to secure business continuity, and C) oversight of, and compliance with, the measures taken.
The governing bodies (boards) of essential and important entities must approve the cybersecurity risk-management measures their organization takes and oversee their implementation, and they can be held liable for non-compliance. That is why they must actively monitor compliance rather than delegate it entirely. Monitoring also means ensuring that the relevant personnel, including the board members themselves, are properly trained to understand and assess the risks.
In other words, executives can no longer get away with being uninvolved in digitalization, and cyber has long since ceased to be the responsibility of IT alone. Consider the 2021 ransomware attack on Colonial Pipeline in the U.S.: the company was subsequently sued by downstream parties for consequential damages, even though the organization was itself the initial victim.
There is no settled case law for that type of claim yet, but that is certain to change. Which brings us back to the A of accountability. Accountability means taking sufficient measures and being able to demonstrate that those measures have been taken. Article 18 (of the Dutch Wbni) sets out the minimum measures as well as the general obligation to take appropriate and proportionate technical and organizational measures. Think of policies and procedures, such as tests and audits, for assessing whether the measures are actually effective.
Finally, business continuity covers all the steps and measures taken to keep services running under unforeseen circumstances. There must be a plan for this: an inventory of vulnerabilities and their possible consequences, followed by an approach for dealing with them so that continuity of services is guaranteed.
EU member states will soon be responsible for ensuring that these measures are in place, or are taken without delay where they are not. Which brings us to a very important addition to the ABC: the notification obligations.