Cyber resilience redefined: holding the C-suite accountable to cybersecurity breaches


Why is board-level accountability for cybersecurity becoming increasingly important?

In October last year, NIS2 replaced the EU's original NIS1 rules, signaling a fresh chapter for cybersecurity obligations across European nations. The UK's Cyber Resilience Act (CRA) is also expected to arrive on British soil in 2025.

Although the overlap initially caused some confusion, it presents an opportunity for business leaders to compare the two approaches and adapt accordingly. But what do these much-needed cohesive security strategies with real consequences mean for the future of cyber resilience?

Although the cybersecurity community broadly welcomed the UK's CRA bill, many felt it was vague. NIS2, in contrast, demands that member states follow clear standards around supply chain security, incident response, and accountability measures.

Potential outcomes for the UK's cyber resilience act

The UK Bill could become more than minimal box-ticking legislation if its authors dare to see the bigger picture. Highlighting the growing urgency around API-driven cyber threats, Chris Darvill, Vice President of Solutions Engineering - EMEA, Kong, explains why proactive API security strategies now require a sharper focus on resilience and adaptation:

"75% of IT leaders are seriously concerned about AI-enhanced API attacks. And they should be. The threat landscape is changing, so how organizations protect their APIs from cyberattacks must also change. In the future, cyber resilience will include having AI-specific security policies and adopting AI infrastructure that can handle observability, security, and traffic control. We are in the AI era, and resilient companies will be the ones with strong API and AI security built into their foundation."

If the UK Bill hopes to match that focus, lawmakers must clarify guidelines and outline the consequences organizations could face if they fail to meet those requirements. These sentiments were echoed by Ricardo Ferreira, EMEA Field CISO at Fortinet, who criticized the UK Bill for referencing supply chain security without explaining how organizations should evaluate third parties or what reporting structures will be in place.

Ricardo hoped the final Bill would specify methods for gauging third-party providers and help businesses define recovery steps.

"It doesn't tell you what the organizations need to do or how big the stick will be from fines. So that's where I felt that it fell short."

Some observers see room for optimism. Freed from the need to match NIS2 exactly, the UK might bring in elements that suit its markets while avoiding rules that feel overly rigid. Ricardo agreed with that perspective, adding that the government could reflect on how NIS2 handles supply chain oversight, post-breach requirements, and accountability.

This might let businesses adopt frameworks that align with their operations rather than fitting themselves to rules designed for all of Europe.

Referring to the possibility that the UK might pick choice elements from NIS2, Ricardo noted:

"Once the EU started, created, and drafted GDPR, you now see a lot of emerging economies picking specific provisions. For example, South Africa, Mexico, it's the Middle East, and so on. They are cherry-picking parts of GDPR that make sense and then coming up with their own data privacy regulatory frameworks, which is amazing."

It's hoped that British lawmakers will have identified the most compelling aspects of the EU approach, particularly in relation to supply chain responsibilities, post-breach strategy, and accountability. However, many worry that the vague draft could leave businesses with no clear route to compliance.

Board-level accountability and post-breach planning

Ricardo also spoke of the more profound importance of accountability in the boardroom. He believes security must shift from a backroom concept to an executive-level discussion.

"This would change things because they now understand that it's a business risk and it's not the IT guys trying to derail the project. So I think it drives better resource allocation for security, it creates a new dynamic."

Although many executives may view cybersecurity as a specialized issue, holding the C-suite responsible helps embed it into everyday strategy. If penalties exist for board members who ignore or minimize security, the message resonates across the organization. This is precisely what NIS2 attempts to do by specifying that top-level decision-makers must be aware of and accountable for security matters.

Adding to that, Ricardo highlighted why post-breach procedures deserve more attention. EU regulators have increasingly pointed out that no organization can ensure absolute protection. Instead, the real test becomes how quickly a firm recovers and prevents further harm.

"Business continuity should also be at the top of mind. This is something that NIS2 places a big focus on. We should also focus on that response and recovery category post-breach for this upcoming Bill."

Everyone can agree that incident planning must go beyond theoretical compliance checklists and annual compliance training where users repeatedly click next.

A proactive approach to cyber resilience requires organizations to run response drills, prepare backup systems, and train their teams to contain breaches. Whether the UK Bill will mandate or merely encourage such a mindset is debatable. Some question whether the final text will create robust penalties or adopt a "best practices" approach that is more suggestive than obligatory.

Building adaptive legislation for a rapidly changing threat environment

Any new Cyber Resilience legislation must continuously evolve and keep up with the pace of threats. The cybersecurity threat environment changes rapidly, with AI and new forms of intrusion emerging each year. Ricardo pointed out that legislation should be drafted in a way that includes a process for updates:

"One of the challenges when developing a framework is that sometimes they get out of the drift, and there's no clear process to review that. So having those mechanisms to review the drift and how far away they drifted from that original goal, there must be something like that."

Advisory committees, composed of diverse stakeholders, could guide these reviews. They might monitor global threats, coordinate with research organizations, and track developments such as software supply chain vulnerabilities.

Open-source software is another area that deserves attention since a small open-source library can be part of countless commercial products. Ricardo also reflected on how real collaboration looks in practice.

The future of cyber resilience

Businesses, policymakers, and analysts will be watching how the UK shapes its legislation. The most successful regulations often emerge when governments welcome insights from those on the ground. If decision-makers are open to a two-way dialogue, the Bill can grow into something that outperforms the skepticism swirling around its initial drafts.

No matter where the UK Bill lands, it sparks valuable discussion about the next phase in digital security. If the UK government refines its approach and draws on lessons from NIS2, it may encourage a more proactive attitude toward security.

The Cyber Resilience Act (CRA) must be more than a threat to punish those who lag behind. To succeed, it must help everyone prepare for an unpredictable future. We will be following the story very closely at CyberNews and will report back on whether the final shape of the Bill will realize the potential of its big promises.