Cybersecurity is no longer best practice – it's becoming a legal obligation

By Tracey Hannan-Jones, information security consulting director at UBDS Group

For years, organisations responding to cyber incidents could rely on the familiar defence that they had “followed best practice”. Patch management was in place, staff had completed awareness training, and policies existed. That position is becoming increasingly weak. Regulators and courts are no longer treating cybersecurity as a matter of discretion or professional judgement. Across the UK and Europe, it is now embedded in law, regulation, and binding operational frameworks.

The question for boards and executives is no longer simply, “Are we following best practice?” It is, “Can we demonstrate that we are meeting our legal obligations, and can we prove it?”

That distinction matters. Best practice implies choice. Legal obligation implies accountability, enforcement and, in some jurisdictions, personal liability. Organisations that have not recognised this shift may be carrying a level of risk they have not fully understood or priced.

The most significant change is happening in boardrooms. Cybersecurity is no longer a purely technical function that can be delegated entirely to IT teams or managed service providers. Under emerging regulatory frameworks, including NIS2 in Europe and evolving UK governance expectations, directors are increasingly expected to understand and oversee their organisation’s cyber posture.

This does not mean every board member must become a technical specialist. It does mean they must be informed, engaged and able to evidence effective governance. Boards are expected to understand material cyber risks, ensure those risks are formally assessed and managed, and assign clear ownership at senior level. Cyber risk now sits alongside financial and operational risk as a standing board agenda item.

Organisations therefore need to close the gap between technical security operations and executive decision-making. Where that gap remains wide, it creates both governance weakness and legal exposure.

Incident reporting obligations have also tightened significantly. Under NIS2, in-scope organisations across Europe must notify relevant authorities of significant incidents within 24 hours of becoming aware of them, with a fuller report due within 72 hours. The Digital Operational Resilience Act, or DORA, imposes similarly strict requirements on financial sector entities, with additional expectations around resilience testing and third-party risk.

In the UK, the ICO has shown a willingness to take enforcement action where organisations fail to report personal data breaches within the 72-hour window required under UK GDPR. While NCSC guidance is not itself regulation, it increasingly sets the standard against which organisations may be judged after an incident. The consequences of non-compliance go beyond fines. Regulatory investigations are disruptive, time-consuming and public. They affect client confidence, procurement decisions and commercial relationships. They may also create a record that can be used in later civil litigation. The era of the quiet, internally managed breach is effectively over.

Supply chain security has also moved from a risk management preference to a compliance requirement. NIS2 Article 21 requires in-scope entities to address supply chain security, including relationships with direct suppliers and service providers. ISO27001 has long included supplier controls, and the 2022 revision strengthened expectations around supplier agreements and ongoing monitoring.

The shift is significant. Organisations can no longer satisfy due diligence by collecting a questionnaire and filing it away. They must demonstrate active oversight: understanding supplier access, embedding contractual security obligations, monitoring compliance and managing supplier incidents that could affect their own environment.

Managed service providers and other critical suppliers are particularly affected. For years, many assumed that their clients’ compliance obligations were the clients’ problem. That assumption is no longer sustainable. Under NIS2, MSPs providing services to in-scope organisations may themselves be brought into scope. They face obligations around incident notification, security measures and supply chain management. DORA creates similar expectations for ICT service providers supporting financial services. MSPs now need their own documented, tested and auditable information security management systems, incident response plans, access controls, continuity arrangements and supplier management processes.

The message for MSPs and critical suppliers is clear: clients’ auditors, regulators and procurement teams will increasingly examine you directly. Your role in the supply chain makes you a risk vector, and you will be treated accordingly.

The appropriate response is not panic or a costly technology purchase. It is a structured, evidence-based approach to governance.

Start with a gap analysis against the frameworks that apply to your organisation. For many UK businesses, ISO27001 provides a useful baseline. NIS2 may apply if you operate in or supply to the EU, while DORA is relevant if you serve the financial sector. A gap analysis shows where controls are weak and where documentation does not support the claims being made about security posture.

Appoint or engage a qualified governance lead, whether an internal hire, virtual CISO or external consultant. This person should translate regulatory requirements into practical controls and represent the organisation during audits, procurement reviews, or regulatory inquiries.

Map your supply chain. Identify critical suppliers, understand their access and ensure contracts contain adequate security obligations. Document and test incident response plans through tabletop exercises, simulated incidents and recorded lessons learned.

Finally, treat certification not as a one-off project, but as part of an ongoing management system. ISO27001 certification can demonstrate continuous improvement, support procurement, and provide assurance to clients and regulators.

Organisations that treat cybersecurity as a governance obligation, rather than a technical cost, will be better placed to meet legal duties, retain client trust and respond effectively when incidents occur. Those that do not are carrying a risk that is growing, not diminishing.
