Your Board Is Now Personally Accountable for OT Cybersecurity. Is It Ready?
- Brian McCarthy
- Apr 1
- 7 min read
Updated: Apr 2
The regulatory landscape governing industrial automation in oil and gas has fundamentally shifted — and the accountability now reaches the boardroom.
Most oil and gas executives have heard of NIS2, but many do not realize it holds them personally accountable for compliance, not just their IT or OT teams.
This is not a simple compliance checkbox. Under NIS2, as transposed into national law by each member state, serious non-compliance can result in significant fines and, for essential entities, a temporary ban on individuals exercising management functions. And NIS2 is only one of several regimes that have expanded significantly in the past 18 months.
Here is what oil and gas boards and senior executives need to know, along with the steps they should take.
The Regulatory Stack Has Changed Significantly
Oil and gas operations that use SCADA systems, distributed control systems (DCS), programmable logic controllers (PLCs), and pipeline automation now face several overlapping regulations. Many of these rules are new or have been recently updated:
ISA/IEC 62443-2-1 (Updated 2024)
The leading global standard for industrial automation and control system (IACS) cybersecurity was revised in 2024. The new edition of Part 2-1, which covers the asset owner's security program, makes clear that the operator is the 'asset owner' responsible for that program, not just the IT department. It also sets stricter requirements for patch management, remote access controls, and risk assessment methods, and aligns them with ISO/IEC 27001 and NIST SP 800-82. Note that 62443 is a standard, not a law: it imposes no deadline of its own and becomes binding only when a regulator, insurer, or customer contract references it. In practice, organizations typically need between 12 and 36 months to close the gap, depending on their current level of readiness.
EU NIS2 Directive (Transposition Deadline October 2024)
This directive has major implications for leaders. NIS2 lists energy, including the oil subsector, among the sectors of high criticality in Annex I, so oil and gas operators that are established in the EU or provide services there must comply, regardless of where the parent company is headquartered. Member states were required to transpose it into national law by 17 October 2024, although several did so late.
NIS2 is unique in how it handles accountability. The directive requires member states to hold the management body personally responsible for compliance failures, and this extends to any natural person who represents the company, makes decisions on its behalf, or exercises control over it. While each country sets its own penalties, the core obligations are the same: management must approve and oversee cybersecurity risk-management measures, complete cybersecurity training, and, for essential entities, can be temporarily barred from exercising management functions for serious non-compliance.
In practice, 'approve and oversee' means reviewing and formally signing off on OT security policies, requiring regular briefings from the CISO or OT security lead on key risks and incidents, and ensuring that cybersecurity is a standing item at board or committee meetings. Boards should expect to receive and challenge reports on major vulnerabilities, track OT remediation progress, and request independent assessments when needed. Assigning responsibility to a specific board committee and having clear documentation of these decision points are now regulatory expectations.
Essential entities can be fined up to €10 million or 2% of global annual turnover, whichever is higher; for important entities the ceiling is €7 million or 1.4%. Board-level cybersecurity training is required of the management body itself and cannot be delegated to a CISO. Failing these obligations can lead to personal liability, including suspension from management duties in serious cases.
EU Cyber Resilience Act (In Force December 2024, Full Obligations December 2027)
The CRA requires that any product with digital elements, including the automation hardware and software used in the oil and gas industry, meets essential cybersecurity requirements before it can be placed on the EU market. Non-compliant products can be restricted, withdrawn, or recalled, affecting your ability to operate or sell there. This rule applies to every vendor in your OT supply chain and changes how you manage procurement and third-party risk. The manufacturers' vulnerability and incident reporting obligations apply from September 2026 and the main conformity requirements from December 2027, so operators have limited time to review the technology they buy and the vendors they depend on.
EU Cybersecurity Act 2 (Proposed January 2026)
The European Commission proposed the Cybersecurity Act 2 on January 20, 2026. The proposal would give ENISA greater authority, require mandatory cybersecurity certification for ICT products and services used in critical infrastructure, and establish new rules for ICT supply chain security. For oil and gas operators, this means future automation technology will need verified conformity assessments. Boards should track this now rather than wait for it to become law.
TSA Pipeline Security Directives (U.S.)
U.S. pipeline operators must follow TSA Security Directive Pipeline-2021-01 and Pipeline-2021-02, together with their later revisions. The 2021-01 series requires a designated cybersecurity coordinator and reporting of cybersecurity incidents to CISA; the 2021-02 series requires a cybersecurity implementation plan, an incident response plan, and an assessment program that reviews the architecture of critical pipeline OT systems. Not following these rules can lead to penalties, increased scrutiny, and possible operational limitations. The directives were issued after the Colonial Pipeline attack, have been tightened with each renewal, and now set the basic federal standard.
Regional Regimes: Saudi Arabia, UK, Australia
Global operators also need to follow Saudi Arabia’s NCA OTCC-1:2022, which mandates OT cybersecurity controls for organisations that own or operate critical national infrastructure (large operators such as Aramco pass these obligations down their supply chains); the UK’s Cyber Assessment Framework v4.0; and Australia’s Security of Critical Infrastructure Act, with its 2022 to 2024 amendments. Each country sets its own rules for operator accountability.
The Governance Gap That Regulators Are Targeting
For a long time, OT cybersecurity was seen as just an engineering problem. Security teams handled SCADA environments, IT and OT worked separately, and boards rarely got updates that connected OT risk to overall business risk.
Regulators in all major regions now see this gap as a serious weakness. They have responded by making accountability a governance issue, not just a technical one.
The reasoning is simple: if boards control budgets, set risk levels, and approve strategy, they must also take responsibility for cybersecurity risk.
A CISO usually cannot redirect budget to fix OT issues without board approval, and large-scale incident response needs executive authority. Those who can solve the problem must also be held accountable for it.
NIS2 and the updated ISA/IEC 62443 now make this responsibility a legal requirement. The question is not if boards are responsible for OT cybersecurity governance, but whether they are ready to take on that responsibility.
What Boards and Senior Executives Must Do Now
Meeting these regulatory requirements is not a quick task. Large programs usually take 18 to 36 months. However, the fastest way to reduce personal and organizational risk is through governance actions, not technical fixes.
Ask for a formal briefing on your OT risk status. NIS2 and ISA/IEC 62443 require boards to approve and oversee cybersecurity risk management. You cannot approve what you have not seen. Request a structured OT security briefing that shows how your current status compares to the relevant frameworks.
Complete cybersecurity governance training. NIS2 requires it, and ISA/IEC 62443-2-1:2024 supports the need. This is not an IT awareness course. A board training program should cover roles and legal obligations under NIS2 and ISA/IEC 62443, OT cyber risk scenarios specific to oil and gas, crisis decision-making and regulatory reporting, and best practices for ongoing oversight at board level. Formats range from focused workshops to tabletop scenario exercises and regular briefings involving both internal and external subject matter experts. Boards should choose training that tests practical understanding and prepares them to respond to an incident or a regulatory inquiry.
Understand which regulations apply to you. If you operate in the EU, you are likely covered by NIS2 and the CRA. If you run U.S. pipelines, TSA rules apply. Match your OT environments to the regulations that govern them.
Check your OT supply chain. The CRA and ISA/IEC 62443 require you to manage cybersecurity risk from suppliers and vendors. If a third-party component in your SCADA or DCS environment is compromised, your board could be held responsible for insufficient oversight. Ask management to maintain an up-to-date inventory of critical OT vendors, to verify that vendor contracts include cybersecurity obligations aligned with the applicable regulations, and to commission periodic independent assessments of high-risk suppliers. Then request regular reports on critical supplier posture, including vendor risk assessment results, supply chain incident reviews, and remediation status. Documented actions of this kind demonstrate board-level oversight of supply chain risk and reduce potential liability under the new regulations.
Make sure there is clear board-level ownership. OT cybersecurity governance should be a regular agenda item, not just discussed once a year. Assign a board committee or give the audit committee a specific OT focus. Make sure ownership is clear and documented.
The Insurance and Audit Dimension
This change in regulations does not stand alone. Cyber insurers now often require proof of OT-specific controls before they will insure industrial operations. Increasingly, your ability to obtain or renew cyber insurance depends on demonstrating compliance with evolving regulations like NIS2 and ISA/IEC 62443. Boards should be aware that non-compliance may result in higher premiums, reduced coverage, or even denial of insurance.
Auditors are also starting to treat OT cybersecurity governance as a key internal control. Organizations that can show board-level ownership, documented risk management, and alignment with recognized frameworks such as ISA/IEC 62443 satisfy auditor requirements, are in a stronger position during insurance and audit reviews, and can lower premiums and improve claims outcomes during an incident.
On the other hand, organizations that treat OT security as just a technical issue for engineering or IT teams will find this approach harder to maintain. Regulators, insurers, auditors, and investors may impose penalties, raise premiums, or limit investments if board-level accountability is missing.
The Bottom Line
The rules for industrial automation in oil and gas have changed a lot in the last two years. The main idea behind the new framework is simple: accountability is essential.
Boards that stay informed, get trained, and take an active role in OT cybersecurity governance are not just compliant; they are also better prepared for the threats that led to these regulations. Boards that do not will face risk on many fronts.
The question is not whether this is your responsibility. Regulators have already decided that. The real question is whether you are ready to meet it.
About 327 Solutions
Contact us now to schedule a board governance training or OT compliance session. Equip your leadership with practical steps to address regulatory, audit, and insurance requirements. Secure your organization’s future—take action today.