From Policy to Practice: The Metro Company's Adaptation to the NIS2 Directive PDF
Khaawla Hush
Summary
This is a project focused on the implementation of the NIS2 Directive in the Metro Company, a critical infrastructure organization, regarding challenges and strategies to achieve regulatory compliance. The research explores how structural governance pressures interact with local decision-making processes, focusing on reporting redundancies, resource constraints, and sector-specific complexities. It also analyzes the role of advocacy coalitions and policy brokers in optimizing reporting structures.
From Policy to Practice: The Metro Company’s Adaptation to the NIS2 Directive
Khaawla Hush – 68829
Project-oriented Internship

Abstract
This project examines the implementation of the NIS2 Directive in the Metro Company, a critical infrastructure organisation, regarding challenges and strategies to achieve regulatory compliance. The research applies the three modes of governance developed by Knill and Lenschow and the bottom-up implementation theory by Sabatier to explore how structural governance pressures interact with local decision-making processes. The following key challenges emerge: reporting redundancies, resource constraints, and sector-specific complexities in aligning with the requirements set by the directive. The adoption of the ISO 27001 standard is therefore a core strategy that might reduce the complexity of compliance while maintaining cybersecurity maturity. The empirical data underline the role of advocacy coalitions, policy brokers, and collaborative efforts in optimising reporting structures. The findings show how organisations balance regulatory imperatives with operational realities and yield insights into adaptive strategies for enhancing cybersecurity governance in the EU’s evolving policy landscape.

Table of Contents
Introduction (p. 5)
Problem area (p. 6)
Literature review (p. 7)
  Policy Implementation and EU Cybersecurity (p. 7)
  Regulatory Frameworks and Challenges (p. 7)
  Economic Implications and Regulatory Risks (p. 8)
Problem formulation (p. 9)
Theory (p. 9)
  Knill and Lenschow’s Three Modes of Governance (p. 10)
    Coercion (p. 10)
    Competition (p. 10)
    Communication (p. 10)
  Sabatier’s Bottom-Up Approach (p. 11)
    Policy Networks and Advocacy Coalitions (p. 11)
    Adaptation and Learning (p. 12)
    Implications for Institutional Change (p. 12)
    Theory Integration and Relevance to Analysis (p. 12)
Methodology (p. 13)
  Case Study (p. 13)
  Overview of Key Actors (p. 14)
    Digitalisation and Information Technology Unit (DIT) (p. 14)
    Finance Unit (p. 14)
    Secretariat and Risk Unit (My Unit) (p. 14)
    The Board as an Invisible Actor and Executive Directors (p. 14)
  Data Collection Methods (p. 15)
    Field Notes (p. 15)
    Company Reports (p. 16)
    Document Analysis Methods (p. 16)
  Limitations of the Methodology (p. 16)
  Sub-Conclusion (p. 16)
  Operationalisation (p. 17)
Analysis (p. 18)
  The NIS2 Directive’s Relation to the Metro Company (p. 18)
  Mode of Governance and Institutional Rationalities (p. 20)
  Challenges in Reporting and Internal Governance (p. 21)
  Implementing Actors and Advocacy Coalitions: A Bottom-Up Perspective (p. 22)
  Core Beliefs Shaping Implementation Dynamics (p. 22)
  Challenges in Navigating Overlapping Responsibilities (p. 23)
  Adaptive Strategies and Overcoming Challenges (p. 23)
  Sub-Conclusion (p. 23)
Conclusion and discussion (p. 24)
Bibliography (p. 26)

Introduction
The quickly developing landscape of cybersecurity raises significant challenges for organisations and policymakers. In response to escalating threats, the European Union has introduced Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, i.e. NIS2, to enhance cybersecurity resilience across member states and sectors. Cybersecurity can be defined as a set of measures, standards, and processes that ensure a high level of reliability when using products and services connected to the digital ecosystem, i.e. cyberspace (Boban, 2024). NIS2 is now, like the General Data Protection Regulation (GDPR), a component of the EU regulatory framework. More specifically, Art. 23 of this directive refers to the notification of GDPR breaches (Boban, 2024). This means that companies must integrate NIS2 and GDPR to manage risks.

Building on its predecessor, the original NIS (1) Directive, NIS2 seeks to address gaps in coverage, impose stricter requirements, and harmonise standards to ensure a more coordinated and robust approach to cybersecurity across the EU (Official Journal of the European Union). However, while the directive sets ambitious goals, its practical implementation reveals critical complexities, particularly in how organisations interpret and apply its provisions (Kianpour and Raza, 2024). A key challenge lies in the directive’s sector-specific implementation, which requires organisations across diverse industries to tailor their compliance strategies to meet the directive’s criteria. The variability in institutional capabilities, economic resources, and organisational structures across sectors can lead to inconsistencies in compliance outcomes (Kianpour and Raza, 2024). Moreover, regulatory uncertainty surrounding the directive’s application further complicates the decision-making process for organisations, creating delays and increasing costs. These challenges underscore the importance of examining how organisations operationalise NIS2 within specific contexts, shedding light on the factors that facilitate or hinder effective implementation (Kianpour and Raza, 2024).

This project focuses on the Metro Company, a critical infrastructure organisation, as a case study to explore the practical implications of NIS2. The Metro Company’s position as a vital service provider offers a unique lens through which to examine the directive’s intersection with policy design and organisational capacity. By analysing how the Metro Company interprets the directive’s criteria, identifies and addresses challenges, and develops strategies for compliance, this study provides valuable insights into the broader dynamics of NIS2 implementation.
Grounded in policy implementation theory, this research seeks to contribute to the understanding of how the EU cybersecurity directive NIS2 functions in practice. It aims to provide insight into how sector-specific challenges are addressed, as well as how the directive’s objectives can be met efficiently. By situating the discussion within the broader trajectory of EU cybersecurity initiatives, this project highlights the need for adaptive and collaborative approaches to cybersecurity governance in an increasingly interconnected and vulnerable digital ecosystem.

Problem area
Cybersecurity has, since COVID-19, become a critical policy topic worldwide, particularly in the European Union, driven by the increasing reliance on digital technologies and the escalating risks that emerge from cyber threats. Initially, cybersecurity was framed as an economic concern to safeguard the Single Market, but it has now become a distinct policy domain addressing issues ranging from protecting critical infrastructure to combating cybercrime and disinformation (Carrapico and Farrand, 2020). This transformation reflects a shift in priorities as the EU grapples with the dual challenges of fostering digital innovation and ensuring the security of its digital ecosystem (Carrapico and Farrand, 2020).

The phenomenon of changing cybersecurity legislation reflects a changing world climate, marked by geopolitical conflicts, pandemics, technological vulnerabilities, and increasing cyber threats. All these shifts create a changing landscape in which legislation must keep up and adapt to address emerging risks. The NIS2 directive illustrates this evolution. It represents a significant update to its predecessor, NIS1, by broadening the scope of requirements and increasing accountability for organisations handling critical infrastructure. Despite the directive’s ambitious goals, its practical implementation can become a pressing challenge.
Organisations must navigate complex compliance requirements, including risk management, incident reporting, and employee training. This can be a hurdle for organisations that are already battling resource constraints, and member states may face varying national enforcement capacities.

The NIS2 directive represents a significant step forward in strengthening cybersecurity across the EU, with its stricter requirements and efforts to harmonise standards across member states. However, its implementation has highlighted key challenges, particularly the discrepancies in institutional capabilities among member states and sectors (Singh, 2023). While the directive builds on established EU cybersecurity policies that emphasise public-private partnerships and resilience, it often reinforces existing practices rather than introducing transformative changes. This became especially evident during the COVID-19 pandemic, which exposed vulnerabilities in the alignment of policy and practice (Carrapico and Farrand, 2020). Additionally, regulatory uncertainty surrounding NIS2 has introduced economic challenges, complicating investment decisions and delaying compliance efforts for many organisations (Kianpour and Raza, 2024).

Against this backdrop, sector-specific implementation of NIS2 presents unique complexities that call for closer examination. Sector-specific refers to the critical infrastructure sector the organisation is part of; in this case, the sector is the transportation sector. Using the Metro Company as a case study, this project explores how a critical infrastructure organisation navigates the directive’s requirements, focusing on the interpretation of criteria, the practical challenges of compliance, and the strategies adopted to address these obstacles.
By utilising a policy implementation framework, the analysis investigates the factors that facilitate or hinder effective implementation, shedding light on the interplay between policy design and operational realities. This study aims to contribute to a deeper understanding of NIS2’s practical implications, offering insights for both policymakers and businesses. Situating the analysis within the broader trajectory of EU cybersecurity initiatives highlights the need for more nuanced and adaptable approaches to ensure that sector-specific challenges are adequately addressed.

Literature review
Policy Implementation and EU Cybersecurity
Implementing the NIS2 directive within the European Union has provided a path for analysing how regulatory frameworks influence organisational strategies and economic decisions. This literature review focuses on three key areas: regulatory challenges, the evolution of EU cybersecurity policies, and the economic implications of compliance.

Regulatory Frameworks and Challenges
Singh’s (2023) research paper ‘The European Approach to Cybersecurity in 2023: A Review of the Changes Brought in By the Network and Information Security 2 (NIS2) Directive 2022/2555’ emphasises the transformative nature of the NIS2 directive by highlighting its broader scope compared to NIS1, which also includes stricter requirements for risk management, incident reporting, and penalties if essential and important entities are non-compliant (Singh, 2023). This literature shows that the directive aligns with other EU regulations, particularly GDPR, aiming to harmonise cybersecurity standards across member states. However, Singh has identified challenges in national transposition, such as discrepancies in institutional capacities and enforcement mechanisms (Singh, 2023). These gaps mark the complexity of policy implementation in a multilevel governance framework like the EU.
Carrapico and Farrand (2020) give a complementary perspective by situating EU cybersecurity policies within a broader institutional and historical context. Drawing on discursive and historical institutionalism, they argue that the trajectory of EU cybersecurity is shaped by path dependencies rooted in economic and security rationales (Carrapico and Farrand, 2020). While the COVID-19 pandemic contributed to the acceleration of certain trends, such as reliance on digital solutions and heightened cybersecurity risks, it primarily reinforced pre-existing institutional philosophies rather than introducing significant changes (Carrapico and Farrand, 2020). Their analysis underscores the EU’s reliance on public-private partnerships and the central role of resilience in policy design (Carrapico and Farrand, 2020).

Economic Implications and Regulatory Risks
Kianpour and Raza (2024) dive into the economic challenges posed by regulatory changes, emphasising the uncertainty and risks associated with changing and evolving cybersecurity policies (Kianpour and Raza, 2024). Their stochastic econometric model shows that regulatory uncertainty often leads businesses to a “wait-and-see” approach, delaying investments and potentially weakening compliance efforts (Kianpour and Raza, 2024). This dynamic highlights the importance of stable and predictable regulatory environments for fostering effective cybersecurity practices.

Based on the existing literature, a multifaceted comprehension of EU cybersecurity policy emerges. Singh (2023) gives a detailed analysis of NIS2’s transformative potential, while Carrapico and Farrand (2020) take another approach by situating these developments within a broader institutional trajectory. Furthermore, Kianpour and Raza (2024) add an economic dimension, highlighting the practical challenges organisations face when navigating regulatory uncertainty.
These perspectives mark the interplay between policy design, institutional continuity, and economic feasibility.

Furthermore, while the literature offers valuable insight, it also reveals some gaps. The strengths highlighted in the literature are seen in the integration of historical and discursive institutionalism by Carrapico and Farrand, who offer a robust framework for understanding continuity and change in EU cybersecurity policy. Additionally, Kianpour and Raza’s quantitative approach enriches the discussion on the economic implications of regulatory risks by providing actionable knowledge for policymakers and businesses. However, the existing literature shows limitations as well. Mainly, the empirical evidence on the sector-specific implementation of NIS2 remains limited. While Singh outlines the directive’s transformative scope, the analysis lacks a deeper engagement with how institutional variability across member states affects implementation. This review marks the need for sector-specific studies to bridge the gap between practical challenges and theoretical insight. Therefore, this project will examine how the Metro Company will implement the NIS2 directive.

Problem formulation
Therefore, I now come to my main research question: How is the NIS2 directive operationalised by implementing actors at the Metro Company, and what challenges and strategies emerge as they navigate the directive’s requirements?

Theory
This project’s analysis will be based on the theoretical framework of Knill and Lenschow’s (2005) three modes of governance alongside Sabatier’s (1986) policy implementation theory. By combining these theories, I seek to bridge the gap between the policy implementation of cybersecurity policy (NIS2) and its sector-specific application. Together, these theories help me to understand the systemic and localised factors influencing how policies are operationalised, particularly within a multilevel governance structure such as the EU.
These theories provide a complementary perspective. Knill and Lenschow’s governance patterns provide a macro-level picture by focusing on modes of governance. They go into depth about different approaches to European governance and their impact on national institutions (Knill and Lenschow, 2005). Knill and Lenschow identify three rationales behind national bureaucracies’ reactions to EU regulations: keep existing structures, optimise results, and obtain legitimacy (Knill and Lenschow, 2005). In contrast, Sabatier provides a micro-level perspective through his bottom-up approach to policy implementation. By shifting the focus, different dynamics are uncovered, emphasising the role of local actors and their core beliefs in understanding, interpreting, and enacting policy. By investigating the interplay between modes of governance and the beliefs, as well as actions, of ground-level implementers, this project seeks to uncover and understand how both structural pressures and individual agency form policy implementation.

Knill and Lenschow’s Three Modes of Governance
The three modes of governance Knill and Lenschow have identified in their theory are coercion, competition, and communication. These factors, depending on how they are used, will often provoke institutional responses to new directives.

Coercion: This mode of governance is the strictest, due to its binding legal mandate that rarely leaves any wiggle room for national bureaucrats. Coercion often leads to incremental adjustments more focused on compliance rather than fully transforming structures in society (Knill and Lenschow, 2005). Institutions seek to meet the minimum requirements of a directive to minimise disruption to existing structures. Although coercion aims at harmonisation, it often encounters reluctance from policy-implementing actors not wanting to deviate from existing processes (Knill and Lenschow, 2005).
Hence, coercion has a persistence-driven rationality, because of its focus on sustaining stability while obtaining basic compliance requirements.

Competition: This introduces a less direct approach to EU regulatory policy on national institutions (Knill and Lenschow, 2005). Using this approach implies limited legally binding criteria. It instead offers more flexibility by allowing member states to decide how they want to meet overarching goals in a performance-driven framework. Competition leverages comparative benchmarks and incentives, essentially motivating institutions to become more innovative and optimise their practices while maintaining compliance (Knill and Lenschow, 2005). Thus, competition promotes convergence by having a performance-driven rationality.

Communication: This mode relies on voluntary information exchange and the sharing of best practices, rather than mandating specific actions. It encourages learning and legitimacy-driven change through the collaboration of transnational networks (Knill and Lenschow, 2005). By using communication, institutions might adopt policies to align with widely recognised practices and norms to enhance their legitimacy within an EU framework (Knill and Lenschow, 2005). Therefore, this mode has a legitimacy-driven rationality.

Sabatier’s Bottom-Up Approach
Sabatier’s bottom-up approach redirects the focus from centralised policy design to localised processes of interpretation and implementation, i.e. the people that turn the policies into reality. A key factor of this approach is the emphasis on core beliefs held by the implementing actors and how their choices, interactions, strategies, actions, and understanding of these policies shape the outcome (Sabatier, 1986; Hann, 1995).

Policy Networks and Advocacy Coalitions
Sabatier emphasises that implementing actors frequently operate within networks of stakeholders such as industry representatives, regulators, and advocacy coalitions.
The framework of advocacy coalitions Sabatier proposed emphasises what he calls sub-systems. These are networks with common core beliefs that influence how policies are understood and applied (Sabatier, 1986; Hann, 1995). Furthermore, within these subsystems, at some point, each coalition adopts a strategy (or strategies) to align their objectives to a policy issue. If one or more policy strategies conflict, the different coalitions are mediated by ‘policy brokers’ (Sabatier, 1995). The policy broker’s main objective is to find compromises to obtain equilibrium between the coalitions (Sabatier, 1995).

However, for this project, I will use this theory slightly differently, given that the company I am working with is a large organisation and has several actors that shape the implementation of this policy. Therefore, when I mention advocacy coalitions, I am referring to the different actors within the organisation that have different views or opinions on the implementation process.

Sabatier furthermore adds another level of complexity to advocacy coalitions through what he calls ‘core beliefs’ and ‘secondary aspects’ of policy (Sabatier, 1995). Sabatier identifies three beliefs that can influence policy implementation:

1. Deep core beliefs: These entail fundamental values and principles that are not easily influenced to change, e.g., beliefs about the role of government or market dynamics (Hann, 1995).
2. Policy core beliefs: Here, there is a specific, yet resilient, belief about the methods or strategies you believe to be the best to achieve substantial policy goals (Hann, 1995).
3. Secondary aspects: These entail operational beliefs that are more flexible depending on new information or experiences, which can then be subject to modification during implementation (Hann, 1995).

Sabatier’s belief systems act as a lens through which implementers interpret and apply directives.
For example, implementers who prioritise efficiency might emphasise cost-effectiveness in policy application, while other actors who focus on equity beliefs might favour strategies that promote wider inclusivity.

Adaptation and Learning
Sabatier highlights that policy implementers refine their approaches based on a combination of experiences, feedback, and changing conditions, such as new information, in an iterative process that the actors go through. This leads to a process called policy-oriented learning (Hann, 1995). During this process, policy implementers rearrange their approaches to align with emerging evidence or shifting priorities while remaining anchored in their core beliefs (Hann, 1995).

Implications for Institutional Change
Unlike Sabatier’s top-down model, which emphasises oversight and compliance, his bottom-up approach underscores the dynamic interplay between agency and structure. While core beliefs give stability, secondary aspects provide flexibility by enabling actors to adapt policies to fit their local frameworks (Hann, 1995).

Theory Integration and Relevance to Analysis
The integration of Knill and Lenschow’s governance patterns and Sabatier’s bottom-up approach allows for a more comprehensive framework for analysing policy implementation. Knill and Lenschow’s theory offers the more structural aspect imposed by EU governance. Thus, it can potentially be said that by using coercive elements, the NIS2 directive will lead the Metro Company to adopt minimalist changes to meet the minimum compliance requirements. Meanwhile, communicative elements may encourage the company to embrace innovative practices, depending on its ability to engage with national networks. Sabatier’s bottom-up approach, with its focus on core beliefs and local discretion, emphasises the agency of local actors in shaping policy outcomes. Nonetheless, the effectiveness of NIS2 implementation may depend on the clarity and enforceability of the directive.
Furthermore, local adaptation by the company significantly influences compliance outcomes, driven by internal capacities and contextual factors. By balancing localised and structural perspectives, this theoretical framework will help me provide a more nuanced comprehension of the dynamics underlying policy implementation, which can be intricate to navigate within complex governance systems.

Methodology
In this study, I employ a qualitative case study approach to explore the Metro Company’s preparation for and implementation of the NIS2 directive. Qualitative methods were in this case suited to investigating complex governance and regulatory processes, as they allow for a detailed understanding of interactions and decision-making within their real-life organisational context (Bowen, 2009). The Metro Company as a case allowed me to analyse the interplay between compliance requirements and internal governance dynamics. As the owner of critical infrastructure, the company faces significant responsibility in aligning with the strict cybersecurity and reporting obligations mandated by the directive (field notes). Thus, this methodology section outlines the approach I have taken, including the reason for the case study, data collection methods, and limitations.

Case Study
Based on my internship at the Metro Company, I chose a case study approach. My time there, and being directly involved in the implementation process of the NIS2 directive, particularly the governance aspect, allowed me a deep dive into a specific bounded system within its real-world context: namely, the phenomenon of how the company navigates changing legislation in a shifting global climate. A case study is particularly valuable for investigating phenomena where the boundaries between phenomenon and context are not immediately apparent (Yin, 2018). My internship thus guided me to this case study due to the company’s ownership of critical infrastructure and its obligation to comply with the NIS2 directive’s requirements.
The directive introduces comprehensive cybersecurity governance measures, hence providing an ideal framework to explore the practicalities of regulatory compliance. By focusing on this single case, the project aims to understand how the Metro Company navigates regulatory pressures, adapts governance structures, and balances compliance with operational realities. This in-depth investigation allows for the identification of patterns and insights into a critical infrastructure organisation.

Overview of Key Actors
Digitalisation and Information Technology Unit (DIT): The Cyber and Information team under the DIT Unit serves as the primary actor responsible for implementing the NIS2 directive. Their key roles involve managing the company’s cybersecurity risks, conducting maturity assessments aligned with the ISO 27001 standards, and fulfilling the directive’s strict reporting requirements. This team interacts with governance bodies such as the Risk Committee, and the Cyber team is the main actor in ensuring that NIS2 and GDPR compliance measures are met and integrated into the company’s operational framework (field notes).

Finance Unit: The Finance Unit plays a supportive role in the NIS2 directive implementation. They primarily focus on compliance with regulatory obligations, such as GDPR, to avoid financial repercussions for the company. While open to optimising reporting processes, they remain protective of their compliance oversight responsibilities. Their cautious approach ensures accountability while supporting broader governance efficiency, making the Finance Unit a secondary but important actor (field notes).

Secretariat and Risk Unit (My Unit): The Secretariat and Risk Unit operates as a policy broker by facilitating cross-departmental collaboration and the alignment of priorities. My unit oversees governance processes and contributes to optimising reporting structures, ensuring that both the directive’s requirements and the company’s internal objectives are met.
This entails mediating between the Cyber team and other actors, such as the Finance Unit and the board committees’ representatives, to help optimise reporting flows and compliance strategies (field notes).

The Board as an Invisible Actor and Executive Directors: Although not directly involved in day-to-day operations, the Board plays a vital role in shaping decision-making processes and approving key governance measures. The Executive Directors approve initiatives before they reach the Board and also have the final say in the company’s day-to-day operations and decision-making processes (field notes). Furthermore, the Risk and Revisions Committees, subunits of the Board, are particularly influential in this context. Their oversight ensures that the company complies with standards, while their approval processes create an additional layer of accountability.

Figure 1: Flowchart overview of reporting flows (Illustrated by me)

Figure 1 illustrates a visual representation of the reporting flows between the different actors. Each actor is represented by a different colour to highlight the extent of their reporting responsibilities. As the figure shows, the DIT Unit currently faces an extensive reporting burden, with the directive not yet accounted for in the reporting flow. The Cyber team seeks to optimise their reporting flow by consolidating existing cyber reporting with NIS2 requirements to the Risk Committee (field notes). Meanwhile, the DIT Unit has GDPR-related obligations that must be reported to the Revisions Committee (field notes). The lines between the committees, executive directors, and the Board represent orientations rather than formal reports after reviewing inputs from the three key units discussed.

Data Collection Methods
Field Notes: Field notes were collected during meetings, discussions, and through the writing of policy briefs.
These notes document my real-time observations of interactions and opinions among key actors and provide insights into the decision-making processes that shaped the company’s approach to the NIS2 directive. I paid specific attention to discussions on reporting redundancies, compliance challenges, and collaborative strategies.

Company Reports: My study draws on internal reports containing strategies for the preparation of the NIS2 directive and a maturity level evaluation. These internal reports offer empirical evidence of the company’s efforts to align with the directive’s requirements. For example, reports on the implementation of ISO 27001 standards provided valuable data on the company’s cybersecurity maturity and risk management strategies (field notes).

Document Analysis Methods: A document analysis method was employed to investigate the NIS2 directive and company policies. This method required systematically reviewing and evaluating textual data to identify patterns, themes, and gaps. Moreover, a comparative analysis was conducted to align the directive’s requirements with the company’s existing practices. Document analysis is particularly useful in qualitative research for contextualising findings within broader regulatory frameworks (Bowen, 2009).

Limitations of the Methodology

During my research, I encountered some limitations that hindered the process. Firstly, access restrictions due to organisational confidentiality limited my access to specific internal documents, which may affect the comprehensiveness of the analysis. Secondly, the dual role I played as both a researcher and an intern introduced potential observer bias. While this provided insider access and knowledge, it may have influenced interpretations of the data. Furthermore, the study faces scope limitations because focusing on the Metro Company as a single case study restricts the generalisability of the findings to other organisations.
However, the insights gained are valuable for understanding similar contexts within critical infrastructure sectors. Lastly, the study’s timeframe limited the ability to capture long-term effects of the NIS2 directive’s implementation, particularly as full compliance is still in progress.

Sub-Conclusion

This methodology section outlines the use of a qualitative case study approach to investigate the Metro Company’s implementation of the NIS2 directive. By integrating field notes, company reports, and document analysis, the study provides a comprehensive view of how actors interact within governance structures to navigate regulatory compliance. Despite uncontrollable limitations, this approach has offered meaningful insights into the organisational dynamics and adaptive strategies supporting the practical application of the directive.

Operationalisation

Operationalisation helps illustrate how theoretical concepts are translated into measurable indicators and linked to empirical material used in the analysis. The study uses Knill and Lenschow’s three modes of governance and Sabatier’s bottom-up approach to understand the Metro Company’s implementation processes. Outlining my operationalisation table in this way will better illustrate the connection between theoretical definitions, indicators, and the empirical material used in the analysis.

Operationalisation table (columns: Concept, Definition, Indicator, Empirical material)

Concept: Coercion
Definition: A binding legal mandate emphasising compliance with minimum requirements often leads to incremental adjustments rather than transformative changes (Knill & Lenschow, 2005).
Indicator: Evidence of mandatory compliance measures (e.g., reporting requirements), resistance to structural change, and persistence-driven adaptations to meet legal obligations.
Empirical material: NIS2 directive, field notes on reporting challenges, and compliance discussions.

Concept: Communication
Definition: Governance is based on voluntary information exchange, fostering legitimacy-driven changes through shared best practices and collaboration (Knill & Lenschow, 2005).
Indicator: Instances of knowledge-sharing meetings, such as collaboration with external entities (e.g., Copenhagen Airport), and the adoption of ISO 27001 to enhance legitimacy.
Empirical material: Field notes and internal governance documents.

Concept: Advocacy coalitions
Definition: Networks of actors within a system share core beliefs and work toward aligned policy objectives, sometimes mediated by policy brokers (Sabatier, 1986).
Indicator: Presence of coalitions with distinct goals, such as reducing reporting burdens (Cyber team) or retaining compliance obligations (Financial Unit), and instances of policy-brokering by the Secretariat and Risk Unit.
Empirical material: Field notes documenting meetings, and discussions between units.

Concept: Core beliefs
Definition: Fundamental values shape actors’ decisions and strategies, including deep, policy core, and secondary beliefs (Sabatier, 1986).
Indicator: Alignment of actor objectives with beliefs, such as the Cyber team prioritising efficiency and the Financial Unit focusing on compliance.
Empirical material: Field notes, team discussions, and internal documents outlining reporting preferences.

Concept: Secondary aspects
Definition: Flexible beliefs are influenced by new information or operational needs, allowing for policy adjustments during implementation (Sabatier, 1986).
Indicator: Instances of operational decision-making, such as proposing consolidated reporting formats and reassigning reporting responsibilities to specific committees (e.g., Risk Committee).
Empirical material: Field notes and meeting summaries on reporting proposals and changes.

Concept: Policy-oriented learning
Definition: An iterative process where actors refine approaches based on feedback, experiences, and shifting priorities (Sabatier, 1986).
Indicator: Evidence of changes in strategies, such as early adoption of NIS2 requirements, and optimising reporting to reduce redundancy.
Empirical material: Internal reports on ISO 27001 implementation, field notes on iterative learning efforts.

Concept: Persistent-driven rationality
Definition: Resistance to altering existing structures, focusing on meeting minimum requirements to ensure stability (Knill & Lenschow, 2005).
Indicator: Actions aimed at maintaining current reporting flows and minimising disruption, such as retaining GDPR reporting under the Revision Committee.
Empirical material: Governance documents, terms of reference for board committees, and field notes.

Concept: Legitimacy-driven rationality
Definition: Actions taken to enhance organisational credibility within EU governance frameworks through best practices and compliance (Knill & Lenschow, 2005).
Indicator: Adoption of recognised standards like ISO 27001 and emphasis on aligning with EU-wide norms and practices.
Empirical material: Internal governance reports, and field notes.

Analysis

This analysis aims to showcase how the Metro Company has navigated, interpreted, and implemented the NIS2 directive in preparation for the directive’s full implementation into Danish law next year. The directive introduces stringent requirements for cybersecurity risk management and reporting obligations. Therefore, this analysis will examine how the Metro Company’s Cyber team and other key implementing actors navigate these demands, highlighting the interplay between ground-level decision-making influenced by core beliefs and structural governance pressures.

The NIS2 Directive’s Relation to the Metro Company

The NIS2 directive aims to strengthen cybersecurity across the EU by increasing cyber threat measures for essential infrastructure (Official Journal of the European Union). As mentioned earlier, it builds on its predecessor by mandating standardised measures, such as risk assessments, timely incident reporting, and enhanced governance obligations (Official Journal of the European Union). The table below showcases the specific requirements and consequences of non-compliance.
More specifically, Article 20 highlights governance by ensuring that the governing body of a company is made responsible for approving measures for effective cybersecurity governance (Official Journal of the European Union). The purpose of NIS2 is to make organisations aware of the interplay between governance, risk management, and compliance, ensuring ownership and highlighting responsibility (Official Journal of the European Union).

NIS2 requirements and consequences of non-compliance (columns: Category, Requirements/Obligations, Consequences of Non-Compliance)

Category: Cybersecurity Governance
Requirements/Obligations: Management bodies must approve cybersecurity risk-management measures, oversee their implementation, and ensure staff training for compliance with NIS2 (Official Journal of the European Union).
Consequences of Non-Compliance: Management bodies may face liability for infringements, warnings, mandatory orders, or fines (Official Journal of the European Union).

Category: Risk-Management Measures
Requirements/Obligations: Companies must implement risk-management measures, including business continuity plans, supply chain security, vulnerability management, and encryption (Official Journal of the European Union).
Consequences of Non-Compliance: Non-compliance may lead to significant penalties, legal liabilities, and temporary suspension of operations (Official Journal of the European Union).

Category: Reporting Obligations
Requirements/Obligations:
- Within 24 hours: Submit an early warning to the CSIRT or competent authority for any significant incident.
- Within 72 hours: Provide an incident notification with severity details.
- 1 month: Submit a final report summarising mitigation and impact (Official Journal of the European Union).
Consequences of Non-Compliance: Delayed or incomplete reporting may lead to increased scrutiny, financial penalties, or stricter oversight measures (Official Journal of the European Union).

Category: Supervisory Powers
Requirements/Obligations: Competent authorities can conduct audits, inspections, and demand reports to ensure compliance. Cooperation between Member States is required for cross-border incidents (Official Journal of the European Union).
Consequences of Non-Compliance: Supervisory actions may include corrective measures, suspension of certifications, or prohibitions from management roles (Official Journal of the European Union).

Category: Penalties for Infringements
Requirements/Obligations: Significant violations can result in administrative fines of up to 10 million EUR or 2% of global turnover, whichever is higher (Official Journal of the European Union).
Consequences of Non-Compliance: Here the consequence is the same as in the second column.

For the Metro Company, a critical infrastructure organisation, NIS2 holds particular significance. Its focus on cybersecurity directly affects the Metro Company’s ability to maintain the safe and reliable capabilities needed to create new lines and carry out other projects connected to urban planning. The Metro Company does not operate the Copenhagen Metro, but it owns it and its infrastructure. Therefore, the company does not yet know if it will be subject to the directive in the same way as its operator, Metro Service, which is directly responsible for daily operations (Field notes). This makes Metro Service automatically subject to the directive’s requirements, and to its penalties if they are not followed. Compliance presents challenges, such as adapting extensive risk-management practices and ensuring timely incident reporting (24- and 72-hour deadlines) (Official Journal of the European Union). These requirements call for tailored strategies to meet both regulatory demands and operational realities. During multiple meetings with the Cyber team’s leader, a pressing issue emerged: how could their work be optimised to avoid overburdening them with redundant reports to the Board while ensuring compliance? (Field notes). This analysis will, therefore, investigate the practical application of the NIS2 directive at the Metro Company using Knill and Lenschow’s governance patterns and Sabatier’s bottom-up approach.
These theories will help explore the balance between regulatory control and organisational adaptation, highlighting how the Metro Company addresses NIS2 challenges in its implementation efforts.

Mode of Governance and Institutional Rationalities

The NIS2 directive exemplifies coercive governance due to its legally binding mandate, requiring member states to incorporate its provisions into national law. Companies must adhere to specific requirements, such as reporting significant incidents within set timeframes, to avoid penalties, as mentioned earlier (Official Journal of the European Union). These measures demonstrate the EU’s reliance on coercion to ensure compliance across sectors. However, the directive also incorporates elements of communicative governance by encouraging collaboration among member states to share strategies, best practices, and lessons learned (Official Journal of the European Union). For the Metro Company, this dual-mode governance has influenced their engagement in strategic discussions, such as a knowledge-sharing meeting with Copenhagen Airport to explore implementation strategies. During these discussions, adopting the ISO 27001 standard emerged as a key approach (Company report). ISO 27001 is an internationally recognised standard for managing information security and ensuring systematic risk assessments and controls. Metro adopted this standard as recommended by the Danish Agency for Digitisation (Digitaliseringsstyrelsen), reflecting a balance between external coercion and internal strategic adaptation. The Cyber Unit decided to report annually on ISO 27001 maturity assessments. If the company achieves a score of 4 in all categories, it will meet the ISO standard, ensuring a necessary focus on information security at the management level (Company reports, Digitaliseringsstyrelsen). There has only been one report on the maturity level assessment so far, in the first quarter of 2023.
According to the Cyber team’s leader, the 2024 assessment has not yet been fully conducted (Field notes).

Challenges in Reporting and Internal Governance

The Metro Company operates within a persistence-driven performance model, striving to maintain existing processes with minimal disruption (Field notes). However, compliance with the NIS2 directive has necessitated innovations in reporting structures to meet coercive requirements effectively. The primary challenge lies in optimising the Cyber team’s reporting obligations to avoid redundancy. My responsibility included investigating whether the directive referenced the management body’s role, to ensure the Board was not overburdened with overly complex cybersecurity information. Delegating responsibilities to the Risk Committee was identified as a practical solution. Optimising governance by consolidating cyber-related and GDPR reports under the Risk Committee—more knowledgeable in risk management—proved foundational to NIS2 compliance (Field notes).

The Risk Committee, outlined in its terms of reference, prepares the Board’s discussions on risk management by assessing and reporting risk size, probability, and mitigation measures (Risikokomité kommissorium). Meanwhile, the Revision Committee focuses on compliance with financial and regulatory obligations, overseeing financial statements, internal controls, and corporate governance (Revisionskomité kommissorium). Despite consolidating reporting, GDPR issues remain under the Revision Committee due to their financial implications. This balancing act reflects Knill and Lenschow’s interplay between coercive governance pressures and the company’s strategic, persistence-driven responses.

Implementing Actors and Advocacy Coalitions: A Bottom-Up Perspective

The implementation highlights the interplay between distinct advocacy coalitions among key actors. The Cyber team is the primary actor, tasked with ensuring compliance when the directive takes effect.
Their goal is to reduce reporting redundancies by consolidating processes to the Risk and Revision Committees (Field notes). The Finance Unit, a supporting actor, focuses on GDPR and cyber incidents that affect financial accountability (Field notes). My unit, Secretariat and Risk, operates as a policy broker, mediating between coalitions. This includes facilitating discussions, navigating committee responsibilities, and aligning priorities to optimise reporting flows (Field notes). For instance, during meetings, we uncovered complexities in reporting structures, which required approvals at multiple organisational levels. The Finance Unit showed surprising willingness to support reducing reporting burdens for the Cyber team (Field notes).

Core Beliefs Shaping Implementation Dynamics

Sabatier’s framework reveals that core beliefs influence implementation dynamics:
- The Cyber team prioritises minimising inefficiencies by optimising reporting.
- The Finance Unit emphasises protecting existing structures to safeguard financial accountability.

As policy brokers, my unit facilitated collaborative discussions, aligning priorities and optimising reporting processes. This included a proposal to centralise cyber-related reporting under the Risk Committee and an annual cybersecurity report to the Board, while GDPR compliance remained under the Revision Committee (Field notes, PowerPoint presentation).

Challenges in Navigating Overlapping Responsibilities

The implementation process uncovered overlapping responsibilities between the Risk and Revision Committees, leading to inefficiencies and resource constraints for the Cyber team (Field notes). Additionally, aligning NIS2 requirements with ISO standards exacerbated these challenges. However, the directive’s ambiguity – referring to a ‘management body’ (Official Journal of the European Union) rather than explicitly to the Board – allowed flexibility.
Delegating reporting responsibilities to the Risk Committee was justified by their risk management expertise and Board representation, more specifically the fact that they consist of the Chair and Deputy Chairmen of the Board (Field notes).

Adaptive Strategies and Overcoming Challenges

Despite these challenges, the Cyber team demonstrated adaptability, seeking support for governance-related knowledge gaps. Facilitated cross-departmental collaboration enabled process optimisation, such as consolidating reporting into a single annual format. Cyber-related reporting will now be directed to the Risk Committee, GDPR incidents to the Revision Committee, and ISO updates delivered annually to the Board (Field notes). Proactive learning was also evident, as the company began implementing NIS2 requirements a year ahead of enforcement to refine processes and prepare for compliance.

Sub-Conclusion

The Metro Company’s preparation for the NIS2 directive reflects a thoughtful balance between regulatory compliance and organisational adaptation. Using Sabatier’s bottom-up approach, the analysis illustrates how distinct actors, particularly the Cyber team and the Finance Unit, navigate reporting demands, with my unit serving as a policy broker. The interplay between coercive governance and adaptive strategies highlights efforts to optimise reporting structures, allocate resources efficiently, and proactively adopt ISO 27001 standards. While challenges remain, including overlapping responsibilities, the company’s collaborative approach demonstrates the critical role of localised decision-making in shaping policy outcomes under EU directives.

Conclusion and discussion

Implementing the NIS2 directive at the Metro Company demonstrates the challenges of operationalising EU cybersecurity policy in a sector-specific context.
This research has uncovered the interaction between systemic pressures, local adaptations, and sector-specific complexities, which together show the blurred boundaries between policy design and practical application. There are three reasons for the blurred boundaries. First, external phenomena such as cyberattacks, pandemics, and geopolitical conflicts drive coercive legislative pressures that demand organisational adaptation, which often does not align with existing structures. Second, the sector-specific application creates ambiguity. The EU Commission could more clearly distinguish between the compliance obligations of infrastructure owners and operators to avoid misalignment of efforts. As an infrastructure owner, the Metro Company has different compliance obligations than its operator counterpart, Metro Service, creating role uncertainty under NIS2. Lastly, the relation between policy and practice shows that implementation depends upon localised decision-making and advocacy coalitions, bringing about governance adaptations that make the broad goals of the directive dependent on internal organisational realities.

Operationalising NIS2: The Metro Company operationalises NIS2 through coordinated efforts by key actors. The Cyber team, as key implementer, works on minimising redundant reporting while ensuring compliance. The Finance Unit, though open to optimisation, was rather protective of its oversight competencies, especially GDPR. My unit, the Secretariat and Risk Unit, acted as a policy broker and helped coordinate these coalitions, brokering priorities and optimising report flows. Together, these actors respond to the directive's requirements while juggling overlapping responsibilities and resource constraints.

NIS2's coercive governance ensures compliance but often encourages minimalistic, stability-focused adaptations rather than transformative changes.
In the case of the Metro Company, this dynamic is shown by keeping current reporting structures while gradually adjusting to meet the directive’s requirements. While this approach fulfils compliance, it risks undermining the harmonisation goals of the directive by reinforcing existing practices. That is, even as the EU seeks to establish 'uniformity', very little change will take place, because member states will seek to protect their existing structures and therefore not fully adopt the EU's narrative.

Adaptive Strategies and Learning

The Metro Company has shown adaptability to these challenges by delegating reporting to the Risk Committee and adopting the ISO 27001 standard. This shows the strategic use of the directive's ambiguities to make compliance align with operational realities. These efforts reflect policy-oriented learning, where actors fine-tune strategies based on feedback and changed circumstances. Further underlining the company's commitment to balancing compliance with efficiency is the proactive adoption of NIS2 requirements ahead of enforcement.

This brings me to my problem formulation: 'How is the NIS2 directive operationalised by implementing actors at the Metro Company, and what challenges and strategies emerge as they navigate the directive's requirements?'

NIS2 is operationalised at the Metro Company through collaborative governance and strategic adaptation. While the challenges include coercive pressures, resource constraints, and sector-specific ambiguities, the company's strategies of optimising reporting flows, leveraging expertise, and adopting ISO standards demonstrate the potential for localised agency to address the structural demands. This is what balances regulatory compliance with organisational realities, giving insight into the practical application of EU directives.
The experience of the Metro Company shows how blurred the boundaries between global policy goals and local governance contexts are in shaping implementation. This flags the importance of flexible governance, collaboration across departments, and sectoral approaches in reaching cybersecurity goals while accounting for diverse organisational realities. It is now up to policymakers to provide much clearer guidance, building on the collaborative mechanisms that do work, to ensure effective, harmonised implementation across sectors.

Bibliography

Boban, M. (2024). Cybersecurity in the digital age: Regulatory framework based on the implementation of the NIS2 directive. In V. Terziev (Ed.), Social transformations and social programming (pp. 601–611).

Bowen, G. A. (2009). Document analysis as a qualitative research method. Qualitative Research Journal, 9(2), 27–40. https://doi.org/10.3316/QRJ0902027

Carrapico, H., & Farrand, B. (2020). Discursive continuity and change in the time of Covid-19: The case of EU cybersecurity policy. Journal of European Integration, 42(8), 1111–1126. https://doi.org/10.1080/07036337.2020.1853122

Dansk Standard. (2023, March). Få styr på kravene i NIS2 med ISO/IEC 27001. Retrieved from https://www.ds.dk/da/nyhedsarkiv/2023/03/faa-styr-paa-kravene-i-nis2-med-iso-iec-27001

Digitaliseringsstyrelsen. (n.d.). ISO-måling i staten. Retrieved from https://digst.dk/sikkerhed/informationssikkerhed-i-myndigheder/iso-maaling-i-staten/

Hann, A. (1995). Sharpening up Sabatier: Belief systems and public policy. Politics, 15(1), 19–26.

Kianpour, M., & Raza, S. (2024). More than malware: Unmasking the hidden risk of cybersecurity regulations. International Cybersecurity Law Review, 5, 169–212. https://doi.org/10.1365/s43439-024-00111-7

Knill, C., & Lenschow, A. (2005). Coercion, competition, and communication: Different approaches of European governance and their impact on national institutions. Journal of Common Market Studies, 43(3), 581–604.

The Metro Company. (2016). Kommissorium for bestyrelsens risikokomite. Internal company document.

The Metro Company. (2016). Kommissorium for revisionskomiteen. Internal company document.

Official Journal of the European Union. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555

Sabatier, P. A. (1986). Top-down and bottom-up approaches to implementation research: A critical analysis and suggested synthesis. Journal of Public Policy, 6(1), 21–48.

Singh, C. (2023). The European approach to cybersecurity in 2023: A review of the changes brought in by the Network and Information Security 2 (NIS2) Directive 2022/2555. International Company and Commercial Law Review, 5, 251–261.

Yin, R. K. (2018). Case study research and applications: Design and methods (6th ed.). Sage Publications.

Field notes and company reports referenced in this study are available upon reasonable request.