Regulating digitisation of critical infrastructures: we need diverse experts to translate cyber security risks into the sector-specific contexts

As digital innovations proliferate across critical infrastructure sectors, we begin to regulate them to ensure reliable and safe delivery of essential services like water, energy or transport. The Network and Information Systems Security (NIS) Directive, implemented across the EU and the UK, is a prime example of such efforts. It is a novel regulatory response to the increased interconnection of industrial computers to the internet.

Our research, based on interviews with 30 cyber security practitioners conducted in 2020, uses the case study of the water sector in England to address how traditional environmental governance goals (water availability, affordability, sustainability, continuity of supply, public participation) compare against the cyber security ambitions. Our research traces how diverse experts collaborate on the NIS Directive. Practitioners like regulators, lawyers, senior managers, water engineers, IT security experts negotiate their interpretations of NIS to advance their respective priorities. Accessing the diversity of experiences and opinions is crucial so that the NIS could overcome the expertise asymmetry and allow non-technical experts to contribute towards agenda setting.