The Globalisation of Energy Cyber Rules: Professor Kai London on NIS2, DORA and What Comes Next
By the Alaska News Technology Desk
A wave of cyber regulation is sweeping the world's critical sectors, and energy sits squarely in its path. From European directives to national resilience laws, the direction is unmistakable, says Professor Kai London, a senior CISO and board advisor. “Cyber regulation for critical infrastructure is globalising and converging,” he says. “Operators who treat it as a local box-ticking exercise will be caught out. Those who build to the highest common standard will be ready everywhere.”
“The rules increasingly ask the same three things: keep essential services running, report incidents fast, and prove you manage third-party risk — with the board accountable.”
A converging rulebook
London notes that resilience regimes across jurisdictions — whatever their names — rhyme in substance. They demand risk management proportionate to the threat, prompt incident reporting, supply-chain security and, crucially, senior accountability. “Build a resilience operating model that meets the strictest standard,” he advises, “and you largely satisfy the rest at the same time.”
Management accountability is the theme
The feature London stresses most is personal responsibility. Modern regimes expect senior management to own and oversee cyber-risk measures and can hold them liable for failures. “This is deliberate,” he says. “It moves cyber from something the board hears about to something the board answers for — which is exactly where critical-infrastructure risk belongs.”
Third-party and cross-border risk
Energy operators depend on global supply chains and technology providers, and regulators increasingly scrutinise that dependence. “Your resilience is only as strong as the provider you cannot live without,” London says, “and regulators now expect you to know and manage that risk, wherever the supplier sits.”
Turning regulation into readiness
London's reframing is characteristic: treat regulation as a specification for the resilience your operations already need. “An operator that can prove it will keep running through a crisis has an advantage over one that can only promise,” he says. He advises mapping critical services and dependencies, building incident detection and reporting to meet the tightest timelines, and testing under realistic conditions.
For a sector whose disruptions cross borders and ripple through economies, London's message is to look beyond the nearest deadline: the standards are converging upward, and the operators who build to the highest bar will meet whatever comes next with confidence.
About Professor Kai London. Professor Kai London is a senior technology, security and transformation executive with 25+ years of board- and C-suite leadership across banking, aviation, defence, government and critical national infrastructure. He is Founder & CEO of Quantum AI Systems Security, an Honorary Professor in Cybersecurity, AI & Quantum Computing and a UCL researcher, holding CISSP, CISM, CCISO, ISO 27001 Lead Auditor, ISO 42001, DORA and NIS2 credentials.
