arXiv: Beyond the IT Checklist: Engineering a Reasonable Standard of Care for Cyber Safety

This paper, published on arXiv, proposes a new framework for defining a "reasonable standard of care" for cybersecurity, moving beyond simple compliance checklists. It argues that current regulatory approaches, which often focus on ticking boxes for specific technical controls, are insufficient for managing dynamic cyber risks. The authors advocate for an engineering-based standard that requires organizations to demonstrate a systematic, risk-informed process for identifying, assessing, and mitigating threats, rather than just implementing a static set of measures.

The analysis is relevant to any organization subject to EU cybersecurity regulations, including those under NIS2, the Digital Operational Resilience Act (DORA), and the proposed Cyber Resilience Act. Sectors such as finance, critical infrastructure, healthcare, and digital service providers will be most affected, as they face the highest scrutiny regarding their duty of care. The paper signals that regulators may increasingly expect proof of adaptive, risk-based security engineering, not just adherence to a prescribed list of controls.

Compliance teams should begin by reviewing their current cybersecurity programs to assess whether they are overly reliant on static checklists. They should develop or enhance processes for continuous risk assessment, threat modeling, and documented decision-making around security investments. Proactively aligning internal standards with this engineering-based approach will help organizations demonstrate a robust standard of care and prepare for future regulatory expectations.