Matilda Bailey has built a distinguished career at the intersection of networking infrastructure and next-generation wireless solutions, providing her with a unique vantage point on how data flows—and fails—during a crisis. As the regulatory landscape in Europe shifts under the weight of the NIS2 Directive and the Digital Operational Resilience Act (DORA), her focus has increasingly moved toward the structural integrity of organizational communication. Matilda understands that in the modern threat landscape, a technical fix is only as good as the governance framework supporting it. Her expertise helps organizations bridge the gap between high-level policy and the gritty reality of maintaining situational awareness when the “reporting clock” begins to tick.
This conversation explores the critical shift from technical detection to organizational orchestration, highlighting how collaboration friction serves as a primary driver for lost control. We examine the new legal mandates that place management bodies directly in the crosshairs of cyber risk responsibility and the evolving role of the CISO as a linchpin in the executive decision chain. The dialogue further addresses the complexities of cross-border incident management and why communication tools must now be treated as core operational infrastructure rather than mere productivity software.
The industry often focuses on the initial moment a breach is detected, but you’ve suggested that the real loss of control happens later. Could you elaborate on why the minutes and hours following detection are actually the most dangerous for an organization’s stability?
In my experience watching high-stakes incidents unfold, the technical containment is rarely where the wheels fall off; instead, it is the friction within the coordination chain that causes the most damage. When an incident hits, the “operational picture” often fragments almost immediately as teams retreat into their respective silos, leaving leadership to make blind guesses under extreme time pressure. We see a recurring pattern where escalation pathways become muddy, and the “reporting clocks” start running against an organization that hasn’t yet agreed on who has the authority to pull the trigger on a public statement. This friction creates a vacuum where control is lost not to the attacker, but to the internal chaos of misaligned legal, technical, and executive stakeholders. It is during those first few hours that an organization’s reputation and regulatory standing are truly won or lost, based entirely on their ability to maintain a coherent narrative and a defensible decision-making process.
With the implementation of NIS2 and DORA, we are seeing a significant shift in how management bodies are viewed. How does this new direct responsibility for cyber risk change the way a board of directors interacts with their security teams?
The era of the board treating cybersecurity as a “black box” handled by the IT department is officially over because NIS2 makes management bodies directly responsible for incident response governance. This legal shift means that executive leadership is no longer just a passive recipient of quarterly reports; they are now part of the active decision chain that will be audited by regulators after the dust settles. I’ve noticed that this creates an intense pressure to maintain “traceable” decision-making, where every move made during a live incident must be defensible and documented. Boards are now forced to ask much tougher questions about how information is escalated, realizing that if they aren’t informed within those tight regulatory windows, they are the ones who will face the supervisory scrutiny. It transforms the relationship from a budget-approval dynamic into a shared operational commitment where the board’s own accountability is tied to the speed and clarity of the internal communication flow.
European regulators are now imposing very strict timelines, such as the 24-hour early warning and the 72-hour notification. From an operational standpoint, what are the biggest hurdles teams face when trying to meet these aggressive reporting windows?
Meeting a 24-hour early warning deadline under NIS2 is a monumental task because it requires an organization to have a mature internal coordination engine that can function while the operational picture is still forming. The biggest hurdle isn’t the technical analysis of the malware; it’s the internal alignment required to move a finding from a security analyst’s screen to the legal department and then to the executive suite for final approval. Often, organizations get bogged down in internal debates over reporting thresholds or jurisdictional responsibilities, and suddenly 18 of those 24 hours have vanished without a single word being sent to the authorities. These clocks assume that your security, legal, and operational functions are already speaking the same language, which is rarely the case in companies that haven’t rigorously tested their communication arrangements through crisis exercises. When you’re staring at a 72-hour deadline for a detailed notification, any delay in shared situational awareness becomes a massive liability that can attract immediate regulatory intervention.
You mentioned that the CISO is now a central figure in the decision chain rather than just a technical lead. How does this change the specific skills and priorities a CISO needs to possess to be successful under these new regimes?
The modern CISO is being judged less on their ability to configure a firewall and more on their “coordination discipline” and their ability to support a coherent organizational response under fire. They are now expected to sit at the intersection of regulatory timelines and executive accountability, which requires a deep understanding of governance that many technical leaders didn’t originally sign up for. A successful CISO today needs to ensure that when a “significant incident” occurs, the pathway from detection to the boardroom is paved with clear, auditable communication that survives a post-incident review. They have to be the architects of a decision-making framework that remains stable even when the technical environment is crumbling. If they can’t provide the executive team with the situational awareness needed to make a defensible decision, then even the most brilliant technical containment strategy won’t save the organization from regulatory fallout.
During large-scale incidents that cross national borders, we often see a breakdown in cooperation. What are the unique challenges of maintaining communication and situational awareness when multiple jurisdictions and entities like CERT-EU or national CSIRTs are involved?
Cross-border incidents introduce a layer of complexity that can paralyze even the most prepared entities because you aren’t just managing your own internal silos; you’re navigating a web of different national authorities and reporting frameworks. In exercises conducted by ENISA, we see that fragmented communication between participating entities often leads to delays in response that have nothing to do with technical gaps. You might have one country’s CSIRT moving at one speed while a jurisdictional dispute in another region slows down the entire collective response. The institutional reality is that effective management requires a shared language across mechanisms like EU-CyCLONe, where uncertainty about who “owns” a decision can lead to a total breakdown in situational awareness. It is a compounding effect: if your internal communication friction is high, your ability to provide timely information to external response entities vanishes, leaving you isolated during a crisis that requires a unified front.
If we reframe collaboration tools as “core operational infrastructure” rather than just productivity software, how should organizations change their approach to selecting and securing these platforms?
We have to stop looking at communication tools through the lens of simple usability and start evaluating them as the literal backbone of our resilience strategy. When a crisis hits, these platforms become the only way leadership can maintain a coherent operational picture, yet many organizations still treat them as “soft” adjuncts to their security stack. If the tool you use to coordinate your response is the same one that gets taken down or compromised during the incident, you have effectively lost your ability to govern the crisis. Organizations need to ensure their collaboration environments are resilient enough to handle high-stress, parallel actions from legal, operational, and executive stakeholders simultaneously. This means treating these tools with the same level of scrutiny as your primary servers—ensuring they provide a secure, auditable, and reliable space where decisions can be traced and situational awareness can be maintained even when everything else is failing.
What is your forecast for how the integration of AI will impact these coordination and reporting requirements in the next few years?
I anticipate that AI will become the primary engine for managing the “reporting clock,” but it will also introduce a new layer of governance risk if not handled with extreme care. We will likely see AI tools used to automate the first draft of those 24-hour and 72-hour notifications by pulling data from fragmented technical logs and translating them into the regulatory language required by NIS2. However, the real challenge will be ensuring “decision traceability” when an AI is assisting in the escalation process—if a human leader makes a call based on an AI-generated summary that turns out to be hallucinated or incomplete, the legal accountability still rests with the management body. My forecast is that the most resilient organizations will be those that use AI not to replace human coordination, but to strip away the friction of data gathering, allowing executives to focus entirely on the high-level strategy of defensible decision-making. We are moving toward a future where the speed of your “governance AI” will be just as important as the speed of your threat detection.