Liability is arguably one of the least talked about topics in control room security conversations. Nonetheless, it can have serious consequences for both organizations and individuals, as liability extends far beyond simple operational errors. There are many different types of liability in control rooms: liability for security incidents, non-compliance with regulations, data protection breaches, operational failures, and environmental impacts. Each carries its own set of legal, financial, and reputational consequences that can ripple through entire supply chains.
In my field as a Product Security Officer, it's especially the liability for security incidents that demands constant attention and strategic thinking. The question is deceptively simple: when a security breach happens, who is liable?
The nature of a security breach fundamentally shapes liability distribution. When a careless employee opens the digital door for malicious intruders – perhaps by clicking on a phishing email or using weak passwords – the liability path is relatively straightforward. The organization bears responsibility for inadequate training, policy enforcement, and access controls.
However, the landscape becomes significantly more complex when hackers exploit a reported vulnerability. This scenario triggers a carefully orchestrated chain of responsibility that spans multiple stakeholders, each with distinct obligations and timeframes.
When a vulnerability is discovered and reported, manufacturers are expected to address it promptly and distribute security updates. Today, that expectation is driven primarily by contractual commitments and industry standards; under the EU Cyber Resilience Act (CRA, which applies to the European Economic Area), for example, manufacturers will be legally required to handle vulnerabilities and provide security updates without undue delay for the product’s lifecycle once the CRA becomes applicable after its transition period in December 2027.
The challenge lies in balancing speed with thoroughness. Rushed patches can introduce new vulnerabilities, while delayed responses leave customers exposed. At Barco, we've established rigorous protocols that enable rapid response without compromising quality or introducing additional risk vectors. Once the EU Product Liability Directive becomes national law in the European Economic Area, it will cover software and digital services. Companies can be held liable for cybersecurity failures or missing security updates. This encourages building security into products from the start.
In many control room deployments, specific operational responsibilities are contractually assigned to the integrator that installs and services the system. To the extent the contract assigns that duty, the integrator is responsible for distributing security updates and communicating their availability to customers. Failing to do so may cause the integrator to become liable.
The integrator's responsibilities extend beyond mere notification. They must ensure customers understand the risks of delayed implementation and provide adequate support for patch deployment. This intermediary role requires deep technical expertise combined with strong customer relationship management.
Once patches are made available, responsibility for timely installation typically sits with the end customer in on‑site deployments, unless the service agreement assigns installation to the manufacturer or the integrator. Barco’s shared‑responsibility guidance for CTRL explicitly calls out the customer’s duty to install security updates in a timely manner. If they fail to do so the end customer exposes themselves to being liable. This is where the liability chain often encounters its greatest friction.
End customers frequently resist installing patches due to legitimate operational concerns. Introducing new software often means system downtime in environments where continuity is paramount. The installation process itself can be labor-intensive, sometimes requiring service staff to physically visit every hardware component with USB drives to install patches. Perhaps most concerning is the fear of operational implications from new software in mission-critical environments.
These concerns, while understandable, create dangerous security gaps. Organizations that only update their systems once annually are essentially running year-old vulnerabilities in environments that demand the highest security standards.
Recognizing these challenges, we developed solutions that address the core friction points in security update deployment. For Barco CTRL systems, patches can be rolled out automatically throughout the entire system from a central location in remarkably short timeframes, often during a coffee break rather than requiring extended maintenance windows.
This approach transforms patch management from a disruptive, resource-intensive process into a seamless operational routine. By eliminating the technical barriers to timely updates, we remove one of the primary excuses for delayed security implementations.
The regulatory landscape is rapidly evolving to address these liability complexities. Many countries and regions are currently working on legislation that reflects this reality. Consider the NIS2 directive, for example, which enhances cybersecurity across the European Union by requiring organizations in critical and important sectors to implement stricter security measures and incident response protocols. This directive represents a significant shift in how cybersecurity responsibility is allocated, particularly at the executive level.
The directive requires management to actively approve all cybersecurity risk management measures and oversee their implementation. This is more than a delegable responsibility. Executives can be held liable for their entity's breach of cybersecurity obligations under applicable national law.
NIS2 also provides for entity‑level administrative fines (up to €10m or 2% of global turnover for essential entities; €7m or 1.4% for important entities) and allows Member States to impose further measures (e.g., temporary bans on exercising managerial functions in serious, persistent non‑compliance cases).
Organizations falling under NIS2 scope (such as Barco) must implement technical, operational, and organizational cyber risk-management measures that are both appropriate and proportionate to existing threats.
The regulation demands measures that eliminate or reduce incident impact while ensuring security levels adapted to current risks. Importantly, these measures must follow a risk-based approach that balances state-of-the-art international standards against implementation costs—a requirement that emphasizes practical, sustainable security rather than theoretical perfection.
Understanding liability requires recognizing the full spectrum of costs associated with cybersecurity breaches. The financial impact extends far beyond immediate technical remediation.
Ransom payments represent the most visible cost, often reaching millions of dollars depending on organizational size and critical infrastructure dependencies. However, this direct cost frequently pales compared to operational disruption expenses.
Downtime costs can be catastrophic, with companies remaining offline for weeks following sophisticated attacks. For critical infrastructure providers, this downtime can cascade through entire economic sectors, stretching far beyond their own downtime. The September 2025 hacking of a supplier of airport check-in and boarding systems is a clear example of this, impacting many airports (and passengers) across Europe.
Perhaps the most devastating is reputational damage, particularly for companies serving critical infrastructure organizations. Trust, once broken, requires years to rebuild and may never fully recover. In sectors where reliability and security are foundational to business relationships, reputational damage can be lethal for a business.
At Barco, we recognize that cybersecurity is fundamentally a shared responsibility requiring active engagement across the entire value chain. Our role extends beyond manufacturing secure products to enabling secure operations throughout their lifecycle.
This philosophy drives our investment in automated patch management, proactive vulnerability management, and comprehensive security support services. We understand that our customers' security challenges become our liability exposure, creating powerful alignment between business interests and security outcomes.
The future of control room security liability lies in frameworks that promote rapid response, clear responsibility allocation, and incentive alignment across all stakeholders. This requires moving beyond blame-focused approaches toward collaborative models that prioritize threat mitigation over liability avoidance.
Success demands that manufacturers, integrators, and end customers work together to establish realistic timelines, adequate resources, and clear communication channels for security response. Only through such collaboration can we build control room environments that are both operationally effective and security resilient.
The stakes are too high, and the threats too sophisticated, for fragmented approaches to security liability. The organizations that thrive in this environment will be those that embrace shared responsibility while maintaining clear accountability for their specific roles in the security ecosystem.
More than being about protecting individual organizations, security in critical infrastructure is about safeguarding the systems that underpin modern society. That responsibility belongs to all of us, and the liability frameworks we build today will determine how well we meet that challenge tomorrow.
NOTE: Throughout this text, I have mainly focused on examples from the European Union. This does not mean that other countries and regions are not working on legislation in this field. Listing all national initiatives would be way beyond the scope of this article, and could never be complete.
Hungry for more security insights? Head over to our Barco CTRL security page and bookmark it. We're constantly adding new articles, expert analysis, and practical tips.
