Barco on navigating the complex web of liability in control room security

Barco

Liability is arguably one of the least talked about topics in control room security conversations, Barco says in a recent blog. Nonetheless, it can have serious consequences for both organisations and individuals, as liability extends far beyond simple operational errors. There are many different types of liability in control rooms: liability for security incidents, non-compliance with regulations, data protection breaches, operational failures, and environmental impacts. Each carries its own set of legal, financial, and reputational consequences that can ripple through entire supply chains. Here, Timo Kosig, Product Security Officer at Barco Control Rooms, gives his insight.

In my field as a Product Security Officer, it’s especially the liability for security incidents that demands constant attention and strategic thinking. The question is deceptively simple: when a security breach happens, who is liable?

The anatomy of security liability

The nature of a security breach fundamentally shapes liability distribution. When a careless employee opens the digital door for malicious intruders – perhaps by clicking on a phishing email or using weak passwords – the liability path is relatively straightforward. The organization bears responsibility for inadequate training, policy enforcement, and access controls.

However, the landscape becomes significantly more complex when hackers exploit a reported vulnerability. This scenario triggers a carefully orchestrated chain of responsibility that spans multiple stakeholders, each with distinct obligations and timeframes.

The manufacturer’s first line of defense

When a vulnerability is discovered and reported, manufacturers are expected to address it promptly and distribute security updates. Today, that expectation is driven primarily by contractual commitments and industry standards; under the EU Cyber Resilience Act (CRA, which applies to the European Economic Area), for example, manufacturers will be legally required to handle vulnerabilities and provide security updates without undue delay for the product’s lifecycle once the CRA becomes applicable after its transition period in December 2027.

The challenge lies in balancing speed with thoroughness. Rushed patches can introduce new vulnerabilities, while delayed responses leave customers exposed. At Barco, we’ve established rigorous protocols that enable rapid response without compromising quality or introducing additional risk vectors. Once the EU Product Liability Directive becomes national law in the European Economic Area, it will cover software and digital services. Companies can be held liable for cybersecurity failures or missing security updates. This encourages building security into products from the start.

The integrator’s critical role

In many control room deployments, specific operational responsibilities are contractually assigned to the integrator that installs and services the system. To the extent the contract assigns that duty, the integrator is responsible for distributing security updates and communicating their availability to customers. Failing to do so may cause the integrator to become liable.

The integrator’s responsibilities extend beyond mere notification. They must ensure customers understand the risks of delayed implementation and provide adequate support for patch deployment. This intermediary role requires deep technical expertise combined with strong customer relationship management.

End customer responsibilities and challenges

Once patches are made available, responsibility for timely installation typically sits with the end customer in on‑site deployments, unless the service agreement assigns installation to the manufacturer or the integrator. Barco’s shared‑responsibility guidance for CTRL explicitly calls out the customer’s duty to install security updates in a timely manner. If they fail to do so, end customers expose themselves to liability. This is where the liability chain often encounters its greatest friction.

End customers frequently resist installing patches due to legitimate operational concerns. Introducing new software often means system downtime in environments where continuity is paramount. The installation process itself can be labor-intensive, sometimes requiring service staff to physically visit every hardware component with USB drives to install patches. Perhaps most concerning is the fear of operational implications from new software in mission-critical environments.

These concerns, while understandable, create dangerous security gaps. Organizations that only update their systems once annually are essentially running year-old vulnerabilities in environments that demand the highest security standards.

Innovation in patch management

Recognizing these challenges, we developed solutions that address the core friction points in security update deployment. For Barco CTRL systems, patches can be rolled out automatically throughout the entire system from a central location in remarkably short timeframes, often during a coffee break rather than requiring extended maintenance windows.

This approach transforms patch management from a disruptive, resource-intensive process into a seamless operational routine. By eliminating the technical barriers to timely updates, we remove one of the primary excuses for delayed security implementations.

Regulatory evolution: the NIS2 directive

The regulatory landscape is rapidly evolving to address these liability complexities. Many countries and regions are currently working on legislation that reflects this reality. Consider the NIS2 directive, for example, which enhances cybersecurity across the European Union by requiring organizations in critical and important sectors to implement stricter security measures and incident response protocols. This directive represents a significant shift in how cybersecurity responsibility is allocated, particularly at the executive level.

The directive requires management to actively approve all cybersecurity risk management measures and oversee their implementation. This is not a responsibility that can simply be delegated. Executives can be held liable for their entity’s breach of cybersecurity obligations under applicable national law.

NIS2 also provides for entity‑level administrative fines (up to €10m or 2% of global turnover for essential entities; €7m or 1.4% for important entities) and allows Member States to impose further measures (e.g., temporary bans on exercising managerial functions in serious, persistent non‑compliance cases).

Organizations falling under NIS2 scope (such as Barco) must implement technical, operational, and organizational cyber risk-management measures that are both appropriate and proportionate to existing threats.

The regulation demands measures that eliminate or reduce incident impact while ensuring security levels adapted to current risks. Importantly, these measures must follow a risk-based approach that balances state-of-the-art international standards against implementation costs—a requirement that emphasizes practical, sustainable security rather than theoretical perfection.
