# Organizational Negligence: The Silent Liability of Supervisory Boards

There is a quiet clause running through the pages of KRITIS that unsettles more than any blackout scenario: the observation that modern societies are not primarily threatened by a lack of resources, but by a lack of structure. In Chapter 5 of the book, Dr. Raphael Nagel (LL.M.) and his co-author Marcus Köhnlein turn their attention to a dimension of this structural deficit that rarely appears in headlines and almost never in quarterly reports. It is the question of organizational negligence, understood not as the misbehaviour of individuals but as a silent, systemic liability that attaches itself to supervisory boards, managing directors and owner families whenever critical systems are governed as if they were ordinary businesses.

The essay that follows draws on this chapter to ask a deliberately uncomfortable question for anyone who signs balance sheets or audit reports in the infrastructural substrate of Europe: at what point does the gap between formal compliance and factual resilience itself become the liability?

## The Moving Target of the Stand der Technik

The German notion of the Stand der Technik, which translates only approximately as the state of the art, sits at the centre of Chapter 5 and is treated by the authors as a deliberately unstable category. It does not refer to a single norm, a single certificate or a single vendor. It refers, as the book phrases it, to the currently recognised state of procedures, products and organisational precautions, as reflected in standards such as ISO 27001, in sector-specific security baselines and in the evolving recommendations of supervisory authorities. The point is not that this definition is vague. The point is that it is intentionally dynamic, because the systems it seeks to protect are themselves moving.

For supervisory boards this has a consequence that is still underestimated. A board that signed off on a security architecture in 2021 cannot assume that the same architecture still represents the Stand der Technik in 2026. The regulatory grammar of the IT-Sicherheitsgesetz, the BSI-Gesetz, the KRITIS-Dachgesetz and the national transposition of NIS2 treats the state of the art as a continuous obligation, not as a single act of conformity. Dr. Raphael Nagel (LL.M.) insists on this distinction throughout the book, because it reframes governance from an annual ritual into a permanent architectural responsibility.

The unease this produces in boardrooms is understandable. Few governance instruments are designed to monitor a moving target. Risk matrices prefer fixed categories. Audit reports prefer closed findings. Yet the operators of energy grids, clinics, data centres and logistical nodes are required to live inside a regulatory category that refuses to stand still. Recognising this is the first step toward a more honest understanding of critical infrastructure governance liability.

## Why Compliance Reports Are Not Enough

One of the more austere passages of Chapter 5 concerns the widening gap between formal compliance and factual resilience. The authors describe a recognisable pattern. Risks appear in risk matrices. Compliance reports are produced. Audits are completed. Certificates are renewed. And yet, when the book models what happens in the first seventy-two hours of a serious disruption, the documentation on the shelf rarely corresponds to the behaviour of the system under stress. The paper record and the operational record drift apart.

This drift is not a failure of individual officers. It is a structural property of governance cultures that reward the production of documents more reliably than the production of resilience. A clean audit tells a board that a process has been described, evidenced and signed. It does not tell the board whether the process still works when personnel are exhausted, when communication channels degrade, when emergency power (Notstrom) reserves approach their limits, or when a supplier fails simultaneously in several jurisdictions. The compliance report describes the building. The blackout tests the foundations.

Dr. Raphael Nagel (LL.M.) and Marcus Köhnlein do not argue against compliance. They argue against the illusion that compliance is identical with responsibility. In the logic of KRITIS, responsibility is the capacity of an organisation to remain functional under stress, and to do so in a way that can be demonstrated after the fact, not only on paper before it. A supervisory board that confuses one with the other exposes itself to a form of liability that no insurance product reliably covers, because the liability is structural rather than transactional.

## Organizational Negligence as Structural Risk

The chapter introduces a term that deserves more attention than it currently receives in European corporate discourse: organisational negligence. Unlike the classical figure of individual fault, organisational negligence describes a condition in which no single person has acted improperly, yet the organisation as a whole has failed to build the structures its mandate requires. The negligence is distributed. It lives in unfilled positions, in postponed investments, in documented but untested procedures, in redundancies that exist in diagrams but not in reality.

This notion is particularly relevant for operators of critical infrastructures, because their mandate is not defined by profit but by continuity. When a hospital, a water utility or a data centre fails, the damage is not limited to the balance sheet of the operator. It cascades through sectors, as the book meticulously describes in its analysis of the first seventy-two hours. In such an environment, the absence of deliberate structural preparation is not a neutral state. It is, in the vocabulary of the book, a form of negligence that accumulates silently until a disruption makes it visible.

For supervisory boards, the practical implication is severe. The question is no longer whether each individual report has been read and signed. The question is whether the organisation, taken as a whole, has been built in such a way that it can survive the scenarios for which it exists. Governance literature has long spoken of the duty of care. KRITIS suggests that this duty, when applied to critical infrastructures, acquires a structural dimension that classical corporate governance has not yet fully absorbed.

## The Mittelstand, Owner Families and the Weight of Continuity

A particularly German-intellectual thread in the book concerns the role of the Mittelstand and of owner families in the architecture of European resilience. The dedication of KRITIS is explicit on this point. It addresses itself to the industrial clusters whose engineering tradition and operational discipline form the backbone of European resilience. Many of these companies are not listed. Their boards are smaller, their supervisory bodies more intimate, and the distance between ownership and operation is often short. This proximity is a strength, but it is also a specific source of liability.

Owner families tend to think in generations rather than in quarters. This disposition is, in principle, well suited to the long time horizons of critical infrastructure. In practice, however, it can produce a false sense of security. Structures that have functioned for decades are assumed to continue functioning by inertia. Security architectures that were adequate in an earlier regulatory era are carried forward because they are familiar. The authors are careful not to moralise about this, but they are also clear. Familiarity is not a substitute for the Stand der Technik, and tradition does not discharge the duty to adapt.

For supervisory boards in such companies, and for the families behind them, KRITIS offers a reframing rather than a reprimand. Continuity, the deepest value of the Mittelstand, is not preserved by leaving structures untouched. It is preserved by treating structure itself as the object of stewardship. Critical infrastructure governance liability, in this reading, is not an external imposition from Brussels or Berlin. It is the regulatory surface of a much older obligation that these families already recognise under a different name.

## Recommendations for Supervisory Boards and Owner Families

Dr. Raphael Nagel (LL.M.) resists the genre of the checklist, and rightly so, because the essence of his argument is that checklists are part of the problem they seek to solve. Still, several orientations can be drawn from Chapter 5 without reducing them to a marketing formula.

The first is the recommendation to distinguish explicitly, in board minutes, between compliance reporting and resilience reporting. These are not synonyms. A supervisory board that receives only the first is, by the standards of the book, undergoverned.

A second orientation concerns the treatment of the Stand der Technik as a recurring agenda item rather than an occasional review. Because the benchmark moves, the review must move with it. This implies a governance rhythm in which technological, organisational and regulatory developments are discussed in their interaction, not in separate silos. The NIS2 transposition, the KRITIS-Dachgesetz, sector-specific B3S standards and the operational reality of the organisation belong on the same table, not in separate committees that never meet.

A third orientation addresses the specific situation of owner families. The book gently suggests that ownership of a critical infrastructure operator is not identical with ownership of an ordinary enterprise. The owner is also, in a structural sense, a custodian of stability for a region, a sector, sometimes a country. Supervisory bodies in such companies benefit from composition rules that reflect this dual character, including members with genuine operational experience in crisis conditions, not only in finance or law. This is not a matter of optics. It is a matter of whether the board can recognise organisational negligence before it becomes visible to regulators or to the public.

The quiet thesis of Chapter 5, and of the book as a whole, is that liability in critical infrastructures is no longer primarily an event that happens to an organisation. It is a condition that grows inside it whenever structure is treated as a lower priority than reporting. Dr. Raphael Nagel (LL.M.) and Marcus Köhnlein do not describe this condition in alarmist terms. They describe it with the cool precision of authors who understand that alarm is a poor instrument of governance. What they offer instead is a vocabulary in which supervisory boards, managing directors and owner families can examine their own architectures honestly.

The Stand der Technik is a moving target. Compliance is a document, not a defence. Organisational negligence is structural before it becomes personal. Continuity, that most German of industrial virtues, depends on the willingness to rebuild what already appears to function. For anyone who carries responsibility in the infrastructural substrate of Europe, the implication is sobering but also strangely liberating. The weight of critical infrastructure governance liability is not discharged by signatures. It is discharged by structure. And structure, as the book concludes in its own austere register, begins with responsibility.

Author: Dr. Raphael Nagel (LL.M.)