Are Cybersecurity Regulations Enough?

The European regulatory landscape for cybersecurity has never been more active. The Digital Operational Resilience Act (DORA), the revised Network and Information Security Directive (NIS-2), and the Cyber Resilience Act (CRA) collectively represent the most ambitious regulatory push for digital security in a generation.

But here's the uncomfortable question: Is compliance enough to keep your organisation secure?

The Regulatory Wave

Let's briefly survey the current landscape:

• DORA (effective January 2025) mandates ICT risk management, incident reporting, resilience testing, and third-party risk management for financial entities across the EU.
• NIS-2 (transposition deadline October 2024) expands the scope of the original NIS Directive to cover more sectors and imposes stricter requirements for risk management and incident reporting.
• CRA introduces cybersecurity requirements for products with digital elements throughout their lifecycle.

Together, these regulations signal a clear message: cybersecurity is no longer optional, and accountability extends to the boardroom.

Where Compliance Falls Short

Regulations set a minimum standard. They define what organisations must do. But they cannot account for the specific threat landscape, technology stack, or risk appetite of each organisation.

1. Compliance Is Backward-Looking

Regulatory frameworks are developed over years. By the time they take effect, the threat landscape has already evolved. Compliance ensures you meet yesterday's baseline — not today's threats.

2. Checkbox Mentality

When compliance becomes the goal rather than a byproduct of good security, organisations optimise for audits rather than resilience. Controls are documented but not tested. Policies exist but aren't enforced.

3. Scope Limitations

Regulations target specific sectors or product categories. But attackers don't respect regulatory boundaries. Supply chain attacks, for example, can originate from entities outside the scope of any single regulation.

Building Beyond Compliance

The most resilient organisations treat compliance as a foundation, not a ceiling. Here's how:

Adopt a risk-based approach. Use frameworks like ISO 27001 or NIST CSF to build a risk management programme that adapts to your specific context, rather than simply ticking regulatory boxes.

Invest in detection and response. Regulations focus heavily on prevention. But given that breaches are inevitable, organisations need mature detection, response, and recovery capabilities.

Test continuously. Move beyond annual penetration tests. Implement continuous security validation through red teaming, purple teaming, and automated attack simulation.

Engage the supply chain. DORA and NIS-2 both emphasise third-party risk. Build supplier security assessments into your procurement process and monitor critical suppliers continuously.

Foster a security culture. No regulation can mandate awareness. Invest in security training that goes beyond annual e-learning — embed security into how teams work daily.

The Bottom Line

Regulations like DORA and NIS-2 are necessary and welcome. They raise the baseline, create accountability, and drive investment in cybersecurity. But they are not sufficient.

True security requires a proactive, risk-driven approach that goes beyond what any regulation can mandate. The organisations that understand this distinction — and act on it — will be the ones best prepared for whatever comes next.