Cybersecurity and resilience regulations should not be seen as obstacles but as opportunities to strengthen organizational strategy and digital maturity. By going beyond compliance and embracing resilience as a core business advantage, companies can improve security, efficiency, and growth.
Regulation, regulation, regulation. There’s been a lot of it to worry about in recent years, particularly in the EU, concerning cyber and digital resilience. Last year saw the arrival of NIS2, quickly followed by DORA for financial institutions, and just in the last month, the new EU Data Act came into force. This won’t be stopping anytime soon. The next big bill on the horizon, the Cyber Resilience Act, is due to (gradually) start coming into force next year.
You could be forgiven for thinking that it’s all a bit too much. That regulation is getting in the way and slowing organisations down. But this is the wrong way to look at it. Resilience isn’t optional anymore, and regulation is only a waste of time if you view it as a box-ticking exercise. Organisations that approach it the right way stand to gain far more than just avoiding a fine.
There’s no shying away from it; we’ve seen a lot of cybersecurity and resilience regulations over the last few years. It’s hard to believe that even the GDPR, the regulation that set the cat amongst the pigeons and forced many organizations to really think about their data for the first time, is only seven years old. A lot has changed since then. Most notably, NIS2 and DORA. They mean ‘essential’ and ‘important’ industries (in the case of NIS2) and financial services (focused on by DORA but also covered by NIS2) have broad new responsibilities across digital risk management and incident reporting.
“Resilience isn’t optional anymore, and regulation is only a waste of time if you view it as a box-ticking exercise.”
Edwin Weijdema, Field CTO for EMEA, Veeam
It’s a lot for CISOs to worry about, and, thanks to a new onus on ‘corporate accountability’ in regulations like NIS2, for the entire exec team as well. After all, it’s their personal liability on the line. Beyond the potential fines of tens of millions of euros for the company itself, execs found grossly negligent can face being dismissed, banned from senior positions, or even prosecuted.
When you put it like that, it can (understandably) sound pretty intimidating. Particularly when you consider that even now, we’re still in a period where many companies fall outside of these heavier regulations. With the upcoming EU Cyber Resilience Act, however, which covers any companies that place digital products with software on the EU market, even more companies will soon find themselves under the scope of one digital resilience regulation or the other.
It pays to be resilient – in more ways than you think
I don’t want to be flippant. I have great sympathy for stretched IT or general business leaders for whom regulation and compliance are one of several plates to spin. Many may feel that keeping up with this growing regulation is holding them back; a recent survey of financial service IT leaders in the wake of DORA found that one in five believe the volume of digital regulation is becoming a barrier to innovation or competition.
While I understand the position, the good news is that if you look at these regulations beyond ticking boxes or simply avoiding fines, you stand to gain much more. Firstly, these regulations exist for a reason. Cyberattacks have plagued all digital organizations in recent years. In recent memory alone, we’ve seen major cyberattacks cripple operations for Jaguar Land Rover and M&S.
Even if regulation didn’t exist, the threats it is trying to mitigate would. In other words, you need to be paying attention and investing in cyber resilience regardless. Regulations should be viewed as the bar; when they move and change, it represents the minimum standards being raised. If you find a regulation comes into play that ‘forces you’ to start a new process or procedure, you’re already behind. You should already be doing this stuff, and your competitors probably are.
That being said, it’s important to know that being compliant doesn’t always mean being secure. If regulations like NIS2 and DORA are the minimum bar, organizations should be aiming to clear it. Besides, the reason new directives are always coming in is because cyberthreats are evolving fast, and industry standards are, to an extent, just a snapshot in time. In other words, it’s far more effective to be compliant through being a mature, digitally resilient organisation than it is to try to be resilient through compliance alone.
Besides, it pays to be resilient beyond even avoiding fines or ransomware fallout. You could view regulation or even the threat of a cyberattack as a stick to avoid being whacked with. But what many organisations fail to realise is that having mature data resilience is a carrot in itself. Recent research from Veeam and McKinsey found that top performers with a high degree of data resilience maturity not only avoid downtime and data loss compared to others, but also experience around 10% higher average revenue growth. Why?
Regulation often focuses on the tactical, targeting the symptoms of problems and requiring organisations to deploy specific measures to mitigate risk or respond when things go wrong.
While this helps the industry gradually raise the bar and refresh best practices, this patchwork approach to resilience ultimately leaves organizations always one step behind. To achieve true data resilience maturity, companies need to be ahead of regulation, using a longer-term approach that addresses the root causes of digital risk, rather than just papering over the issues as they crop up.
The age-old trifecta of ‘People, Process, and Technology’ is still as valuable as ever, but ‘strategy’ now also needs a seat at the table. As cyberthreats evolve, regulatory pressures increase, and data ecosystems grow ever more complex, organizations need to integrate business goals with resilience planning. With a cross-functional approach in place, IT, security, and compliance can all feed into one cohesive strategy that not only anticipates threats but enforces governance and keeps businesses one step ahead of compliance.
Bringing strategy into the mix makes resilience less about ticking boxes and more about seeing the bigger picture. In the end, it’s that strategic layer that turns resilience from a regulatory obligation into a real advantage, helping businesses stay ready for whatever’s next. And, it’s why organisations that are ahead in data resilience maturity are more profitable on average. Having a joined-up strategy not only protects the business but often smooths out operational inefficiencies and breaks down silos along the way, meaning the organisation can work smarter and grow more freely.
I’m aware this all sounds great for those mature organizations, but what about those trying to take that step that gets them from chasing regulatory compliance to leading it? Existing patchwork fixes have resulted in some truly headache-inducing technical webs to unweave when it comes to data resilience.
Thankfully, there are tools out there that can help. Data resilience maturity models are becoming more readily accessible, giving organizations frameworks to follow that can not only assess their existing resilience maturity but also identify gaps and provide steps to implement targeted improvements. This turns data resilience from a series of regulatory bars to meet into a continuous point of improvement that delivers benefits not just for compliance, but for cost efficiency as well.
Organisations that use these models and follow this approach don’t view compliance as an inconvenience or a box-ticking exercise. For them, data is no longer a point of failure, but rather an enabler of growth. With new regulations like the EU Data Act and the upcoming Cyber Resilience Act, they’re likely 90% of the way there, and view regulation as a chance to test their resilience and flex their agility, staying ahead rather than just keeping up. In short, strategy has turned their resilience from a requirement into a real business advantage.
