Somewhere right now, a security team is updating a risk register it spent 18 months building, not because the threat landscape changed, but because the regulatory requirements have shifted again. They are not alone in the frustration they must be feeling. Our recent report revealed that three-quarters of security professionals believe that emerging regulations will require a complete overhaul of their current security strategies.
The regulatory environment for cybersecurity has never been more complex or more contradictory. In Europe, organisations are racing to meet NIS2 obligations while preparing for the Cyber Resilience Act, whose full compliance deadline runs through to December 2027. Meanwhile, in the United States the reverse is happening: several Biden-era cybersecurity executive orders are being deprioritised, including mandates that were intended to strengthen baseline national cybersecurity and resilience.
For organisations operating across both markets, this is creating a headache as the compliance programmes they have spent years designing and implementing are being pulled in different directions.
The weight of overlapping obligations
There is currently a multitude of regulations that organisations are expected to manage simultaneously. NIS2 expands the scope of the original Network and Information Security Directive, covering more sectors and more organisation types, and introducing stricter incident reporting timelines and board-level accountability requirements. The Digital Operational Resilience Act (DORA) applies specifically to the financial sector and demands demonstrable resilience testing, third-party risk management, and threat-led penetration testing at scale. On top of these sits the Cyber Resilience Act (CRA), which extends baseline cybersecurity requirements across a range of connected products encompassing hardware, software, and everything in between.
Each of these frameworks addresses a real risk and cannot be ignored. However, the cumulative effect for already overworked security and compliance teams is significant. Organisations that designed their processes and policies around one framework must now measure their programmes against every other regulation and change them, whether by retrofitting or rebuilding them entirely, to accommodate the additional requirements. In the event of a breach, teams also carry the burden of working out which countries are involved, which regulatory jurisdictions apply, and what each regulator requires.
Budgets that were dedicated to one set of obligations must now stretch to cover others, and the skills a team needs to navigate the regulatory requirements are immense. People who understand both the complex, technical elements of regulations such as NIS2 and have the knowledge and operational experience to apply them to critical infrastructure are not easy to recruit or retain.
The result is a creeping compliance fatigue that poses its own security risk. Teams that spend most of their time on audit readiness have less capacity for threat detection, incident response planning, and resilience testing, which are critical in reducing the likelihood and impact of a breach.
When the goalposts move in opposite directions
The US-EU regulatory divergence adds a level of confusion and complexity that goes beyond workload. When two major markets adopt different postures on cybersecurity requirements, organisations, particularly those that operate globally, face an almost impossible choice: design a single regulatory programme that meets both, or maintain separate programmes for each.
Dual programmes require parallel governance structures, separate audit processes, and distinct reporting chains, all of which create operational complexity and cost. On the other hand, a unified programme, designed to meet the ‘higher’ standard, requires sustained investment even in jurisdictions where that standard is no longer mandated.
There is also a longer-term board-level challenge here as security leaders are being asked to make multi-year investment cases for compliance programmes in a world where the regulatory framework underpinning those investments may look different in 12 months. For security and compliance professionals being faced with the question “Will this programme still be relevant in 2027?”, the answer is increasingly: “We do not know.”
From compliance programmes to resilience postures
The organisations navigating this most effectively are those that have reframed the question to: “What would make us genuinely harder to breach, faster to recover, and more transparent with regulators, regardless of which framework applies?”
This shift from compliance-led to resilience-led security strategy has a practical implication as it tends to lead to programmes that are more durable across regulatory cycles. Capabilities like comprehensive asset visibility, network segmentation, real-time anomaly detection, and documented incident response processes deliver genuine security value, and they also satisfy the substantive requirements of NIS2, DORA, and the CRA, even if the specific evidence requirements differ between frameworks.
Asset visibility is particularly critical across the board, as an incomplete asset inventory has a knock-on effect on every other element of compliance and risk management. No one can demonstrate control over an environment they cannot fully see, or build a reliable regulatory response around an asset register known to be inaccurate.
In particular, many organisations overlook cyber-physical systems in their security assessments, yet these are critical to compliance with regulations like DORA. Organisations also risk unfavourable premiums, or no coverage at all, from insurers if they cannot prove strong cyber-physical security. Mission-critical assets like data centres are especially important, but all assets need to be considered.
Investing in genuine, continuous asset discovery is not a compliance activity. It is a foundational security requirement that happens to underpin almost every regulatory obligation simultaneously.
Strategically, network visibility, segmentation, detection capability, and incident response maturity will not become less important however the regulatory landscape shifts. Where organisations need to remain adaptable is in the audit trails, the reporting formats and the specific control mappings, because these are the elements most exposed to, and most subject to, regulatory change.
Maintaining standards
The anxiety captured in that initial 76% figure is not irrational: with the regulatory environment in flux, some compliance work is likely to become obsolete. But the underlying security capabilities that good compliance programmes are supposed to produce are not going anywhere.
The organisations that will weather this period of regulatory whiplash most effectively are those that have kept genuine resilience, rather than audit readiness, at the centre of their security strategy.
While the goalposts are moving, the need to detect, withstand, and recover from serious cyber incidents has not changed, and that is what must remain front of mind for all organisations.
Nick Hann, Field CTO, Claroty
