
Board-Ready Cyber Resilience Metrics for 2026: Beyond Green Dashboards
CISOs need decision-grade cyber metrics in 2026. This framework shows which metrics matter, how to avoid metric theater, and how to support board-level defensibility.

The ESAs designated critical ICT third-party providers under DORA in November 2025. This article explains what changes for financial entities and ICT dependency strategy.

The gap in the market is real: US-centric GRC tools do not serve EU-regulated entities. Compliance should be continuous, not periodic. EU sovereignty is a requirement, not a feature. This is the thesis behind FortisEU.

DORA has been in effect since January 17, 2025. Here are the first artifacts auditors and regulators ask for, and how to respond with evidence instead of narrative.

Having a national law does not mean entities are compliant. This guide addresses the entity-level operational readiness gap: how to move from legal awareness to demonstrable compliance with documentation, evidence, and operational capability.

Boards increasingly ask where the business is exposed, not only whether the organization is compliant. Here is why exposure management belongs in the boardroom and how to report it.

The manual screenshot-and-spreadsheet evidence model does not scale to the supervisory cadence that NIS2 and DORA now impose. Control-as-code — defining controls, their tests, and their evidence artefacts in version-controlled configuration — is the pattern that regulated entities are converging on. This post explains the architecture, the governance implications, and the implementation traps.

The EU Cybersecurity Act certification framework has two schemes in substantive use in 2026 — EUCC for ICT products and the long-awaited EUCS for cloud services — plus an AI Act-linked scheme that is moving through draft. This is the practitioner's view of which certifications are worth pursuing, what they actually deliver in procurement, and where the schemes still fall short of the original policy promise.

Tabletop exercises are the most commonly performative artefact in operational resilience programmes. This post explains how to design exercises that satisfy DORA Article 25, NIS2 Article 21(2)(b), and a supervisor who has read the playbooks before you have — and how to produce evidence that survives audit without inventing findings that did not exist.

Regulation 2024/1183 requires every Member State to offer an EU Digital Identity Wallet by late 2026, and relying-party obligations reach deep into financial services, health, and any sector with KYC workflows. This post explains the obligations, the privacy architecture, and the integration decisions regulated entities must make in 2026.

The Commission-adopted Regulatory Technical Standard on subcontracting arrangements requires financial entities to look past their direct ICT third-party providers into the chain of subcontractors that actually deliver critical services. This post explains what the RTS requires, how to build the evidence, and where most programmes are underinvested.

DORA Articles 11-12 require financial entities to build, test, and maintain ICT business continuity and disaster recovery capabilities that go far beyond traditional DR plans. This operational guide covers the BIA, recovery planning, testing obligations, and crisis communication requirements.

The EU AI Act's high-risk AI system obligations apply from August 2, 2026. Deployers and providers have four months to build conformity assessment capability, technical documentation, risk management systems, and post-market monitoring. This is the operational preparation guide.

NIS2 Article 21(2) lists ten minimum cybersecurity risk-management measures. This guide breaks down each measure operationally — what it requires, what evidence supervisors expect, and where implementation gaps are most common.

The DORA ICT risk management framework under Articles 5-16 is the operational backbone of digital operational resilience. Fifteen months after go-live, most financial entities have the documentation — but not the operational maturity. This guide covers what supervisors expect beyond paper compliance.

ISO 27001:2022's new Annex A controls align closely with NIS2 Article 21 measures. Organisations implementing both simultaneously save 30-40% of the effort compared with sequential implementation. A detailed mapping of control overlaps and practical efficiency gains.

Cyber insurers increasingly use NIS2 and DORA compliance status as underwriting criteria. Organisations with demonstrable compliance get better premiums. This post analyses the convergence between regulatory evidence and insurance evidence, and why compliance automation reduces both regulatory risk and insurance costs.

The EU AI Act's four-tier risk classification sounds simple on paper. In practice, classifying your AI systems requires navigating prohibited practices under Art. 5, high-risk pathways through Annex I and III, GPAI obligations, and transparency requirements. This decision tree gives you a structured approach.

The EU data sovereignty conversation has matured. Data location alone is insufficient. Operational sovereignty — who controls encryption keys, who can access data — matters more. A practical architecture guide with three sovereignty tiers and regulatory grounding.

DORA Articles 26-27 require certain financial entities to conduct threat-led penetration testing every three years. This is not a standard pentest. Here is who must do it, how it works, and how to prepare.

DORA Articles 28-29 require financial entities to assess ICT concentration risk, but multi-cloud isn't always the answer. A nuanced analysis of when diversification makes sense, when single-cloud with exit planning is smarter, and what supervisors actually look for.

CRA Article 14 vulnerability reporting obligations start September 2026. This guide covers what manufacturers must report to ENISA, the 24-hour notification window, SBOM requirements, and how to prepare.

Audit readiness proves a control existed at review time. Control confidence proves the control is functioning continuously. Here is how to make the transition under NIS2 and DORA.

Annual vendor questionnaires fail under NIS2 and DORA. Modern TPRM requires continuous monitoring, event-driven assessment, and concentration risk analysis — not thicker spreadsheets.

Static compliance scores hide trajectory risk. Time-to-non-compliance tells boards when they will fall out of compliance if nothing changes — a leading indicator that transforms governance from status reporting to timing decisions.

The biggest cost of platform fragmentation is not license spend. It is delayed decision-making, data silos, duplicate effort, and increased compliance risk across every domain.

DORA incident reporting under Art. 17-23 requires staged, structured submissions. This operational guide covers the classification taxonomy, the three-report cycle, ESA templates, common mistakes, and parallel reporting with NIS2.

Identity is the #1 attack vector in 2026. Credential-based attacks, MFA bypass, and identity sprawl make identity governance a regulatory requirement under NIS2 and DORA, not just a security best practice.

The AI Office published signatory updates for the GPAI Code of Practice in February 2026. Learn what procurement and security teams should require from AI vendors now.

ENISA recorded 188 major telecom security incidents in 2024 — dominated by human error, cascading failures, and reporting delays. Here is why these patterns preview NIS2 enforcement for every regulated sector, and what boards should change now.

Security questionnaires cost 8-12 hours each and stall pipeline. A properly built Trust Center reduces inbound requests by 60-70%, shortens procurement cycles, and turns compliance overhead into a revenue accelerator.

Most NIS2 guidance targets large enterprises. But medium-sized entities are in scope too. Here is how the proportionality principle under Article 21(1) translates to different implementation depths for smaller organisations.

Periodic compliance gives management a snapshot. Continuous control monitoring gives leadership operational truth. Here is how to make the shift.

NIS2 enforcement is live across Europe. This guide covers which national competent authorities are active, what supervisory interactions look like, and how to prepare for the questions boards are asking their CISOs.

Traditional GRC documents risk. Operational risk intelligence surfaces risk while there is still time to act. Here is why the old model fails under NIS2 and DORA and what replaces it.

ENISA's European Vulnerability Database (EUVD) changes how EU organizations triage and prioritize vulnerabilities. An operational playbook for integrating EUVD into your vulnerability management workflow and satisfying NIS2 Art. 21(2)(e).

A retrospective analysis of three supply chain security incidents from 2025, examined through the lens of NIS2 Art. 21(2)(d) and DORA Chapter V. For each incident: would compliance have prevented or mitigated it? What controls were missing? What does this mean for 2026 compliance programmes?

NIS2 Article 20 creates management body accountability for cybersecurity, not automatic personal fines. Here is what the liability actually looks like, how it varies across Member States, and what documentation protects you.

The ESAs and UK FCA/PRA signed a DORA cooperation memorandum in January 2026, creating new cross-border oversight obligations. A practical playbook for financial entities operating in both EU and UK jurisdictions.

An honest analysis of where compliance automation delivers ROI and where it does not. Evidence collection saves 70-80% of manual effort. Regulatory interpretation and board communication remain human-dependent. Here is how to calculate your real return — including the setup costs most vendors do not mention.

ENISA's NIS360 methodology reveals uneven maturity across NIS2 sectors. A practical playbook for using NIS360 insights to prioritize controls, benchmark sector maturity, and build an executable compliance program.

An operational guide to DORA's specific TPRM requirements: building the register of information under Article 28(3), designing a criticality assessment methodology, writing exit strategies that survive supervisory scrutiny, and implementing the contractual provisions of Article 30.

Eight years of GDPR enforcement have shifted the regulatory focus from privacy policies to technical controls. Analysis of cumulative fines, DPA activity, and what the enforcement trajectory means for 2026-2027.

Access reviews and offboarding are becoming core audit artifacts under EU cyber regulation. This operational guide shows how to implement evidence-based identity governance that satisfies NIS2 Art. 21(2)(i) and DORA Art. 9(4)(c).

The EU AI Act is not just a legal framework — it is an operating model problem. Map Art. 9-15 high-risk requirements to practical controls covering risk management, data governance, documentation, transparency, human oversight, and robustness.

SOC 2 is a US-originated framework, but EU SaaS companies selling to US enterprises increasingly need it. An honest analysis of when SOC 2 is worth the investment, how it interacts with GDPR and NIS2, and the practical path for EU companies with existing ISO 27001 certification.

Organisations subject to NIS2, DORA, and GDPR do not need three incident response plans. They need one unified IRP that triggers all applicable notifications from a single incident record. Here is how to build it.

Every deferred control gap, stale evidence artefact, and unreviewed policy is compliance debt — and it compounds. Here is how CISOs can measure it, communicate it to the board, and pay it down strategically.

2025 was the year EU cybersecurity regulation moved from theory to enforcement. DORA applied, NIS2 transposition happened (mostly), and AI Act prohibited practices kicked in. Here is what mattered, what surprised us, and what 2026 brings.

A practical guide to reducing security questionnaire response time using knowledge base building, AI-assisted drafting, template standardisation, and approval workflows — without sacrificing accuracy or creating contractual exposure.

Article 5 of the EU AI Act — the prohibited practices ban — became enforceable on February 2, 2025. Ten months in, here is what actually changed in practice, which systems were affected, and what the enforcement landscape looks like.

DORA Chapter V transformed vendor risk from an annual assessment exercise into continuous operational oversight. Here is why the old questionnaire model fails, what continuous oversight actually means, and how to transition in 90 days.

NIS2, DORA, and the EU AI Act are creating unprecedented demand for compliance professionals. Here is what a modern EU compliance team looks like — roles, skills, team structures by org size, and what to automate versus hire for.

Data residency is not data sovereignty. A procurement-grade explanation of Cloud Act and FISA 702 exposure, the EU-US DPF's limitations, and practical criteria for evaluating cloud providers under GDPR Art. 44-49 transfer safeguards.

Nine months after DORA's January 17, 2025 application date, the supervisory approach is taking shape. Here is what national competent authorities and ESAs are focusing on in their first reviews — and where financial entities are falling short.

ENISA's 2025 NIS Investments report reveals a persistent gap between cybersecurity technology spending and talent investment. Why tools without people fail, and how to allocate budgets that actually build resilience.

ENISA became a CVE Numbering Authority root in 2025, launching the EUVD and shifting EU vulnerability coordination. Here is what security leaders need to change in their vulnerability management programs.

Six months after the October 2024 transposition deadline, only a handful of EU Member States have fully transposed NIS2 into national law. Here is the scorecard, the reasons for delay, and what cross-border entities should do now.

How to translate ENISA's 2025 Threat Landscape report into board-level investment priorities. A framework for converting ransomware, supply chain, and AI-enabled threat trends into defensible executive decisions.

The EU AI Act's general-purpose AI obligations started on August 2, 2025. This guide shows how security and compliance teams can turn legal text into an auditable operating model.