Regulatory pressure is rarely the real problem.

The real problem is what organisations do to themselves once regulation enters the conversation.

The Network and Information Security Directive 2 (NIS2), the Digital Operational Resilience Act (DORA), and the Cyber Resilience Act (CRA) are often treated as events — something that “arrives”, triggers activity, and then moves on.

Organisations rush to commission assessments, appoint programme leads, and generate dashboards — all of which imply forward motion.

What’s missing is usually judgement.

Regulation does not create new risk

These frameworks largely formalise risks that already exist:

  • unclear accountability

  • over‑delegated decision‑making

  • under‑tested response capability

  • weak operational evidence

If those weaknesses weren’t present before, regulation would feel boring.

When regulation feels urgent, it’s often because it has exposed an existing fragility.

The mid‑market overreaction pattern

A common sequence appears again and again:

  1. A regulation is flagged by legal or compliance

  2. Security is asked for a “gap assessment”

  3. Gaps are translated into controls

  4. Controls are translated into spend

  5. Spend becomes the proxy for progress

At no point is there a calm conversation about what decisions are actually required.

This is how organisations end up compliant on paper and brittle in practice.

Compliance is evidence, not activity

Regulatory frameworks care far more about demonstrability than motion.

Not:

  • how many tools you run

  • how large the programme is

  • how detailed the roadmap looks

But:

  • who can decide

  • how quickly they can act

  • what happens when something breaks

A small organisation that can evidence sensible, bounded decisions will often fare better than a larger one drowning in documentation it can’t operate.

The leadership artefact problem

Regulation often produces artefacts designed for reassurance rather than use:

  • heat maps no one trusts

  • matrices no one remembers

  • policies no one has tested

These artefacts tend to survive because they look defensible in isolation.

But in an incident, none of them help a leader decide what to do next.

A better framing question

Instead of asking:

“Are we compliant?”

A more useful question is:

“Which decisions are now explicitly ours to make — and what evidence supports them?”

This reframing shifts the work from abstract control alignment to concrete operational ownership.

It also narrows scope dramatically.

Regulation favours restraint

One of the quiet advantages of regulatory pressure is that it can legitimise saying no.

No to:

  • uncontrolled tooling sprawl

  • undefined accountability

  • programmes that exist only to signal seriousness

Used properly, regulation becomes a forcing function for clarity — not expansion.

Closing thought

Regulatory frameworks don’t reward organisations that panic well.

They reward organisations that can show:

  • deliberate choices

  • bounded responsibility

  • and calm execution when plans are tested

If regulation feels overwhelming, it’s rarely because the framework is complex.

It’s because decision‑making was already carrying too much ambiguity.
