
When the rules keep changing: how financial organisations can build cyber resilience that outlasts any regulation


By Nick Haan, Field CTO at Claroty

Multinational organisations have spent years building cybersecurity compliance programmes to satisfy regulators on both sides of the Atlantic. That investment is now under pressure from an unexpected direction – not from attackers, but from the regulators themselves.

The EU’s security regulation agenda is accelerating. NIS2 implementation is underway across member states, the Cyber Resilience Act runs through to a December 2027 deadline, and DORA places specific obligations on financial services firms. Meanwhile in the United States, the Trump administration is actively rolling back Biden-era cybersecurity mandates. For organisations operating across both jurisdictions, the rules are no longer pointing in the same direction.

The question facing boards and security leaders is uncomfortable: are the compliance programmes we have spent years building already becoming obsolete?

Compliance fatigue is real – and the data shows it

The anxiety is widespread and measurable. Research from Claroty, which surveyed 1,100 cybersecurity professionals globally, found that 76% believe emerging regulations will require a complete overhaul of their current security strategies. Yet 69% say their existing programmes already closely follow international and local mandates.

That gap tells a revealing story. Organisations have built programmes that satisfy today’s requirements but have little confidence they will survive what comes next. When investment is driven by external mandates rather than internal risk assessments, as the research confirms, programmes become inherently fragile. Change the mandate, and the whole architecture is called into question.

The risk of optimising for the audit

Compliance-led security has a structural flaw. When the primary measure of success is satisfying an auditor, security teams are incentivised to prioritise what is visible and documentable over what actually reduces risk. Policies get written. Checklists get completed. Boxes get ticked. But the underlying exposure may remain largely unchanged.

The problem runs deeper than the process. Most security programmes are built around an asset-centric view of risk: cataloguing assets and scoring each for vulnerability. This is necessary groundwork, but it does not tell you what matters most to the business. A vulnerability in a low-criticality system may score highly on a technical assessment, while a weakness in a process that underpins core financial operations goes under-prioritised simply because it is harder to quantify.

There also tends to be a blind spot around physical infrastructure, from building management systems such as HVAC to datacentres. These are included in the business-critical assets covered by DORA, and many insurers either offer lower premiums or refuse coverage to enterprises without good cyber-physical security.

Operational disruption, regulatory penalties, and reputational damage do not arrive because an audit was failed – they arrive because the wrong things were protected.

Building security that outlasts the next regulation

The alternative to compliance-led security is not less rigour; it is better-directed rigour. The question that should sit at the centre of every security investment decision is straightforward: which systems would cause the greatest disruption to the business if they stopped working? Security programmes built around that answer will outperform those built around regulatory checklists and will remain relevant regardless of how the rules shift.

This means structuring risk reduction around business impact rather than technical severity alone. A critical process that underpins revenue, customer continuity, or regulatory reporting deserves prioritisation not because a framework says so, but because its failure would be immediately felt across the organisation. That framing also provides a shared language with boards, as operational risk and business continuity are conversations that finance leaders already know how to have.

The practical starting point is simplification. Most environments accumulate technology over time, each vendor relationship and maintenance contract adding tools and access pathways. That complexity is itself a risk. Rationalising remote access, reducing redundant systems, and eliminating unnecessary entry points delivers immediate security improvement without waiting for the next regulatory cycle to provide direction.

When boards ask why investment is needed despite shifting mandates, the answer should not reference any specific regulation. It should reference what the business cannot afford to lose.

Resilience is the only stable foundation

We should assume the regulatory environment will continue to shift. Organisations that have built security around what matters most to the business, rather than what the current rulebook requires, are better placed regardless of what comes next. Compliance will follow resilience. It rarely works the other way around.
