EU Cyber Regulation Maturity: Turn Compliance Into a Strategic Advantage

Regulatory bodies in the EU have recognized how critical it is to secure financial and information systems given the rise in cyber threats and responded in turn with new regulations aimed at boosting defences. These include the Digital Operational Resilience Act (DORA), which establishes unified standards for cybersecurity and ICT resilience, the Network and Information Security Directive 2 (NIS2), which focuses on incident reporting, risk management, and collaboration to improve security, and the EU AI Act, a first-of-its-kind regulatory framework for responsible AI governance.

While respondents to a recent AuditBoard and Ascend2 survey of risk, InfoSec, and IT compliance professionals agreed that cybersecurity threats are a major concern, they were also worried about the effort needed to comply. The vast majority (90%) said that their workload will be impacted by conformance with DORA, the NIS2 Directive, and/or the EU AI Act, with InfoSec professionals expecting the heaviest burden. Further, even organisations that claim to be in compliance may be missing key components, putting them at risk of non-conformance.

Uncover some of our findings about each regulation below, then download the full report, Unlock Regulatory Compliance With DORA, NIS2, and the EU AI Act, to explore the results in more detail and learn how you can take steps to advance on your compliance journey.

Compliance With DORA: Current State

At the time of the survey, 40% of organisations reported already being in compliance with DORA, and an additional 53% planned to meet the January 2025 deadline. However, a closer examination reveals potential gaps between perceived and actual compliance. Amongst those claiming to be compliant, 77% have implemented critical controls such as regular ICT system testing and monitoring of third-party ICT service providers, but this leaves a notable portion who have not completed these foundational elements. Similarly, only 65% of those claiming compliance report having timely, standardised incident reporting, another key aspect of DORA.

In comparison, organisations not yet in compliance lag further behind, with only 61% conducting regular ICT system testing and 59% monitoring third-party ICT service providers. This suggests organisations should conduct a gap analysis comparing their current compliance posture against their target future state, in order to understand, prioritise, and undertake the actions required for full regulatory compliance and avoidance of the consequent penalties.

Compliance With NIS2: Current State

The NIS2 Directive enforces stricter cybersecurity requirements for organisations classified as either essential entities (39% of those surveyed) or important entities (58%). Both classifications must comply, with essential entities facing potentially harsher penalties for non-compliance.

Despite the directive’s compliance deadline having passed, only 52% of organisations report being compliant, and another 44% plan to meet requirements by the end of next year. (At the same time, organisations surveyed are more likely to already be in compliance with NIS2 than with the other two regulations.) Compliance progress varies across organisations, partly because NIS2 has been transposed and enforced at different times at the national level. Organisations deemed essential entities are significantly more likely than those deemed important entities to have taken critical steps toward compliance.

Compliance With the AI Act: Current State

The EU AI Act is recognised as the world’s first comprehensive regulatory framework for artificial intelligence, applying not only to EU member states but also to organisations wishing to trade with the EU bloc. Included in its measures are requirements for effective oversight, control, documentation, and transparency across AI systems. The regulation establishes a European Artificial Intelligence Board to foster national cooperation and ensure compliance.

The EU AI Act classifies AI systems based on the potential harm a system could cause if it malfunctions, is misused, or fails to meet safeguards. Nearly half (47%) of organisations surveyed report being categorised as high risk, meaning their systems could cause significant harm if data protection controls fail. Another 36% are classified as limited risk, and 12% report a minimal-risk classification. Systems posing unacceptable risk are prohibited under the Act.

At the time of the survey, one-third of organisations reported already being in compliance with the EU AI Act, whilst 38% expected to comply by February 2025. Another 24% plan to be in compliance by the end of 2025.

There seems to be less urgency to comply with the EU AI Act amongst those surveyed compared to the other regulations, with just over half (52%) indicating that compliance is a high priority requiring immediate attention. This could be due to the two-year grace period provided for AI products after they go to market. It is critical that organisations are proactive about their compliance with the EU AI Act now, as this grace period applies only to launched products, not to those in development, and deadlines are fast approaching.

Make EU Compliance Your Competitive Advantage

Our research uncovered a number of challenges and gaps as organisations work to comply with DORA, NIS2, and the EU AI Act. These regulations should be prioritised, not only to avoid penalties, but as an opportunity to set your business apart from the rest. Get your copy of Unlock Regulatory Compliance With DORA, NIS2, and the EU AI Act for additional insights and actions you can take now to successfully navigate this landscape.