In a nutshell: Formal compliance requirements such as NIS2 or DORA are necessary but not sufficient — organisations that rely on documentation and certifications overlook the reality of attack scenarios and operational failure risks.
While organisations increasingly fulfil regulatory requirements, the number of vulnerable organisations either increases or remains at high levels. Certifications and audits create only formal foundations, not actual cyber resilience.
Regulatory requirements for organisations have become more stringent. NIS2, DORA and the Cyber Resilience Act require organisations to meet stricter disclosure obligations and tighter control mechanisms. At the same time, the threat landscape has expanded: in addition to traditional cyberattacks, state-sponsored attacks, hybrid threats and targeted data espionage are increasing. Critical infrastructures and organisations thus face technical and geopolitical challenges.
Concrete incidents highlight the gap between formal compliance and operational security. Battery manufacturer VARTA suffered a severe ransomware attack in 2024 that led to the shutdown of IT systems and production standstill at all sites — with significant financial damage and consequences for stock market value. Following a cyberattack with the publication of internal data on the darknet, Schumag AG had to file for insolvency. These examples illustrate: in an emergency, it is not the quality of documentation that determines an organisation’s resilience, but actual crisis management and operational capability.
The problem of “paper security” is that processes and policies exist on paper, but their actual effectiveness is not sufficiently tested or verified. If technical measures are not consistently implemented, systems are not regularly tested, or infrastructures are not continuously adapted, security concepts lose their impact. Attackers do not orient themselves towards standards or compliance requirements.
For CISOs, this means: regulatory compliance is a necessary but not sufficient foundation. The step beyond mere compliance requires a holistic approach — with continuous testing, operational robustness and genuine resilience testing. Audits and certifications are important, but they do not guarantee real security if operational implementation is lacking.
Source: www.it-daily.net · Published 7 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.3.