EU Regulations
Incident reporting, supply chain security, and operational readiness.
NIS2 Articles 21 and 23: Incident Reporting and Supply Chain Security Need More Than an ISMS
NIS2 Articles 21 and 23 require operational incident reporting (an early warning within 24 hours and a notification within 72 hours) and supply chain risk management. An ISMS helps with governance, but not with day-to-day execution.
2026-01-06 · By Anna Bley

GDPR Articles 28, 32, 33, and 34: Why an ISMS Is Not Enough
GDPR Articles 28, 32, 33, and 34 require data processing agreements with processors, appropriate security measures, breach notification to the supervisory authority within 72 hours, and communication to affected data subjects. An ISMS supports governance, but not operational execution.
2026-01-28 · By Anna Bley

DORA Articles 19, 28 and 30: Why an ISMS Is No Longer Enough for Financial Entities
DORA requires financial entities to inform clients during major ICT-related incidents, to keep an up-to-date register of information on ICT third-party providers, and to monitor those providers continuously. An ISMS alone cannot deliver this.
2026-01-27 · By Anna Bley

Cyber Resilience Act Articles 13 and 14: Why an ISMS Is Not Enough
The CRA requires security by design, an early warning within 24 hours of becoming aware of an actively exploited vulnerability, SBOMs, and CE marking. An ISMS supports governance, but not product-level compliance.
2026-01-28 · By Anna Bley

ISO 27001 Is Not NIS2 Compliance: What's Actually Missing
ISO 27001 provides the governance foundation for NIS2 – but not the operational execution. What's missing between ISMS documentation and actual NIS2 compliance, and why that's been a concrete problem since December 6, 2025.
2026-02-22 · By Anna Bley

NIS2 Supply Chain Security: Why Annual Vendor Assessments Are No Longer Enough
NIS2 Article 21(2)(d) requires continuous supply chain security – not point-in-time questionnaires. What's changing, why your ISMS hits its limits here, and how to build the operational layer that's actually required.
2026-02-22 · By Anna Bley

NIS2 Incident Reporting: How to Actually Meet the 24-Hour Deadline
NIS2 Article 23 requires an early warning within 24 hours, a qualified notification within 72 hours, and a final report within one month. Most organizations have an incident response plan. Very few can actually report under pressure.
2026-02-22 · By Anna Bley

You're NIS2-Affected — Now What? The Operational Gaps Beyond Your ISMS
You've checked whether your organization falls under NIS2. The answer is yes. You have an ISMS. And now you're discovering: between what your ISMS covers and what NIS2 operationally requires, there's a gap. This article shows where it lies – and how to close it.
2026-02-22 · By Anna Bley

NIS2 Compliance Checklist: What Your ISMS Covers and What It Doesn't
The complete overview: All ten risk management measures from Article 21, assessed against a typical ISO 27001 ISMS. Where you stand, where the gaps are, and what you need to add operationally.
2026-02-22 · By Anna Bley

Incident Response Plan vs. Incident Management System: What NIS2 Actually Requires
Every ISMS has an incident response plan. NIS2 requires an incident management system. The difference isn't semantic – it's operational. What an IMS must concretely deliver, which components it needs, and how to make the transition from plan to system.
2026-02-22 · By Anna Bley

NIS2 Audit Readiness: From Documentation to Continuous Evidence
NIS2 gives supervisory authorities the right to request evidence at any time. Not at your next audit. Not with advance notice. Any time. What this means for your evidence management – and why most organizations aren't prepared for it.
2026-02-22 · By Anna Bley