Ever-expanding regulatory requirements (without matching resources)
Europe’s regulatory machinery has developed a remarkable talent for producing rules at a pace that would make a rabbit colony blush, while steadfastly refusing to provide the carrots required to implement any of it. NIS2, DORA, the GDPR enhancements, the AI Act and the Cyber Resilience Act all arrive with noble intentions, serious faces, and a level of resourcing that could generously be described as fictional. Organisations stumble from one deadline to another while quietly constructing a towering pile of security debt that threatens to wobble, topple, and flatten anyone foolish enough to look directly at it.
The compliance treadmill
Nothing illustrates European optimism quite like the 18 to 24 month compliance window. It is meant to encourage preparedness and orderly planning. What it actually encourages is denial, delay, a mild sense of doom around month twelve, panic around month six, and a procurement frenzy at month one. Consultants and software vendors make a tidy profit. Organisations produce documentation that looks vaguely convincing if you squint. Nothing fundamental improves.
The cycle is reliably familiar. Brussels publishes another directive. Member states interpret it in seventeen slightly incompatible ways. Regulators issue guidance that reads like it was written by a committee voting on synonyms. Industry studies the horizon in the hope someone else will go first. Deadlines approach. Something is bought. Something is installed. Boxes are ticked. Everyone returns to normal life until the next regulation lumbers into view and the whole procession begins again.
By now the pile-up resembles an archaeological dig. GDPR from 2018 is still not implemented properly. The first NIS Directive from the same year is a patchwork of partial compliance. PSD2 from 2019 kept the banks sweating. NIS2 in 2024 was widely greeted with theatrical confidence. DORA in 2025 inspired the financial sector to clutch its collective chest. The AI Act in 2026 is already a fog of uncertainty. And the Cyber Resilience Act in 2027 is prompting manufacturers to consider new and creative forms of stress eating.
All of these rules require staff, budget, expertise, and time. None of them provide staff, budget, expertise, or time.
Paper compliance, the art of looking secure
A good deal of compliance work consists of manufacturing the appearance of competence, a sort of bureaucratic stage-play in which everyone pretends that documents reflect reality rather than aspiration.
Organisations invest significant care in producing policies that are beautifully formatted, legally reviewed, approved by senior management, and read by approximately three people. They sit in SharePoint libraries gathering digital sediment and are retrieved only when auditors approach.
Risk registers acquire a life of their own. Endless rows list every imaginable calamity along with carefully assigned risk scores and action plans which nobody pursues outside the two weeks before an audit. Training metrics proudly report that 95 percent of staff completed awareness training, which in practice means clicking through slides while half-thinking about lunch, guessing answers, and receiving certificates that confirm a level of enlightenment not found in nature.
Vendor assurance questionnaires are worse. Two hundred questions are sent to a supplier who cheerfully selects “yes” for everything with the enthusiasm of a child completing a treasure hunt. No evidence is required and none is offered. The questionnaire is filed with ceremony and accepted as proof that due diligence occurred.
The resulting disconnect between paperwork and reality becomes vast. Policy says the organisation has a fully tested incident response programme with round-the-clock coverage. Reality is an engineer glancing at email alerts between other tasks and a dusty Word document last updated during a previous geological period. Auditors confirm compliance. Breaches later confirm that the policy lives in a parallel universe.
Rushed tooling, panic procurement in action
When deadlines reach critical mass and no actual controls are implemented, organisations reach for the organisational equivalent of a healing potion: Buy Something Fast.
The timeline is predictable. Eighteen months before the deadline there is talk of forming a working group. Twelve months before there is a sense that something probably ought to happen. Six months before, everyone acknowledges the situation is urgent but continues behaving as if it is not. Three months before, actual panic sets in. Two months before, someone issues an RFP. One month before, the vendor who answers emails becomes the chosen one. A contract is signed. A tool is installed with default settings. Compliance is declared.
Unfortunately, what gets bought is rarely what is needed. It is simply what is available, what is marketed as “compliance ready”, and what promises miracles for the attractive price of €30 000 per year and six months of configuration effort, which the organisation compresses into a single afternoon. Alerts begin to appear. Nobody knows what to do with them. There are too many. Fatigue sets in. The tool eventually becomes a silent monument to past panic. Screenshots are still taken for future audits. The box stays ticked.
Quick fixes, the duct tape philosophy
Proper implementation of regulations requires architectural changes, meaningful process updates, actual engineering effort, and patience. Quick fixes require none of these things and therefore win every time.
If regulation demands encryption at rest, the real solution involves a comprehensive review of storage systems, data classification, proper key management, and a few months of actual work. The quick fix is enabling device encryption on laptops and declaring victory. The laptops are indeed encrypted. Everything else remains unprotected. Compliance reporting celebrates this triumph with admirable confidence.
This pattern is repeated everywhere. Multifactor authentication becomes a single factor plus a token for email only. Vulnerability scanning becomes a monthly Nmap run that nobody reviews. Incident response becomes a one-page document. Backup and recovery becomes a cloud service no one has ever tested. Quick fixes fulfil the letter of the rule while entirely missing its spirit, and they persist for one simple reason: they allow everyone involved to pretend things are under control.
Temporary workarounds that harden into permanent infrastructure
Nothing lasts longer than a temporary workaround. It begins with the promise of a proper solution once the crisis subsides. The crisis never subsides. The workaround becomes familiar. Familiarity becomes trust, and trust becomes permanence.
A shortcut intended for three weeks continues for three years. VPNs are postponed while a hastily opened port remains exposed long after the person who opened it has left the organisation. VLAN arrangements grow tangled. Logging systems collect terabytes of unread data. Alerting systems train staff to ignore them. All of it meets the minimum compliance requirements on paper while in reality the stack becomes brittle, opaque, and unmaintainable.
The illusion of managed risk
Risk registers insist that risks are accepted or mitigated. Accepted usually means ignored. Mitigated often means “we have applied a thin layer of procedural varnish”. Leadership sees the register and concludes the organisation is mature. Auditors see the register and conclude the organisation is diligent. Security teams see the register and conclude they should consider new careers.
The accumulating debt
Every shortcut, every untested tool, every undocumented workaround contributes to an expanding mound of security debt. Its interest compounds silently. Quick fixes interact in ways nobody predicted. Staff turnover erodes institutional memory. Systems become too fragile to modify. Refactoring becomes impossibly expensive. Eventually the temporary patch becomes a load-bearing wall and no one dares touch it.
When failure finally occurs, the post-mortem resembles a geological survey. Layers of quick fixes, half-implemented controls, contradictory configurations and fossilised workarounds appear stacked atop each other. At that point the real cost is counted in months of remediation and many millions of euros.
The regulatory whack-a-mole
By the time one regulation is grudgingly implemented, two more are already on the horizon. GDPR consumed Europe’s attention in 2018. PSD2 arrived soon after. The original NIS Directive needed fixing. Then came NIS2. DORA followed. The AI Act loomed. The Cyber Resilience Act bared its teeth. There is never a moment when the system can breathe. Staff burn out. Organisations lose good people because working in permanent crisis mode is no one’s lifelong ambition.
The resource fantasy
Regulations assume organisations have dedicated teams, strong governance, well-maintained systems, and budgets that adjust like elastic. Actual organisations have a handful of people juggling responsibilities, budgets that cannot stretch further, and technology stacks that creak like haunted floorboards. The distance between regulatory fiction and operational reality is the gap where compliance theatre thrives.
What regulations should include but do not
The obvious solutions are rarely adopted. If a regulation requires ten million euros' worth of work, then somebody should provide ten million euros, rather than hoping it materialises through goodwill. Grace periods should reflect the complexity of the tasks. Contradictory requirements should be removed instead of layered endlessly. Regulators should differentiate between organisations that try in good faith and those that simply impersonate effort. And yes, there should be explicit resource requirements, not an assumption that companies can conjure expertise from the ether.
None of this tends to occur, because regulators write rules, legislators approve them, and everyone quietly assumes implementation is someone else’s problem.
The survival tactics
Organisations that do not want to drown must prioritise brutally, document their limitations, push back when timelines are impossible, collaborate with peers, and invest in fundamentals rather than fashionable tools. Individuals must protect themselves with written documentation, clear boundaries, and the occasional strategic refusal.
The bleak reality
Every regulation adds cost. Every cost generates shortcuts. Shortcuts generate debt. Debt accumulates. And each compliance cycle allows everyone to pretend the debt does not exist, until an incident forces a more honest accounting.
Most likely, a bill is coming. It has always been coming. And we keep adding interest.