EMEA & Ireland — DORA — NIS2 — EU AI Act — ISO 42001
Execution Record

Regulatory Delivery & Assurance

27 years delivering regulated outcomes under scrutiny — NIS, NIS2, CAF, Ofgem, DORA. Not doctrine alone: assessed, evidence-packed, and regulator-ready.

27 years: Securing regulated critical infrastructure
CAF A–D assessments: Full-objective delivery end-to-end
Zero breaches track record: Managing >£500B in regulated assets
4 regulators: NIS/NCSC, Ofgem, FCA, EBA/ESMA
Regulatory Execution

900+ Frameworks Delivered

Across 60 jurisdictions, spanning cybersecurity, data protection, AI governance, digital markets, and financial resilience. Every framework aligned to delivery capability, evidence production, and regulator expectation.

30+ regulatory frameworks: Core & emerging requirements
60+ jurisdictions worldwide
6 doctrine responses: Integrated delivery models
100% evidence-packed: Regulator-ready delivery
Foundation Delivery

Core Frameworks (Existing)

The regulatory foundation: NIS/NIS2, NCSC CAF, Ofgem OES. Each delivered end-to-end with evidence packs, assessment roadmaps, and regulator-ready submissions across £500B+ in managed assets.

NIS / NIS2 Regulations

NIS/NIS2
In Force

UK SI 2018/506 + EU 2022/2555. Delivered OES compliance programmes across energy, finance, and digital infrastructure. End-to-end gap assessments, CAF alignment, evidence production, and Board-level reporting.

Enforcer: Ofcom, Ofgem, ICO, EBA/ESMA
Decision Rights™ · Recoverability™

NCSC Cyber Assessment Framework

CAF
In Force

Full CAF A–D assessments across all four objectives. Produced IGP scoring, evidence packs, and remediation roadmaps aligned to NCSC expectations. Direct experience with regulator-ready submissions.

Enforcer: NCSC
Evidence Chain™

Ofgem Cyber Compliance (OES)

Ofgem
In Force

Ofgem-specific NIS compliance for Operational Technology environments in energy. Delivered evidence packs for review cycles. Mapped ICS/SCADA controls to CAF objectives with supporting artefacts.

Enforcer: Ofgem
Recoverability™

ISO 27001 / NIST → CAF Mapping

Mapping
In Force

Cross-mapped ISO 27001 and NIST control frameworks against CAF objectives to eliminate duplicate effort. Produced control equivalence matrices used in regulator correspondence.

Enforcer: Multiple (via CAF alignment)
Evidence Chain™
EU Regulatory Landscape

EU Cybersecurity & AI Regulations

Comprehensive EU coverage: DORA (financial resilience, now enforced), NIS2 (critical infrastructure transition), EU AI Act (risk-based classification), CRA (supply-chain security). Personal director liability, €10M+ fines, Board oversight requirements.

DORA (EU 2022/2554)

DORA
In Force (17 Jan 2025 • Active enforcement)

Digital Operational Resilience Act for financial sector. 4-hour incident reporting for major incidents. Register of Information Q1 2026, on-site ICT risk inspections underway. Board-level ICT risk framework requirements.

Enforcer: EBA, EIOPA, ESMA
Evidence Chain™ · Recoverability™

NIS2 Directive (EU 2022/2555)

NIS2
Transposition (13/27 MS not transposed, Apr 2026)

Expanded NIS scope to essential services and critical digital infrastructure. €10M or 2% global turnover fines. First audits 30 Jun 2026. Art. 20: personal liability for directors on cyber negligence.

Enforcer: National CAs, ENISA
Decision Rights™ · Board Survivable™

EU AI Act (EU 2024/1689)

AI
Phased (2 Aug 2026 key provisions)

Risk-based classification: Prohibited, High-Risk, Limited Risk, Minimal Risk. Penalties up to 7% global annual turnover. Mandatory conformity assessments, documentation, and human oversight for high-risk systems.

Enforcer: National Market Surveillance, EU AI Office
AI Accountability™

Cyber Resilience Act (EU 2024/2847)

CRA
Phased (Dec 2027 full application)

Security by design for products with digital elements. Automatic security updates, vulnerability handling, and responsible disclosure. Enforcement via National Market Surveillance authorities.

Enforcer: National Market Surveillance
Evidence Chain™ · Contract Control™

EU Cybersecurity Act (2019/881 + 2026)

ECS
Legislative (COM(2026)900 published 20 Jan)

Extends ENISA mandate to managed security services certification. ICT supply-chain security focus. €341M budget allocation 2028–2034. Expands security product certification schemes.

Enforcer: ENISA, National CAs
Evidence Chain™

Cyber Solidarity Act (EU 2025)

Solidarity
In Force (4 Feb 2025)

€36M Cybersecurity Reserve fund. EU-wide SOC network activation. ENISA Single Reporting Platform by Sept 2026. Cross-border incident response and intelligence sharing.

Enforcer: ENISA, National SOCs
Recoverability™

eIDAS2 EU Digital Identity

eIDAS
Rollout (Dec 2026, 27 MS adoption)

EU Digital Identity Wallets across all Member States. Secure trustworthy digital identity infrastructure for cross-border services. Pilot programmes expanding. Interoperability mandates.

Enforcer: National Supervisory Bodies
Decision Rights™

ISO 42001 AI Management

ISO
Published (certification available now)

International standard for AI governance systems. Establishes controls for developing, implementing, and managing AI across organizational functions. Aligned with EU AI Act risk frameworks.

Enforcer: Accredited Certification Bodies
AI Accountability™
Data & Platform Governance

Data Protection & Digital Markets Regulation

GDPR (enforcement exceeds €7.1B), ePrivacy, DMA/DSA for digital platforms. Data protection by design, algorithmic transparency, gatekeeper regulation, user consent frameworks. Irish DPC as EU lead authority.

GDPR (EU 2016/679)

GDPR
In Force (total enforcement €7.1B+)

Data protection by design and by default. 72-hour breach notification. DPIAs for high-risk processing. Fines up to 4% global turnover. Irish DPC enforcement: €4.04B. 2026 coordinated transparency focus.

Enforcer: National DPAs (CNIL, ICO, BfDI, DPC)
Evidence Chain™ · Board Survivable™

ePrivacy Directive (2002/58/EC)

ePrivacy
In Force (awaiting Regulation replacement)

Regulates cookies, electronic marketing, email spam, privacy of electronic communications. Consent requirements, opt-in/opt-out mechanisms. Cookie banner compliance and tracking controls.

Enforcer: National DPAs
Contract Control™

Digital Markets Act (DMA)

DMA
In Force (gatekeepers designated)

Designates digital gatekeepers (Meta, Alphabet, Apple, etc.). Mandates interoperability, prohibits self-preferencing, prevents combining user data without consent. Compliance documentation requirements.

Enforcer: European Commission (DG COMP)
Decision Rights™

Digital Services Act (DSA)

DSA
In Force (VLOP compliance ongoing)

Strict risk assessment and independent audits for VLOPs (45M+ EU users). Faster illegal content removal, algorithmic transparency, user appeals. Systemic risk mitigation requirements.

Enforcer: EC, National Digital Services Coordinators
AI Accountability™
UK Regulatory Framework

UK Cybersecurity & Data Protection

Post-Brexit independent regulatory framework: NIS 2018, UK GDPR, FCA Operational Resilience, Cyber Security & Resilience Bill 2025. Digital Security Act, PSTI for products, Telecoms Act. ICO enforcement authority with enhanced powers.

UK FCA Operational Resilience

FCA
In Force (compliance deadline 31 Mar 2025)

Financial firms identify important business services, set impact tolerances, test against severe-but-plausible scenarios. Board accountability for resilience. Attestations to FCA/PRA on control effectiveness.

Enforcer: FCA, PRA
Recoverability™ · Decision Rights™

UK GDPR + Data Protection Act 2018

DPA
In Force (post-Brexit independent)

UK GDPR with post-Brexit modifications. DPA 2018 supplements GDPR for law enforcement processing. 72-hour breach reporting to ICO. Appropriate technical/organisational security measures.

Enforcer: ICO
Evidence Chain™ · Board Survivable™

NIS Regulations 2018 (UK SI 506)

NIS
In Force (sector CA enforcement)

Operators of essential services (energy, health, transport, water) and digital service providers. Security requirements, incident reporting to sector CAs. Alignment with upcoming Cyber Security & Resilience Bill.

Enforcer: Ofcom, Ofgem, ICO, etc. (Sector CAs)
Recoverability™

Cyber Security & Resilience Bill 2025

CSRB
In Progress (expected 2026)

Expands NIS scope to more digital services and supply chains. Tightens incident reporting timelines. Increases fines. Introduced 12 Nov 2025. Replaces/amends NIS 2018.

Enforcer: DSIT, Sector CAs
Decision Rights™ · Recoverability™

Product Security and Telecommunications Infrastructure Act 2022 (PSTI)

PSTI
In Force (implementation ongoing)

Security requirements for consumer-connectable products. Bans default passwords, mandates vulnerability disclosure, minimum security update periods. Fines up to £10M or 4% global turnover.

Enforcer: OPSS
Contract Control™

Telecoms Security Act 2021

Telecoms
In Force

Stricter security duties on public telecom providers. Supply chain security for network equipment and services. Critical equipment controls (vendor assessments, equipment bans, change controls).

Enforcer: Ofcom
Contract Control™

Computer Misuse Act 1990

CMA
In Force

Criminal offences: unauthorised computer access, modification, making/supplying misuse tools. Incident response policies, forensics coordination. Board awareness of criminal liability exposure.

Enforcer: CPS, NCA
Board Survivable™

Data (Use and Access) Act 2025

DUA
Enacted (post-Brexit international data flow reform)

Reforms data protection to simplify research and AI use cases. Clarifies international data transfer mechanisms post-Brexit. Interoperability requirements for data holders.

Enforcer: ICO
AI Accountability™

SEC Cyber Rules (US — Global Impact)

SEC
In Force (SEC registrants, including foreign private issuers)

Material cyber incident disclosure on Form 8-K within 4 business days of the materiality determination. Annual disclosure of cyber risk management, strategy, and governance in the 10-K. Board-level oversight disclosure. Applies to SEC registrants, including non-US foreign private issuers, rather than to every listed company worldwide.

Enforcer: SEC, DOJ
Board Survivable™
Irish Regulatory Authority

Ireland Digital Regulation Matrix

Ireland as EU lead authority: DPC (GDPR enforcement), NCSC (cybersecurity), AI Office of Ireland (Oifig IS), Coimisiún na Meán (online harms). Personal director liability, €35M AI fines, €20M online safety fines. Dynamic regulatory environment.

Data Protection Act 2018 (DPC)

DPA
Active (EU One-Stop-Shop lead)

Enhanced DPC focus on Dark Patterns in UI/UX. Mandatory Right to be Forgotten for children's data. DPC as primary EU enforcement authority under One-Stop-Shop mechanism. Coordinated EU investigations.

Enforcer: DPC (Irish Data Protection Commissioner)
Evidence Chain™ · Board Survivable™

National Cyber Security Bill 2024/26

NIS2
Enforced (NCSC on statutory footing)

Places NCSC Ireland on statutory basis. Personal liability for Board members re cyber negligence. NIS2 transposition. Critical infrastructure and essential services designation.

Enforcer: NCSC Ireland
Decision Rights™ · Board Survivable™

Regulation of AI Bill 2026 (Ireland)

AI
Transitional (1 Aug 2026 statutory establishment)

General Scheme published Feb 2026. AI Office of Ireland (Oifig IS) coordinating enforcement across Central Bank, DPC, etc. AI fines up to €35M or 7% global turnover. Risk-based framework mirroring EU Act.

Enforcer: Oifig IS (AI Office of Ireland)
AI Accountability™

Online Safety & Media Regulation Act

Safety
Active (aggressive enforcement underway)

Governs harmful content on social media and video platforms. Fines up to €20M or 10% turnover. Rapid removal requirements, algorithmic transparency, user redress mechanisms.

Enforcer: Coimisiún na Meán (Media Commission)
Decision Rights™

Digital Services Act 2024 (Ireland)

DSA
Active (implementation ongoing)

Regulates online marketplaces, illegal content hosting, advertising transparency. Community guidelines enforcement. Algorithmic risk assessments for VLOPs operating in Ireland.

Enforcer: Coimisiún na Meán
AI Accountability™
Comparative Analysis

UK vs EU Regulatory Divergence

Post-Brexit regulatory divergence across cybersecurity, data protection, and AI governance. Different implementation timelines, enforcement authorities, and fine structures. Cross-border firms require dual-compliance programmes.

Framework / Aspect: UK approach, EU approach, key divergence

NIS / NIS2
  • UK approach: UK NIS 2018 (SI 506); sector CAs (Ofcom, Ofgem)
  • EU approach: EU NIS2 (13/27 transposed); National Competent Authorities
  • Key divergence: NIS2 expanded scope vs UK standalone regulation

Data Protection Fine Structure
  • UK approach: 4% global turnover (UK GDPR); no coordination mechanism
  • EU approach: 4% global turnover (GDPR); One-Stop-Shop coordination (DPC lead)
  • Key divergence: EU coordinated enforcement vs UK isolated

AI Governance
  • UK approach: No dedicated AI regulation yet; sector-specific oversight
  • EU approach: EU AI Act (2 Aug 2026); risk-based mandatory framework; €35M fines (7% turnover)
  • Key divergence: EU AI Act binding vs UK deregulatory approach

Product Security
  • UK approach: PSTI (2022), vulnerability disclosure and update periods; £10M or 4% global turnover fines
  • EU approach: CRA (Dec 2027), security by design; mandatory automatic updates; phased enforcement
  • Key divergence: UK early implementation vs EU phased (2027)

Cyber Risk for Financials
  • UK approach: FCA Operational Resilience; 31 Mar 2025 compliance
  • EU approach: DORA (17 Jan 2025 in force); 4-hour incident reporting
  • Key divergence: UK resilience focus vs EU incident reporting

Director Liability
  • UK approach: Computer Misuse Act 1990; criminal exposure
  • EU approach: NIS2 Art. 20 (personal liability); Ireland National Cyber Bill; statutory duty of care
  • Key divergence: EU explicit personal liability vs UK criminal law

Incident Reporting Timelines
  • UK approach: NIS 2018, sector-specific timelines; GDPR, 72 hours to ICO
  • EU approach: DORA, 4 hours for major incidents; GDPR, 72 hours to DPA
  • Key divergence: EU tighter critical incident timelines (4h)

Digital Markets Regulation
  • UK approach: Online Safety Act 2023 (Ofcom) and Digital Markets, Competition and Consumers Act 2024 (CMA)
  • EU approach: DMA (in force), gatekeeper regulation; DSA (in force), content and VLOP oversight
  • Key divergence: EU hardline gatekeeper controls vs UK softer approach

International Data Transfers
  • UK approach: Data (Use and Access) Act 2025; post-Brexit data flow flexibility
  • EU approach: GDPR adequacy assessments; SCCs / BCRs required
  • Key divergence: UK pragmatic post-Brexit vs EU strict adequacy

Regulatory Divergence Impact: Organisations operating cross-border (UK + EU/Ireland) require parallel compliance programmes. EU regulations often move faster (NIS2, AI Act, CRA) with stricter fines and tighter timelines. UK takes more flexible, sector-specific approach. Dual-headquarter firms and financial services with UK/EU presence should integrate evidence production across both frameworks to avoid duplication.

Hands-On Delivery

Assessment Experience

A — Governance & Risk

A1–A4 Coverage

  • Cyber risk management framework design
  • Board-level governance documentation
  • Third-party dependency mapping
  • Organisational risk appetite statements

Evidence Produced:

  • Evidence packs
  • IGP scoring matrices
  • Gap analysis reports
  • Remediation roadmaps

B — Protect

B1–B6 Coverage

  • Service protection policies
  • Identity and access management
  • Data security & media management
  • System security architecture

Evidence Produced:

  • Control assessments
  • Architecture reviews
  • Policy gap analysis
  • Uplift plans

C — Detect

C1–C2 Coverage

  • Security monitoring capabilities
  • Anomaly detection (OT/IT)
  • SOC integration assessments
  • Alert triage process design

Evidence Produced:

  • Monitoring maturity assessment
  • Capability maps
  • Detection playbooks
  • SOC roadmaps

D — Respond & Recover

D1–D3 Coverage

  • Incident response framework design
  • Tabletop exercise testing
  • Business continuity validation
  • Lessons-learned integration

Evidence Produced:

  • IR playbooks
  • Exercise reports
  • Recovery plans
  • Validation evidence
Delivery Under Scrutiny

Regulatory Deliverables Under Deadline

Fixed Submission Deadlines

Delivered regulatory artefacts — CAF self-assessments, evidence packs, remediation plans — within fixed regulatory submission windows. Coordinated multi-workstream delivery against NIS2's 24-hour and 72-hour incident reporting obligations.

Concurrent Compliance Workstreams

Managed parallel compliance programmes across NIS, DORA, and ISO 27001 in simultaneous engagement cycles. Built prioritisation frameworks to sequence deliverables without regulatory exposure. Zero missed submission deadlines across 8+ regulated programmes.

SME Evidence Coordination

Assembled and directed SME networks to produce evidence under time constraints — turning technical operations data into regulator-ready documentation. Built evidence libraries mapped to specific CAF objectives and control references.

Operational Capability

Incident Response & Crisis Uplift

  • Designed and uplifted IR frameworks aligned to CAF Objective D (D1 Response and Recovery Planning, D2 Lessons Learned)
  • Ran tabletop exercises for senior stakeholder groups including CISO, CTO, Legal, and Board observers
  • Tested response capability against realistic OT/IT attack scenarios (ransomware, supply chain compromise, insider threat)
  • Validated detection, containment, and recovery playbooks against regulatory expectations
  • Integrated post-exercise lessons learned into updated CAF D1/D2 scoring and evidence packs
  • Built crisis communications frameworks for regulators, customers, and executive leadership

Impact Metrics

  • 10+ tabletop exercises
  • D1/D2 CAF objective uplift
  • <4h detection-to-escalation
  • NIS2 Art. 23 reporting process validated

Lean Execution

Delivery Model: Small Team Ownership

Scoping & Mandate Setting

Defined assessment scope against regulatory boundaries. Established evidence requirements, stakeholder responsibilities, and timelines before engagement commencement.

Assessment Execution

Conducted end-to-end assessments independently — no reliance on large consultancy teams. Directly interviewed technical and operational SMEs. Produced findings without intermediary layers.

Evidence Production & Scoring

Built evidence packs from first principles. Applied IGP scoring methodology. Documented objective ratings with full supporting rationale aligned to NCSC guidance.

Reporting & Regulatory Submission

Authored final assessment reports in regulator-ready format. Structured findings for Board, CISO, and regulatory consumption simultaneously.

Remediation Roadmap Design

Developed prioritised remediation plans mapped to CAF objectives and NIS obligations. Sequenced activity by regulatory exposure, resource constraint, and delivery dependency.

Ongoing Assurance Tracking

Maintained remediation progress against regulatory milestones. Built governance cadence for Board reporting, including control status dashboards and risk register updates.

Enterprise Governance

Risk, Governance & Assurance Framework

Cyber Risk Register Management

Designed and maintained cyber risk registers aligned to enterprise risk frameworks (ISO 31000, NIST RMF). Calibrated risk ratings against regulatory impact thresholds. Produced risk reporting packs for Board and CISO consumption aligned to NIS and DORA obligations.

Governance Forum Design

Designed cyber governance forums including ISRM Committees, Cyber Risk Committees, and Executive Oversight panels. Produced governance charters, terms of reference, meeting cadence, and reporting templates. Ensured regulatory visibility at Board level.

Assurance & Control Testing

Managed second-line assurance activity across control environments. Delivered control testing schedules, findings registers, and closure evidence. Produced assurance outputs for regulatory submissions, internal audit, and third-party review.

Ready to Discuss Regulatory Delivery?

CAF assessments, NIS/NIS2 compliance programmes, Ofgem OES engagement, and incident response uplift — delivered end-to-end.

May 2026 · OT/ICS Doctrine Series · 11 Frameworks Cross-Mapped

Industrial Resilience — Regulatory Framework Coverage

21 OT/ICS doctrine papers (May 2026) cross-mapped against the regulatory frameworks they engage. Each framework links to the relevant papers.
