Compliance isn’t the goal. Resilience is.
Executives across newly regulated sectors are now facing NIS2, DORA, CER, and other EU laws that seem dense and complex. For organisations not used to cybersecurity legislation, this can feel like a sudden tidal wave of acronyms and obligations.
But beneath the legal language lies something surprisingly simple: structure and common sense.
What the New Legislations Are Really About
These laws are part of the EU’s push to build a trusted, resilient, and competitive digital economy.
They may differ in scope and wording, but they share the same intent:
- Resilience: Essential services must keep running, even in a crisis.
- Trust: Data, systems, and supply chains must be protected.
- Accountability: Leadership must own and manage risk.
- Consistency: A shared security baseline across Europe.
This isn’t about bureaucracy. It’s about structured management of digital risk.
Different Rules, Same Foundation
Whether it’s NIS2’s and CER’s focus on essential sectors or DORA’s focus on financial services, the underlying expectations are the same. Strip away the legal text and you’ll find that each law calls for a structured, risk-based approach built on a few fundamental capabilities:
- Know what you have and what’s critical. Map your assets, suppliers, and data, and identify which ones are vital to your operations.
- Protect what matters most. Assess how disruption could impact your business and apply proportional measures based on risk and importance. Security should enable operations, not constrain them.
- Detect incidents early. Incidents happen. Early detection limits damage and builds trust.
- Respond effectively. Clear plans, roles, and communication (and reporting) lines make all the difference under pressure.
- Recover and improve. Be able to recover and learn from incidents. Resilience means adapting, not avoiding all risks.
These are not new ideas. They follow principles aligned with ISO 27001 and the NIST Cybersecurity Framework, offering practical methods to keep your business running under pressure.
From Compliance Checklists to Business Resilience
Many organisations jump straight into legal compliance, creating policies and documents to “tick the box.” This often results in documentation-heavy systems that do not improve security or resilience. You can be fully compliant on paper and still be vulnerable in practice.
The problem is a compliance mindset. It focuses on documents and audits instead of the underlying risks and processes. What is needed is a resilience mindset, one that focuses on protecting operations and people, not just passing an audit. Real security comes from how you run the business, not from how many policies you produce.
Start by aligning legislation with your own context. Use the intent of the law as direction, not a checklist. Build security into everyday processes and tools so it becomes part of how work gets done. Automate repetitive or time-consuming tasks to free people from administrative effort and reduce human error.
Leadership is key. Make managers responsible for integrating security in their areas. Culture and accountability are far more effective than documents.
An Information Security Management System (ISMS) brings all this together. It gives structure to the work, defining responsibilities, managing risk systematically, and ensuring continuous improvement. When you manage information security through an ISMS, compliance follows naturally. It becomes a byproduct of doing things right.
When security is embedded in how the business operates, it stops being an additional task. It moves security from “extra work” to “the way we do things.”
Start With the Right Question
If your company is newly covered by NIS2 or similar laws, don’t start by asking, “Which article applies to us?”
Start by asking, “Do we have a structured way to understand, manage and improve our digital resilience?”
If the answer is no, that’s your first compliance gap, and your best opportunity.
Build your ISMS before you build your compliance folders. That’s how you turn legislation into value, not paperwork. Because compliance isn’t the goal. Resilience is.