Cybersecurity stands between rapid innovation and an avalanche of regulations. It’s not enough to be driven by fear or merely to “tick off” compliance; what’s decisive is a responsible, long-term strategy led from the top. And that strategy is being shaped today by new rules from NIS 2 through GDPR to the AI Act.
From Fear to Strategy
Companies tend to respond in three ways: with fear, by pure compliance box-ticking, or with a responsible approach. The first two are reactive and formal; the third is about a well-thought-out strategy, planning, and business continuity. Responsibility lies with leadership: it must decide on priorities and resources, and make clear that security is not a brake on innovation but its prerequisite.
A good illustration comes from practice: during a training session at a large company, managers were asked how long they could survive without production. Answers ranged from two weeks to six months. Without a unified leadership view of how long an outage is tolerable, it is difficult to plan either defense or recovery, because recovery objectives and the investment they justify follow from that figure. A clear strategy and a shared, agreed baseline are therefore key.
Regulations: More Than Just NIS 2
A host of frameworks now feed into security: besides NIS 2, there are GDPR, DORA, the Cyber Resilience Act, and the AI Act. AI was adopted at record speed, but regulation is arriving later, creating tensions between innovation and rules. The solution is not “paper” compliance, but a unified framework within the company and measurable outcomes that enable safe innovation.
The “Digital Omnibus” proposal of 19 November is also reshuffling the deck, aiming to tidy up the surplus of regulations. It will bring adjustments to definitions in GDPR and, above all, a unified “single entry point” for reporting incidents under GDPR, NIS 2, CER, DORA, and eIDAS; its creation falls within ENISA’s remit. A further complication is that NIS 2 is a directive, so each EU member state transposes it into its own national law and the details differ from country to country. Multinational groups with subsidiaries in several countries need to factor this into their planning.
Security as a Process, Not a Project
Cybersecurity is not a target milestone but a way of managing the company. After “implementation,” the journey only begins: you need to build a security culture, regularly assess risks, and improve procedures. Many teams need leadership support so they have the mandate and resources to sustain defenses over time.
The consequences of failures extend beyond individual companies. In the case of Jaguar Land Rover, the impact of a cyber incident on the UK economy is estimated at £2.5 to £2.75 billion, a figure large enough to register in GDP. That is exactly why a leader must decide on investments, planning, and clear rules for incident response, from reporting through a single point to restoring production. A strategic approach is today the best insurance against uncertainty and changes in legislation.