Manage compliance

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that regulates how organisations process and protect personal information of individuals in the EU. It applies to any organisation, regardless of where it’s based, that offers goods or services to, or monitors the behaviour of, individuals within the Union.

The regulation is built around several core principles:

• Transparency and fairness — Be clear and open about why data is collected and how it will be used.
• Purpose and minimisation — Collect data only for a specific, stated purpose, and retain it only as long as needed.
• Accuracy — Ensure the data you hold is correct and kept up to date.
• Security — Implement strong measures to protect data against loss, destruction, or unauthorised access.

It also grants individuals specific rights, including: access to their data, correction, deletion, and the ability to withdraw consent at any time.

From an operational standpoint, organisations must establish a legal basis for processing data, report qualifying breaches to the relevant authority within 72 hours, and embed data protection into the design of new systems and processes rather than treating it as an afterthought.

Non-compliance can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher.

Where do we fit

We can help with security-related requirements covered in Article 32 (security of processing). This includes implementing technical and organisational measures, building secure processes that respect data minimisation and retention principles, and ensuring your ISMS addresses data protection risks. We can also support breach response procedures and gap assessments where security and privacy requirements overlap.

We don’t offer DPO services, data subject rights processes, data protection impact assessments, legal interpretation of processing lawfulness, or representation with supervisory authorities. These require privacy expertise positioned as an independent function.

The Digital Operational Resilience Act (DORA) is an EU regulation that ensures financial entities can withstand, respond to, and recover from information and communication technology (ICT) disruptions and threats. It applies to almost all financial institutions operating within the EU, such as banks, insurers, investment firms, and payment providers, as well as their third-party technology providers, such as cloud platforms and software vendors.

The regulation is built around several core pillars:

• ICT risk management — Establish a comprehensive governance framework to identify, protect against, and recover from IT risks.
• Incident reporting — Classify and report major technology-related incidents to relevant authorities within strict time frames.
• Resilience testing — Regularly test IT systems for weaknesses, ranging from basic assessments to advanced penetration testing.
• Third-party risk management — Actively monitor and control the risks introduced by external IT suppliers and the wider supply chain.

Firms must map their critical IT assets, enforce strict security requirements with service providers, and prove they can maintain critical business functions during a severe cyberattack or ICT disruption.

Non-compliance can result in severe regulatory sanctions, personal liability for management, and for critical third-party providers, daily penalty payments of up to 1% of their global average daily turnover.

Where do we fit

We can help with ICT risk management framework development, gap assessments against DORA requirements, policy development, and third-party risk processes. If you already have ISO/IEC 27001, we can help map your existing controls to DORA requirements and close gaps.

Threat-led penetration testing (TLPT), audits, and ongoing legal consulting or regulatory filings are outside our scope. Independent verification should be sourced separately from implementation support.

The Network and Information Security Directive 2 (NIS2) is the second iteration of the EU’s directive aimed at establishing a high common baseline of cybersecurity across all member states. It significantly expands the scope of cybersecurity requirements compared to the original NIS Directive, applying to both medium and large organisations across 18 sectors including energy, transport, health, digital infrastructure, and ICT service providers.

The directive is built around several core pillars:

• Risk management measures — Implement technical, operational, and organisational measures to manage cyber risks.
• Incident reporting — Follow strict, phased reporting requirements for significant incidents.
• Supply chain security — Assess and manage the cybersecurity risks within your broader supply chain and supplier relationships.
• Management accountability — Senior management must actively approve, oversee, and be trained on cybersecurity measures.

Operationally, organisations must establish security policies, maintain business continuity and crisis management plans, and secure network and information systems throughout their lifecycle.

Non-compliance can result in fines of up to €10 million or 2% of global annual turnover, as well as personal liability and temporary bans for senior management.

Where do we fit

We can help with scoping and applicability assessment, gap analysis against requirements, risk management framework implementation, policy development, supply chain security processes, and management briefings on accountability obligations. ISO/IEC 27001 provides a strong foundation — we can help you build on it.

We don’t provide formal legal opinions, entity classification determinations, or legal representation with regulatory authorities.

The Cyber Resilience Act (CRA) is an EU regulation that sets cybersecurity requirements for products with digital elements placed on the EU market. This includes software applications, connected devices, and their remote data processing components. It applies to manufacturers, importers, and distributors, covering the entire product lifecycle from design through to end-of-support.

The regulation is built around several core pillars:

• Secure by design — Products must be designed and developed with appropriate levels of cybersecurity from the outset, based on risk assessment.
• Vulnerability handling — Manufacturers must identify and remediate vulnerabilities, provide security updates, and maintain a coordinated disclosure process.
• Incident reporting — Actively exploited vulnerabilities and severe incidents must be reported within 24 hours.
• Transparency — Provide clear security information to users, including support duration, update processes, and a software bill of materials.

Products must carry CE marking to demonstrate conformity. Most obligations apply from December 2027, with vulnerability reporting requirements taking effect from September 2026.

Non-compliance can result in fines of up to €15 million or 2.5% of global annual turnover, whichever is higher.

Where do we fit

If you develop software for the EU market, we can help you assess development practices against CRA requirements and build compliant processes: secure SDLC implementation, vulnerability management workflows, incident reporting procedures, and documentation practices. Our background in software development and security engineering makes this a natural fit.

We don’t handle CE marking, conformity assessments for critical products, or act as your authorised representative.