The keyword these days seems to be resilience. With the balance of power turning in favor of those willing to protect their (digital) sovereignty, states are firmly set in their quest to protect their most critical assets — such as manufacturing, energy systems, healthcare services and more.

A part of these efforts is to mandate businesses in these areas to take their cybersecurity a lot more seriously, with proper risk management practices and sound security strategies, or else they’d face legal repercussions and fines for noncompliance. 

However, the complex nature of these regulations makes organizations worried, finding that they might not have the time nor the right resources to comply.

Key points of this article:

  • A growing number of companies report troubles following various compliance requirements, such as those for cybersecurity, citing them as a complex business issue.
  • This is especially true for critical sectors like energy, manufacturing, professional services, and finance, which face the harshest regulations like NIS2 or DORA and are wary of buckling under the pressure.
  • The reality is that cybersecurity regulations are mandated to raise digital resilience across the board, protecting key industries from the ever more malicious threat landscape. Individual approaches to security aren’t up to snuff any longer.
  • Compliance is only as difficult as the effort a firm puts in. Certainly, remediation is more costly and time-consuming, especially when threat actors themselves abuse the regulatory reporting system. Therefore, focusing on step-by-step prevention can be the key to overcoming compliance difficulties.

Critically vulnerable

As a business grows, its operations become more complex, which can seem daunting to leadership. With scale comes increasing legal and other obligations — requiring specialized expertise. Based on the MetLife and U.S. Chamber of Commerce Small Business Index for Q4 2025, compliance was a growing issue for 37% of the surveyed firms.

In the Q4 2024 issue of the report, specifically, businesses based in the manufacturing (51%) and professional services (57%) sectors said they were impacted the most.

Why these sectors, exactly? Manufacturing seems to be in the news often, as some states would like to retain and protect this critical sector, since it is directly responsible for keeping a large portion of the national economy, workforce and other industries alive (medical devices, aerospace, chemicals, IT hardware…). 

As for professional services, we can say the same. Simply, when a firm cannot provide a particular service in-house, contracting an external partner (like accounting, legal services, research, or engineering) might be the best way to achieve a specific goal.

This, however, is also where their vulnerability lies. Such relationships often require sharing sensitive data, opening access to internal networks, or having the partner supply key components of a firm’s digital supply chain. When that partner is compromised, the result can be an incident that enters through a third party, and such incidents are especially difficult to monitor for.

The supply chain of a supply chain of a…

On that note, a major U.S. developer of business solutions was recently hit by a data compromise in a rather roundabout way, through one of its former payroll partners. An attack by the El Dorado ransomware group hit a partner of said payroll company, leading to theft of customer information that the payroll firm had been processing.

In truth, a handshake and a few signatures are no longer a guarantee of impenetrable business relationships. For sure, any burgeoning partnership or procurement order must go hand in hand with a full security audit to prevent trouble down the line, especially when critical data is in question.

Similarly, multiple companies based in the UK got hacked via their payroll provider’s use of the now infamous MOVEit file transfer software vulnerability by the Cl0p ransomware gang, losing sensitive employee data. 

In essence, these can be called second-tier supply-chain attacks — caused by a weak link in one firm’s supply chain compromising another. 

Continuing with more examples from the UK, major automotive manufacturing, retail and legal firms have been targeted by groups like Scattered Spider exploiting their supply-chain partners, resulting in losses numbered in billions of pounds.

Supply chains, especially digital ones, are ripe for attacks due to the intense connection between suppliers and contractors, built on top of trust and the intermixing of critical nodes for effective resource allocation and use.

While larger businesses could, with some help, weather such attacks, others like a 158-year-old UK trucking company couldn’t — all it took was a single guessed password for the company to fold. 

What’s difficult about compliance?

Let’s get down to brass tacks — compliance exists to establish certain standards across the board, leveraging governmental guidance to more easily achieve higher resilience. Without said guidance, firms would probably act according to their individual risk assessments, based on the industry they’re in, the resources they must protect, and the available budget to work with.

That is all quite logical. You spend where the spending is called for. A firewall is only as effective as the software and protocols it’s built upon, after all. Going beyond what’s needed and implementing excessive layers of security with multiple different providers at once might be a case of diminishing returns, since determined hackers will still likely find a way in…depending on how strong one’s controls over those layers and the in-between seams (like integration platforms) are.

Moreover, businesses don’t want to overcomplicate their bureaucracy. It takes time away from the daily agenda unless it’s useful for revenue generation. By adding compliance tasks on top of their duties, they might find themselves overwhelmed, especially smaller firms, which might not have the internal resources to fully handle such tasks.

Weaponization of disclosure

The above hasn’t escaped threat actor notice, either. There have been reports of cyber attackers’ use of compliance for extortion, forcing firms to do their bidding lest they get reported to the authorities by the attackers. Ransomware groups like BlackCat are known for filing formal SEC complaints to pressure victims into ransom payment, but they’re not alone, according to ENISA.

Regulating for prevention

The reason why regulations focus on resilience is simple — remediation is a fool’s errand. This might sound controversial, but partners won’t take a business seriously after it has suffered a major cyber incident. Having one’s sensitive info out there on the dark web is a great recipe for a future cyber disaster.

Perhaps then, following a prevention-first approach can ameliorate the growing burden of security compliance, setting an internal preventive strategy that works to satisfy both the regulators and a firm’s operational/resource demands. 

As an example, procuring a combined product like ESET PROTECT MDR can satisfy multiple regulatory demands at once, with the ESET PROTECT Platform’s diverse solutions filling in gaps related to vulnerability and patch management, full disk encryption, ransomware remediation, and more. 

The stars of the package are ESET MDR Service and ESET Premium Support, adding a human element into the mix and upping the ante to solve sophisticated security challenges in around 6 minutes per incident, a task that usually takes firms months to accomplish.

Thus, whether we are discussing acts such as the GDPR, NIS2, or DORA in the EU, or HIPAA and the CCPA in the US, any of them could be satisfied thanks to a full product plus service offer aimed at fully preventing any potential incident.

For those companies or organizations that require an added touch in the form of custom security solutions, ESET Corporate Solutions’ exhaustive service offer can reliably slot in to even the most sensitive environments.

Prioritizing security

Regulatory bodies aren’t keen on pushing firms around just for the sake of it; they understand that to create a more secure environment, they must shepherd the private sector themselves. Otherwise, states would end up with unfinished lines of defense, endangering not only their critical sectors, but also the lives of their citizens.
