All Articles
-
DORA's First Enforcement Cycle: Fines, Register of Information Failures, and What CISOs Must Fix Now
European regulators are issuing the first material penalties under DORA's 2026 enforcement cycle. Register of Information gaps and ICT risk management failures are the lead findings. Here's what boards and CISOs need to do before Q3 supervisory reviews.
regulatory-update -
ITDR: What the Board Needs to Know About Identity Threat Detection
Identity Threat Detection and Response addresses the gap that SIEM and EDR leave open — the lateral movement, credential abuse, and token theft that lives inside authenticated sessions. This briefing explains what ITDR is, what it catches that existing tools miss, and how to build the business case.
risk-analysis -
NIS2 Enforcement Is Underway: What Early EU Penalties Mean for Your Organisation
EU member states have begun issuing formal NIS2 enforcement actions. Germany has issued 47 formal notices, France has ordered remediation across energy and transport, and personal liability for senior executives is now active. What CISOs need to bring to the board.
regulatory-update -
Post-Quantum Cryptography: The Migration Decision CISOs Can No Longer Defer
NIST's post-quantum cryptography standards are final, NSA compliance deadlines for national security systems begin in January 2027, and adversaries are already collecting encrypted data for future decryption. This briefing provides CISOs with the governance framework for starting migration now.
risk-analysis -
Geopolitical Cyber Risk in 2026: A Briefing Framework for Boards and CISOs
Nation-state cyber operations have moved from targeted espionage to broad pre-positioning and disruptive campaigns affecting commercial organisations. This briefing provides CISOs with a framework for assessing and communicating geopolitical cyber risk to boards.
risk-analysis -
Shadow AI: The Governance Gap That's Driving Your Next Data Breach
Three quarters of CISOs have already discovered unsanctioned GenAI tools running in their environments. The data suggests the breach hasn't happened yet -- but the conditions are in place.
risk-analysis -
CIRCIA Is Live: What the 72-Hour Reporting Rule Means for Your Organisation
The Cyber Incident Reporting for Critical Infrastructure Act final rule took effect in May 2026, establishing mandatory 72-hour incident reports and 24-hour ransomware payment disclosure for covered entities. Here's what CISOs need to have in place before an incident.
regulatory-update -
NIS2 Supply Chain Security: What Article 21 Actually Requires -- and What Most Organisations Are Getting Wrong
NIS2 Article 21 mandates supply chain security as a core cybersecurity obligation for essential and important entities. This briefing covers what the directive requires, the implementation gaps most organisations have, and what boards need to understand before their national regulator comes looking.
risk-analysis