EU groups struggle with mounting compliance burdens

Summary
– EU cybersecurity frameworks like NIS2 and DORA are expanding, creating compliance overload and uncertainty for organizations about priorities and enforcement.
– NIS2 implementation varies by EU member state because it is a directive, with Croatia and Slovenia having different legislation and maturity levels.
– Antonija Vojnović suggests regulations are useful but too many are introduced simultaneously, overwhelming organizations and hindering effective implementation.
– AI spending in Europe is forecast to reach $290 billion by 2029, prompting the EU AI Act and ETSI standard EN 304 223 for AI system cybersecurity.
– Vojnović believes AI can be regulated, but awareness of responsible use and misuse risks may be more valuable than the AI Act itself.
European organizations are increasingly finding themselves buried under a growing pile of compliance obligations as cybersecurity governance undergoes a major transformation. With frameworks like NIS2 and DORA evolving in parallel, and AI regulation adding new layers of complexity, security teams are scrambling to keep pace. The future remains uncertain, yet companies have no choice but to adapt.
Antonija Vojnović, Governance, Risk and Compliance Department Manager at Span, shared her insights during the Span Cyber Security Arena conference. She discussed how these overlapping regulatory frameworks are reshaping compliance priorities and influencing everyday decisions for security professionals.
The compliance overload hitting EU companies
Businesses across the European Union are facing an unprecedented wave of regulations, with some frameworks overlapping and others diverging in scope and intent.
“Not everyone can explain what applies to whom and why. For example, GDPR and NIS2 affect different types of data, but they should complement each other,” Vojnović explained.
Many organizations are left confused about where to begin or how to rank their compliance efforts. Because NIS2 is a directive, its implementation varies from one EU member state to the next. Each country must translate it into national law.
“Croatia has legislation in place. Slovenia also has legislation, though not in the same form,” she noted.
Vojnović emphasized that NIS2 aims to raise awareness and harmonize cybersecurity standards across the EU, but not all nations are equally mature in their approach. Different countries and companies require varying amounts of time to adjust.
In Croatia, organizations are still awaiting the first round of audits to see how enforcement will actually work, what penalties might be imposed, and whether initial findings will trigger adjustments.
She added that uncertainty persists around implementation details and scope, including which specific organizations will ultimately fall under the directive.
Parallel regulatory pressure creates confusion
When asked whether the growing stack of regulations will ultimately benefit the sector, Vojnović argued that while regulations are helpful, too many are being introduced simultaneously.
She pointed to NIS2, DORA, and the AI Act as examples of frameworks arriving at the same time, putting enormous pressure on organizations attempting to implement them all.
Her suggestion is to introduce one regulation first, observe its real-world effects, and then build upon it with additional measures.
Vojnović stated that the sheer volume of change leaves organizations feeling overwhelmed and uncertain about how to prioritize competing requirements.
A Censuswide survey found that 96% of financial services organizations in EMEA believe their data resilience is insufficient to meet regulatory expectations under DORA.
AI security and the regulatory response
The AI frenzy is impossible to ignore, and the EU is no exception. AI spending in Europe is projected to hit $290 billion by 2029, growing at an annual rate of 33.7%.
This rapid growth brings concerns about misuse and the difficulty of controlling real-world AI applications. The EU has responded with the AI Act, which establishes rules for AI development and deployment according to the risk level of each system.
The European Telecommunications Standards Institute (ETSI) has also released EN 304 223, a standard focusing on baseline cybersecurity requirements for AI systems in active use. It treats AI as its own distinct security category, paying close attention to system-specific risks.
Vojnović believes AI can be regulated, but the effectiveness depends on how the technology is used and how it might be misused for malicious purposes. She is skeptical that the EU AI Act will drive significant change.
“I think awareness may ultimately be more valuable. People should understand that AI tools can use private information for training purposes and that these tools should be used responsibly,” she said.
She added that AI can be useful, but not in every situation. It should be applied where it adds real value, without feeding in private data or relying on it for every decision.
(Source: Help Net Security)