The expanding digital landscape and wave of high-impact cyberattacks have prompted governments worldwide to intensify their efforts in cybersecurity regulation. The EU’s NIS2 directive, implemented by most member states last year, largely mirrors the USA’s Zero Trust mandate, while the UK is preparing to introduce its own Cyber Security and Resilience bill by late 2025.
Stronger regulation is a welcome step, but it is not without challenges. Ten months after NIS2 enforcement, many businesses are still struggling to meet its rigorous standards. The complexity and scale of modern IT environments often leave organisations without the visibility needed to implement effective governance controls, making regulations seem daunting.
But this challenge presents an opportunity. Rather than viewing this process as a tick-box exercise, businesses should focus on addressing the underlying issues of visibility and complexity. By solving these foundational problems, compliance becomes a natural outcome, not just a regulatory requirement.
Diagnosing complex IT environments
According to the European Union Agency for Network and Information Security (ENISA), the primary obstacle to meeting NIS2 regulations is the complexity of modern supply chains and infrastructure, particularly those involving third-party data and a limited view of cloud-based environments. While cloud computing offers huge advantages, its rapid adoption, alongside the explosive growth of the Internet of Things (IoT), has introduced significant challenges.
By late 2024, the number of connected devices worldwide had surged to 16.6 billion, dramatically expanding the attack surface and adding layers of complexity to IT estates. The cloud, while enabling seamless third-party collaboration, also introduces new security risks. NIS2 rightly addresses this by mandating stricter controls over third-party applications and data sharing.
An over-reliance on technology that was once fit for purpose compounds the issue. Many organisations still rely on networking solutions like Software-Defined Wide Area Networks (SD-WANs), originally built for on-premises environments. In isolation, SD-WAN struggles to support the increasingly dynamic nature of accessing data from any device, in any place where data is stored, across both private and public cloud, often obscuring visibility and complicating governance. In effect, businesses are trying to secure their digital assets without a clear view of what those assets are, a major barrier to both compliance and security.
To meet the demands of today’s threat landscape, businesses must ‘turn on the lights.’ That means investing in modern solutions that enable proactive governance. Only then can organisations secure their attack surfaces and build compliant networks.
Securing cloud environments
Visibility and strong network governance are key drivers of effective compliance. The first step is controlling access in cloud environments, something that isolated SD-WAN solutions struggle to achieve. Instead, organisations should adopt a more holistic, cloud-native approach through Secure Access Service Edge (SASE). SASE builds on the access control strengths of SD-WAN but goes further by integrating advanced security capabilities directly into the cloud. It combines networking and security into a unified framework, enabling granular access controls and consistent policy enforcement across distributed environments.
Crucially, SASE makes cloud-native assets visible, making it easier to identify and mitigate cyber risks. This lays the groundwork for strong governance and is essential for meeting the demands of modern frameworks like NIS2. Moreover, enhanced visibility and access control make it far easier to implement Zero Trust architectures, which are vital for preventing unauthorised access and stopping threats before they spread.
Establishing efficient network governance
The next step is applying precise and effective network controls, and microsegmentation is one of the most powerful tools available. Microsegmentation divides cloud-native networks into segregated and secure zones, making it easier to enforce tailored security and access policies.
Think of it like a house: each room has its own door and light switch. Access to each room requires reauthentication, and the controls within can be customised based on the sensitivity of the data or the function of the zone. This structure not only strengthens Zero Trust architecture but also limits the impact of potential breaches by preventing lateral movement across the network.
More importantly, microsegmentation simplifies control. It gives networking and security teams a clear framework to apply the right protections in the right places, streamlining risk mitigation as a result. This is especially critical in sectors like retail and finance, where sensitive customer and personal data is at stake. By isolating and securing these high-risk areas, organisations can significantly reduce the likelihood of a major breach.
Treating compliance as an opportunity
As everyone’s digital footprint grows, attack surfaces are expanding rapidly, and many businesses remain underequipped to meet the challenge. Rising regulatory demands are not just a compliance issue; they are a wake-up call to take control of increasingly complex IT environments, and that control starts with visibility.
Businesses need to approach regulation as an opportunity to address foundational security challenges like fragmented infrastructure, poor visibility and outdated controls. By investing in the right frameworks and technologies, businesses can build safer, more resilient networks.
About the Author
Jonathan Wright is Chief Product Officer at GCX Managed Services, where he leads the business transformation strategy and the expansion of all its lines of business.