EU organizations buckle under rising compliance pressure

Cybersecurity governance in the EU is shifting under expanding frameworks such as NIS2 and DORA, while AI raises new questions for security teams. What the future brings is hard to predict, and organizations must find a way to cope.

Antonija Vojnović, Governance, Risk and Compliance Department Manager at Span, spoke with Help Net Security at the Span Cyber Security Arena conference about how these regulatory frameworks are shaping compliance priorities and day-to-day decision-making.

Compliance overload across organizations

Companies in the EU are dealing with an increasing volume of regulations, with frameworks overlapping in some areas while differing in others.

“Not everyone can explain what applies to whom and why. For example, GDPR and NIS2 affect different types of data, but they should complement each other,” Vojnović said.

Organizations are often unsure where to start or how to prioritize compliance efforts.

NIS2 implementation differs among EU member states because it is a directive, which means each country must translate it into national legislation.

“Croatia has legislation in place. Slovenia also has legislation, though not in the same form.”

Vojnović says the goal of NIS2 is to improve awareness and align cybersecurity standards at EU level, but not all countries are at the same level of maturity. Different countries and companies need different amounts of time to adapt.

In Croatia, she notes, organizations are still waiting for the first audits to understand how enforcement will work in practice, what penalties will look like, and whether changes will follow after initial findings.

She adds that uncertainty remains around implementation and scope, including which organizations will fall under the directive.

Parallel regulatory pressure

Asked whether the growing set of regulations will ultimately help, Vojnović says regulations are useful, but too many are being introduced at the same time.

She points to NIS2, DORA, and the AI Act as examples of frameworks that arrive in parallel, creating pressure for organizations trying to implement them.

She suggests introducing one regulation first, observing how it works in practice, then building on it with additional measures.

Vojnović says the volume of change leaves organizations overwhelmed and unsure how to prioritize requirements.

According to a Censuswide survey, 96% of financial services organizations in EMEA say their data resilience is not where it needs to be to meet regulatory expectations under DORA.

AI security and regulatory response

The AI frenzy is visible everywhere, and the EU is no exception. AI spending in Europe is forecast to reach $290 billion by 2029, growing at 33.7% annually.

Along with that growth comes concern about misuse and how difficult it can be to control real-world applications of AI systems. The EU has responded with the AI Act, setting out rules for how AI is developed and used.

The European Telecommunications Standards Institute (ETSI) has also published EN 304 223, a standard focused on baseline cybersecurity requirements for AI systems in operational use. It treats AI as its own security category, with attention to system-specific risks.

Vojnović thinks AI can be regulated, but this depends on how it is used and how it may be misused for malicious purposes. She is not convinced the EU AI Act will bring major change.

“I think awareness may ultimately be more valuable. People should understand that AI tools can use private information for training purposes and that these tools should be used responsibly.”

Vojnović adds that AI can be useful, but not in every scenario. It should be used where it adds value, without entering private information or relying on it for everything.