For many organisations, compliance has become the primary focus through which security and risk are managed. Legislation is adopted, policies are written, audits are passed and certifications are maintained. In theory, everything appears to be aligned with the regulations, but compliance is often not the same as readiness.
Nowadays, there are many frameworks addressing cybersecurity, ranging from the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) to System and Organization Controls (SOC 2), the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2) to name a few.
The NIST Cybersecurity Framework is a voluntary set of guidelines developed by the National Institute of Standards and Technology to help organizations manage cybersecurity risk. It organizes practices into five core functions: Identify, Protect, Detect, Respond and Recover, enabling structured and flexible security improvement.
ISO/IEC 27001 is an international standard by the International Organization for Standardization for managing information security. It defines requirements for an Information Security Management System (ISMS), emphasizing risk management, controls and continuous improvement to protect confidentiality, integrity, and availability.
The Digital Operational Resilience Act is an EU regulation that ensures financial entities can withstand, respond to and recover from ICT disruptions. It sets requirements for risk management, incident reporting, resilience testing and third-party oversight to strengthen operational resilience across the financial sector.
The NIS2 Directive is an EU directive that enhances cybersecurity across essential and important sectors. It requires risk management measures, incident reporting, and governance accountability, aiming to improve the overall resilience and security of network and information systems across member states.
SOC 2 is a framework developed by the American Institute of Certified Public Accountants for assessing how organizations manage customer data. It evaluates controls based on trust service criteria, security, availability, processing integrity, confidentiality, and privacy through independent audits of operational effectiveness.
All the above frameworks and regulations provide a structured approach, establishing baseline requirements and defining controls that organizations need in order to manage known risks consistently. In other words, they define what “good” looks like under normal circumstances. However, much of this can remain on paper. Factors such as the speed of recovery, the level of coordination and the decisiveness of execution often fall outside what frameworks explicitly measure. As a result, a gap emerges between theory and practice, one that becomes evident during real incidents.
The 2017 Maersk NotPetya attack is often cited as a benchmark case for resilience. Although Maersk had security measures aligned with industry practices, the malware spread rapidly across global systems, forcing a near-total rebuild of its IT infrastructure. What mattered most in recovery was not compliance readiness, but the company’s ability to rebuild identity systems, restore operations from backups and coordinate response efforts across global teams under extreme time pressure.
Even outside cyberattacks, operational resilience gaps appear in cloud and service outages. For example, the 2021 Facebook (Meta) global outage was triggered by a configuration error that took down internal systems, preventing engineers from even accessing recovery tools remotely. This incident highlighted a key resilience issue: when core dependencies fail, traditional response procedures can break down if they rely too heavily on the same disrupted infrastructure.
So, what is the key to transitioning from compliance to resilience? The first step is a shift from a sole focus on prevention to accepting that even the most mature security setups can experience breaches and operational downtime. Once this is acknowledged, greater emphasis is placed on whether teams can communicate effectively during downtime, whether recovery procedures function under pressure and whether the extent of system dependencies is fully understood.
Resilience is built through incident response capability, crisis management, business continuity planning and regular testing. It also requires coordination across technical, operational and leadership teams because in a real incident, technical teams alone are not enough.
The World Economic Forum has emphasised this shift as well: the goal is no longer simply to prevent incidents, but to ensure organisations can continue operating through them, limiting damage and recovering quickly.
Resilience does not replace compliance; it builds on it. Compliance provides the foundation of controls and governance, while resilience focuses on how those controls perform under stress. Organisations that recognise this distinction shift their attention from the mere presence of controls to their effectiveness, testing, simulating and refining them to strengthen real response capability.
Ultimately, the question shifts from “Are we compliant?” to “Can we continue operating when it matters most?” That shift defines the difference between meeting requirements and being truly prepared. Compliance is the starting point. Resilience determines the outcome.