COMMENTARY: Enterprises have generally treated regulatory compliance in cybersecurity as a “check-the-box” exercise. While this helps to create baseline protection, there’s something that’s often not given enough attention: What happens when something breaks?In a fast-changing world of frequent cyberattacks, complex IT environments, and AI systems, we should not make regulatory compliance just about audits and reporting. We also need to focus on measurable resilience.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]Regulators are starting to make this shift in approach. It’s increasingly reflected in frameworks and evolving standards. Regulators want enterprises to demonstrate that they can effectively restore systems, recover data, and resume critical services within certain time frames.While we’re looking at a major rethinking, it also presents an opportunity. For CISOs, CIOs, CTOs, and board members, measurable resilience can become far more than a regulatory burden. It can serve as a catalyst for strengthening operational preparedness across the enterprise.The need for changeThe European Union’s Digital Operational Resilience Act (DORA) represents a good example of the emerging regulatory mindset. It requires financial institutions and their technology providers to show that they can restore systems, maintain continuity of critical services, and withstand disruptions caused by cyber incidents or technology failures. The framework also introduces stronger expectations around backup systems and testing.Although DORA has primarily a regional scope, its influence will likely extend far beyond Europe, given the framework’s strong impact on global institutions.A similar change has happened with the Monetary Authority of Singapore (MAS). Its updated cyber standards increasingly emphasize cyber resilience and rapid recovery. It requires financial institutions to ensure the confidentiality, integrity, and availability of systems, including the use of immutable backups to defend against threats like ransomware.Singapore manages a large portion of global financial transactions, which means its regulatory expectations often have an outsized influence on global financial infrastructure and technology providers.Keep in mind that this shift toward resilience has also been reflected in other frameworks and standards, including updates to the Payment Card Industry Data Security Standard (PCI DSS), HIPAA security requirements, and Europe’s NIS2 directive.AI and agentic applications have driven many of these changes in regulatory focus. AI agents operate at machine speed, and so do the threats that target them. When there’s a breach, the blast radius expands much faster than any human response.In line with zero-trust principles, organizations must assume compromise and have sufficient recovery capabilities.Regulations can't do everything Regulation has its limits. Governments move slowly, and regulatory frameworks involve an extensive process of consensus, compromise, and coordination among agencies and stakeholders. Then, there’s a fragmented regulatory landscape, which can have divergent requirements across countries and states.Expect this fluidity to continue. One example: the Federal Risk and Authorization Management Program (FedRAMP), which has been critical in helping SaaS providers sell their services to federal agencies. FedRAMP was based based on security controls from the National Institute of Standards and Technology (NIST). So, when NIST frameworks change, there’s a ripple effect through the FedRAMP ecosystem.This underscores the importance of understanding where data resides and how it’s governed. We must classify data not only by sensitivity, but by geographic location. Equally important is the metadata that describes systems and datasets. This lets organizations recover infrastructure accurately and efficiently when disruptions occur.Besides regulatory pressure, there’s also impact from the insurance industry. It’s about the adage of “follow the money.” Insurers have strong financial incentives to accurately evaluate risk exposure, and as cyber incidents grow more frequent and costly, they become far more rigorous in how they assess an organization’s resilience posture.Today, organizations increasingly find it more difficult to obtain insurance coverage unless there are strong recovery capabilities. Insurers will ask questions like:Can the company actually restore critical systems?How long will recovery take?Are backup systems regularly tested and validated?Are backups protected against tampering or ransomware through techniques such as immutability?We also have to consider whether a company has already been compromised without realizing it. From an insurer’s perspective, this creates the risk of a pre-existing condition that could quickly translate into a costly claim.With the average cost of a data breach reaching $4.44 million in 2025, insurers have every incentive to tighten requirements. Organizations that cannot demonstrate recovery readiness may find themselves uninsurable or facing premiums that make the cost of proper resilience investment look modest by comparison.The path forwardWhile governments often move slowly, they do eventually catch up. When regulatory frameworks tighten, organizations that have treated compliance as a static checklist may find themselves exposed. Regulators have the authority to impose heavy penalties for noncompliance, and the financial and reputational consequences are often severe. Preparing now costs less money than scrambling to meet new mandates later.Moving forward, organizations need to shift toward a more operational and interactive approach to compliance. Ultimately, resilience may become the “last mile” of compliance—the point where policies and controls translate into real operational capability.When done right, it transforms regulatory obligations into something far more valuable: the ability to restore operations quickly, maintain trust, and keep the business running even when disruptions occur.Chris Mierzwa, senior director, global resilience programs, CommvaultSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



