Management stress

The rules you hate might save your business

More than half of Irish companies lack dedicated compliance staff, yet cite regulation as their biggest burden. They're right to worry - but for the wrong reasons, says Jason Walsh
Image: Yan Krukau via Pexels

7 November 2025

Datapanic is nothing new: even as far back as the 1990s, security vendors routinely exaggerated the threat level in order to sell products. In fact, the paranoia dates to the early days of personal computing – as, indeed, do security breaches.

Famously, Prince Philip’s Prestel e-mail inbox was breached, and, in 1983, the BBC’s Micro Live programme, part of the British government’s Computer Literacy Project, was hacked live on air during a demonstration of how electronic messaging worked (frankly, there could be no better demonstration). 

As the years passed, nuisance viruses did corrupt data on PCs, Macs and even venerable home computers such as the Commodore Amiga.


Still, in most cases, the damage was limited. Most of the time, it just didn’t matter. With the exception of organisations using mainframes – principally financial institutions, mega corporations and governments – few businesses were truly ‘computerised’. And even those that were partially ‘digital’, say doing payroll runs, were using machines that weren’t connected to the outside world.

This is the crucial difference today. The old saying (well, new saying, really) that ‘every business is a technology business’ is a wild exaggeration, but it contains an important kernel of truth: we’re all connected. Hence not only the rise in breaches, but the blizzard of regulations organisations now face.

Compliance is annoying, no doubt, and it can be a real impediment to even starting a business – something that is taken advantage of by entrenched outfits who can throw staff and money at it in a way small companies can rarely afford. 

It is not all for nothing, however.

Almost two thirds (63%) of Irish businesses expect their compliance burden to worsen over the next year. Four in 10 say regulators aren’t giving them enough support. And more than half have no dedicated compliance officer – even as they rank regulatory demands as their single biggest operational headache.

A recent CRIFVision-Net survey of 550 companies found that more than half lack a dedicated GDPR compliance role, yet view data protection as their largest regulatory burden. 

Now, as the Digital Operational Resilience Act (DORA), NIS 2, and the EU AI Act layer themselves atop existing obligations, businesses face an uncomfortable question: is compliance a cost to be minimised, or an investment that could determine survival?

The grumbling is understandable. Compliance is expensive, time-consuming, and seems to multiply with each passing year. For small outfits in particular, keeping pace with verification processes, reporting requirements, and overlapping jurisdictional demands stretches already-thin resources to breaking point. When you’re trying to run a business, the paperwork can be overwhelming.

The frustration intensifies when businesses discover that different regulations often require similar information in different formats, reported to different regulators.

The hidden value

And yet, for all its frustrations, compliance is fundamentally a good thing. Not in some abstract, civic-minded sense, but in hard commercial terms that should matter to every board.

In an era where data breaches cost an average of €3.78 million and can halt production for months, demonstrating robust controls is a sign of competitive advantage. 

Customers, partners, and investors increasingly demand proof of compliance before signing contracts. Procurement processes now routinely require ISO 27001 certification, evidence of GDPR compliance, and assurances around NIS 2 readiness.

Compliance frameworks provide structure that many businesses desperately need but wouldn’t build themselves. GDPR, whatever its irritations, forces organisations to understand what data they hold, where it lives, and who can access it. 

Likewise, NIS 2, DORA and the AI Act aren’t regulatory make-work schemes; they are basic operational regimes that too many companies neglected until compelled. Left to their own devices, many would simply hope nothing goes wrong.

Third, the costs of non-compliance dwarf the costs of compliance. Fines under the AI Act can reach 70% of global income. GDPR penalties run into tens of millions and typically drive share prices down and damage customer trust. The direct fines are painful; the indirect costs are catastrophic.

A company that suffers a preventable breach because it couldn’t be bothered with compliance doesn’t just get fined – it loses customers and credibility that may never fully return.

Businesses do have legitimate frustrations. Regulators could do more to harmonise regulations, provide clearer guidance, and simplify oversight that is currently scattered across multiple different regulators.

But the solution isn’t to rail against compliance or treat it as an add-on to ‘real’ business. Despite concern about bureaucratic overhead, it really is no different to, say, accounting or HR. It’s the framework that keeps you operational when threat actors come calling – and they will come calling.
