The Compliance Dilemma

The keyword these days seems to be resilience. With the balance of power turning in favor of those willing to protect their (digital) sovereignty, states are firmly set in their quest to protect their most critical assets — such as manufacturing, energy systems, healthcare services and more.

A part of these efforts is to mandate businesses in these areas to take their cybersecurity a lot more seriously, with proper risk management practices and sound security strategies, or else they'd face legal repercussions and fines for noncompliance.

However, the complexity of these regulations worries organizations, which find that they may have neither the time nor the right resources to comply.

Key Takeaways

- A growing number of companies report troubles following various compliance requirements, such as those for cybersecurity, citing them as a complex business issue.
- This is especially true for critical sectors like energy, manufacturing, professional services, and finance, which face the harshest regulations like NIS2 or DORA and are wary of buckling under the pressure.
- The reality is that cybersecurity regulations are mandated to raise digital resilience across the board, protecting key industries from the ever more malicious threat landscape.
- Compliance is only as difficult as the effort a firm puts in. Focusing on step-by-step prevention can be the key to overcoming compliance difficulties.

Critically Vulnerable Sectors

As a business grows, its operations become more complex, which can seem daunting to leadership. Based on the MetLife and U.S. Chamber of Commerce Small Business Index for Q4 2025, 37% of the surveyed firms reported compliance as a growing issue.

In the Q4 2024 issue of the report, businesses based in the manufacturing (51%) and professional services (57%) sectors said they were impacted the most.

Why These Sectors?

Manufacturing is in the news often, as some states would like to retain and protect this critical sector, since it is directly responsible for keeping a large portion of the national economy, workforce and other industries alive (medical devices, aerospace, chemicals, IT hardware).

As for professional services, when a firm cannot provide a particular service in-house, contracting an external partner (like accounting, legal services, research, or engineering) might be the best way to achieve a specific goal.

This, however, is also where their vulnerability lies. Such relationships often require sharing sensitive data, opening access to internal networks, or the provision of key components in a firm's digital supply chain.

The Supply Chain Problem

Recently, a major U.S. developer of business solutions suffered a data compromise in a rather roundabout way, through one of its former payroll partners. An attack by the El Dorado ransomware group hit a partner of that payroll company, leading to the theft of customer information.

Similarly, multiple UK-based companies were breached through their payroll provider, whose MOVEit file transfer software was exploited by the Cl0p ransomware gang via the now infamous vulnerability, costing them sensitive employee data.

In essence, these can be called second-tier supply-chain attacks — caused by a weak link in one firm's supply chain compromising another.

Continuing with more examples from the UK, major automotive manufacturing, retail and legal firms have been targeted by groups like Scattered Spider exploiting their supply-chain partners, resulting in losses numbering in the billions of pounds.

While larger businesses could, with some help, weather such attacks, others like a 158-year-old UK trucking company couldn't — all it took was a single guessed password for the company to fold.

What's Difficult About Compliance?

Let's get down to brass tacks — compliance exists to establish certain standards across the board, leveraging governmental guidance to more easily achieve higher resilience. Without said guidance, firms would probably act according to their individual risk assessments, based on the industry they're in, the resources they must protect, and the available budget to work with.

That is all quite logical. You spend where the spending is called for. A firewall is only as effective as the software and protocols it's built upon, after all.

Moreover, businesses don't want to overcomplicate their bureaucracy. It takes time away from the daily agenda unless it's useful for revenue generation. By adding compliance tasks on top of their duties, they might find themselves overwhelmed, especially smaller firms, which might not have the internal resources to fully handle such tasks.

Weaponization of Disclosure

The above hasn't escaped threat actors' notice, either. There have been reports of attackers using compliance obligations as an extortion lever, forcing firms to do their bidding lest the attackers report them to the authorities. Ransomware groups like BlackCat are known for filing formal SEC complaints to pressure victims into paying the ransom.

Regulating for Prevention

The reason why regulations focus on resilience is simple — remediation is a fool's errand. This might sound controversial, but partners won't take a business seriously after it has suffered a major cyber incident. Having one's sensitive info out there on the dark web is a great recipe for a future cyber disaster.

Perhaps then, following a prevention-first approach can ameliorate the growing burden of security compliance, setting an internal preventive strategy that works to satisfy both the regulators and a firm's operational/resource demands.

As an example, procuring a combined product like ESET PROTECT MDR can satisfy multiple regulatory demands at once, with the ESET PROTECT Platform's diverse solutions filling in gaps related to vulnerability and patch management, full disk encryption, ransomware remediation, and more.

The stars of the package are ESET MDR Service and ESET Premium Support, adding a human element into the mix and upping the ante to solve sophisticated security challenges in around 6 minutes per incident — a task that usually takes firms months to accomplish.

Thus, whether we are discussing acts such as the GDPR, NIS2, or DORA in the EU, or HIPAA and the CCPA in the US, all of them would be satisfied thanks to a full product-plus-service offer aimed at fully preventing any potential incident.

Prioritizing Security

Regulatory bodies aren't keen on pushing firms around just for the sake of it; they understand that to create a more secure environment, they must shepherd the private sector themselves. Otherwise, states would end up with unfinished lines of defense, endangering not only their critical sectors, but also the lives of their citizens.

TL;DR

- Compliance is both a growing burden and an opportunity to strengthen cybersecurity resilience
- Critical sectors (manufacturing, professional services, finance, energy) face the harshest regulations but also the greatest supply chain risks
- Second-tier supply chain attacks are increasingly common, with devastating consequences for unprepared organizations
- Prevention-first approaches, including comprehensive MDR solutions, can satisfy regulatory requirements while reducing operational complexity
- Regulatory bodies aim to create stronger defense lines across critical sectors, not just impose bureaucratic burdens

Source: ESET Blog: Buried in rules: How to stay ahead of compliance