The State of Compliance 2026: A CISO's Guide to SOC 2, ISO 27001, NIS2, DORA and Cyber Insurance
The state of compliance in 2026: SOC 2, ISO 27001, NIS2, DORA, EU AI Act, cyber insurance. Where each framework stands and what CISOs should prioritise.
Compliance
SOC 2, ISO 27001, NIS2, DORA, HIPAA, and the cyber insurance market that sits on top of them.
We compare Vanta, Drata and Secureframe for SOC 2 Type II in 2026 — real 2026 pricing, honest weaknesses of each platform, and which one fits which buyer. Independent analysis.
A practical NIS2 compliance checklist for UK and EU businesses in 2026. Scope, Article 21's ten measures, incident reporting timelines, management liability, and the UK parallel regime most guides miss.
DORA is in supervision mode. Here's what Register of Information submissions revealed, what TLPT actually requires, and the third-party risk gaps regulators are finding.
SOC 2: Type I and Type II implementation, platform comparisons, auditor preparation. SOC 2 is table stakes for B2B SaaS — the work is in doing it without wasting six months.
ISO 27001: ISO 27001:2022 transition, Annex A control mapping, certification strategy for organisations that need internationally recognised assurance rather than US-centric SOC 2.
NIS2: Article 21 measures, scoping decisions, and enforcement posture across the EU and the parallel UK Cyber Security and Resilience Bill regime.
DORA: The Digital Operational Resilience Act for financial services — ICT risk management, third-party registers, and the supervisory posture now that dry-runs are over.
HIPAA: Security Rule implementation for covered entities and business associates — where HIPAA ends, where SOC 2 begins, and where the new 2026 enforcement posture actually bites.
PCI-DSS: PCI-DSS 4.0 customised approach, in-scope boundary discipline, and whether tokenisation actually gets you out of scope.
CMMC: CMMC 2.0 levels, DFARS interplay, and the realistic path for defence industrial base suppliers that do not have dedicated compliance headcount.
AI Governance: EU AI Act, NIST AI RMF, ISO 42001, and the compliance obligations that sit above the security controls in the AI Security category.
Cyber Insurance: The underwriting requirements that have made insurers the most effective compliance enforcement body in the Western economy — pricing, exclusions, and what insurers actually check.
Third-Party Risk: TPRM programmes that actually reduce supplier incident exposure rather than generate questionnaire throughput.
The EU AI Act applies in phases through 2026 and 2027. A phase-by-phase compliance guide for security teams: risk classification, documentation, post-market monitoring and Digital Omnibus implications.
A practical breakdown of NIS2 Article 21's 10 cybersecurity measures. What the directive actually requires, how it maps to ISO 27001:2022, and how to evidence compliance.
Third-party breaches nearly quadrupled since 2020. After Salesloft/Drift and Snowflake, a practical TPRM framework for 2026: questionnaires, continuous monitoring, OAuth hardening.
HIPAA Security Rule compliance for 2026: technical safeguards, breach notification timelines, the May 2026 NPRM, and why healthcare remains the most-targeted ransomware vertical.
The ISO 27001:2022 transition deadline has passed but many organisations are mid-migration. A practical guide to the new Annex A controls and what recertification now requires.
Compliance in 2026 has crossed a threshold that most CISOs feel but few will name. The frameworks are no longer the destination — they are the price of entry. SOC 2 has become expected rather than differentiating. ISO 27001:2022 has completed its messy transition. NIS2 is enforceable across the EU. DORA has moved from dry-run to active supervision. The EU AI Act is entering its most consequential phase. And cyber insurers have quietly become the most effective compliance enforcement body in the Western economy.
This is the category where the site’s commercial commitment matters most. Our comparison articles on SOC 2 platforms, cyber insurance carriers, third-party risk tooling, and compliance automation contain no affiliate links to the vendors compared. The advertiser pool for this category is the largest and highest-CPC on the site — which is exactly why we decline the affiliate revenue. It would directly shape the advice.
What you will find here, in descending order of commercial stakes: platform comparisons (Vanta vs Drata vs Secureframe; cyber insurance carrier analysis; TPRM tool benchmarks); regulatory checklists that take clear positions on what matters and what is noise (NIS2 Article 21 ten measures, DORA ICT risk management, HIPAA 2026 enforcement posture); implementation guides for the work the platforms will not do for you (policy writing, access reviews, scoping decisions); and cyber insurance coverage that treats the market as the enforcement layer it has become.
A few editorial positions that shape the coverage in this category, stated plainly:
Compliance platforms are monitoring and evidence-collection layers, not programme replacements. Roughly 80% of what a SOC 2 programme needs is automated. The other 20% — policy design, control implementation, access reviews, remediation — is the work that determines whether you pass. The platforms all know this. The salespeople do not always say it.
Scope discipline is the single highest-leverage compliance decision an organisation makes. Every in-scope system is a system you have to monitor, audit, remediate, and re-scope every year. Buyers who define tight scope pay less, finish sooner, and end up with defensible programmes. Buyers who define loose scope fund consultants in perpetuity.
Multi-framework programmes are cheaper per-framework than single-framework programmes, but only if you implement the controls once and map them to every framework that needs them. Running parallel programmes per framework is the single most common waste we see.
Cyber insurers have quietly become the real compliance authority. They require MFA, immutable backups, EDR coverage, identity governance, and incident response readiness — often with more specificity and more consequences than the compliance frameworks that nominally regulate the same organisations. A CISO who meets their insurer’s requirements generally meets SOC 2 and ISO 27001 as a side effect. The reverse is not reliably true.
Regulatory deadlines are real, and the dates themselves sometimes matter more than the penalties for missing them. NIS2 is enforceable now. DORA supervision has moved from dry-run to active. The EU AI Act enters its most consequential phase in August 2026. We flag the dates that should appear on your planning calendar, and we are specific about which organisations each date applies to — because most of the “NIS2 compliance” coverage on the internet gets the UK position wrong and the scoping rules wrong.
Each sub-category below has its own set of articles. The anchor pieces are the platform comparisons and the regulatory implementation guides — those carry the highest reader value and the highest editorial stakes, and they are the articles we most stubbornly refuse to compromise on. The category also feeds the annual State of Compliance hub, which is our pillar synthesis of where each framework stands heading into the year.
If you are starting a compliance programme from scratch and want to understand where to focus, the SOC 2 comparison and the cyber insurance requirements article together cover roughly 80% of what most growth-stage B2B SaaS buyers need. If you operate in the EU or UK, add NIS2 — or DORA if you are in scope for financial services. Everything else is sequenced downstream of those three decisions.