Scattered compliance projects? Start with sustainable risk and compliance management

This is part 1 of a three-part blog series on sustainable compliance in the Digital Decade era. In this first part, I lay the foundation: how do you translate the growing stack of legislation and associated standards into a sustainable and workable framework? In part 2, you will discover how to keep this framework alive like a Tamagotchi. In part 3, we dive into the tooling question.

The regulatory maze: does this sound familiar?

GDPR, NIS2, DORA, the AI Act, the Data Act, the Cybersecurity Act, CSRD, CSDDD… And that is without even mentioning sector-specific standards such as NEN 7510 for healthcare or the General Security Requirements for Central Government Contracts (ABRO). Do you recognise the feeling that you can no longer see the avalanche because of the snow?

You are not alone. Whether you work in healthcare, at a legal services provider, an SME, or a government organisation, the amount of legislation and regulation is growing exponentially. And it is not just increasing in volume, it is also becoming more complex. Laws overlap, refer to one another, and sometimes impose slightly different requirements on the same processes. Add to that the extra wave of standards that attempt to provide clarification but instead introduce yet another dimension.

The reflex is understandable: a separate project for each law, its own spreadsheet, a new folder in SharePoint. But honestly? That is a recipe for duplication, inconsistency and, when the auditor or regulator eventually arrives, stress.

There is a better way.

The foundation: an integrated control framework

The key to manageable and sustainable compliance lies in an integrated risk and control framework. Not a separate management system for every law, but one modular framework in which requirements (legal, regulatory, standards and contractual), risks and control measures are intelligently linked.

The core principle is simple but powerful: many-to-many relationships.

  • Inventory the applicable laws, standards and other (contractual) requirements. These provide input both for identifying and assessing risks and for defining control measures.

  • The risks identified by the organisation are individually mitigated by one or more control measures.

  • Each control measure can be traced back to one or more risks and requirements.

  • Make the framework complete by explaining why you deviate from a requirement or accept a risk.

Consider well-structured access management. It helps you comply with the GDPR (only authorised access to personal data), with NIS2 (security measures for network and information systems), with ISO 27001 (A.9 Access Control), and with your own business risks relating to data breaches.

The reverse is also true. The GDPR requirement for “appropriate technical and organisational measures” calls for a combination of access management, encryption, awareness training and incident procedures.

Why is this so valuable?

This many-to-many structure offers three concrete advantages:

  1. Impact analysis when controls fail. If a control measure does not function properly, you immediately see which legal obligations, certifications and business risks are affected. No surprises during an audit.

  2. Rapid impact analysis when legislation changes, new legislation appears or contracts with new requirements are signed. When a new law or requirement arrives, you map its requirements to existing risks and controls. You immediately see where you already comply and where gaps remain.

  3. Efficient expansion. Adding new standards (such as ISO 42001 for AI management systems) becomes a matter of mapping rather than starting from scratch.
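The three advantages above are, in practice, queries over a register in which requirements, risks and controls are linked many-to-many. The Python below is an added illustration of such a register, not code from this post or from any GRC tool; every identifier in it (GDPR-32, NIS2-21, R-breach, C-access and so on) is constructed for the example and is not a real or complete mapping. It shows the two operations the text describes: what is left uncovered when one control fails, and which requirements of a newly added law have neither a control nor a documented deviation.

```python
from collections import defaultdict


class ControlFramework:
    """Requirements, risks and controls linked many-to-many (added example, not from the post)."""

    def __init__(self):
        self.requirements = {}                    # id -> description
        self.risks = {}                           # id -> description
        self.controls = {}                        # id -> description
        self.risk_reqs = defaultdict(set)         # risk -> requirements it stems from
        self.control_risks = defaultdict(set)     # control -> risks it mitigates
        self.control_reqs = defaultdict(set)      # control -> requirements it satisfies directly
        self.deviations = {}                      # requirement id -> documented rationale

    def add_requirement(self, rid, text, risks=(), controls=()):
        """Inventory a legal, standard or contractual requirement and map it onto
        existing risks and controls. The same call onboards a new law later on."""
        self.requirements[rid] = text
        for risk in risks:
            self.risk_reqs[risk].add(rid)
        for ctrl in controls:
            self.control_reqs[ctrl].add(rid)

    def add_risk(self, risk_id, text, requirements=()):
        self.risks[risk_id] = text
        self.risk_reqs[risk_id].update(requirements)

    def add_control(self, cid, text, risks=(), requirements=()):
        self.controls[cid] = text
        self.control_risks[cid].update(risks)
        self.control_reqs[cid].update(requirements)

    def accept_deviation(self, rid, rationale):
        """A requirement you knowingly do not meet gets a written rationale, not a silent gap."""
        self.deviations[rid] = rationale

    def requirements_of_control(self, cid):
        """Trace a control back: its direct requirements plus those behind the risks it mitigates."""
        reqs = set(self.control_reqs[cid])
        for risk in self.control_risks[cid]:
            reqs |= self.risk_reqs[risk]
        return reqs

    def controls_for_requirement(self, rid):
        return {c for c in self.controls if rid in self.requirements_of_control(c)}

    def impact_of_failed_control(self, cid):
        """Advantage 1: risks and requirements whose only cover was this control."""
        others = set(self.controls) - {cid}
        risks_now_unmitigated = {
            r for r in self.control_risks[cid]
            if not any(r in self.control_risks[o] for o in others)
        }
        reqs_now_uncovered = {
            r for r in self.requirements_of_control(cid)
            if not (self.controls_for_requirement(r) & others) and r not in self.deviations
        }
        return sorted(risks_now_unmitigated), sorted(reqs_now_uncovered)

    def gaps(self):
        """Advantages 2 and 3: requirements with neither a control nor a documented deviation."""
        return sorted(
            r for r in self.requirements
            if not self.controls_for_requirement(r) and r not in self.deviations
        )


def build_sample_framework():
    """Constructed sample register; identifiers are illustrative, not a real mapping."""
    fw = ControlFramework()
    fw.add_requirement("GDPR-32", "appropriate technical and organisational measures")
    fw.add_requirement("NIS2-21", "security measures for network and information systems")
    fw.add_requirement("ISO27001-A9", "access control")
    fw.add_risk("R-breach", "data breach via unauthorised access", requirements={"GDPR-32", "NIS2-21"})
    fw.add_risk("R-phish", "credentials lost to phishing", requirements={"GDPR-32"})
    fw.add_control("C-access", "access management", risks={"R-breach"}, requirements={"ISO27001-A9"})
    fw.add_control("C-encrypt", "encryption at rest", risks={"R-breach"})
    fw.add_control("C-aware", "awareness training", risks={"R-phish"})
    return fw


if __name__ == "__main__":
    fw = build_sample_framework()
    print("C-access fails ->", fw.impact_of_failed_control("C-access"))
    # A new law arrives: map its requirements onto what exists, then read off the gaps.
    fw.add_requirement("AIACT-9", "risk management system for high-risk AI")
    fw.add_requirement("AIACT-15", "accuracy, robustness and cybersecurity",
                       controls={"C-access", "C-encrypt"})
    print("gaps ->", fw.gaps())
    fw.accept_deviation("AIACT-9", "no high-risk AI system in scope; reassess at next review")
    print("gaps after documented deviation ->", fw.gaps())
```

In the sample register, losing access management does not leave the breach risk unmitigated (encryption still covers it) but does leave the ISO 27001 access-control requirement without any control, which is exactly the audit surprise the text warns about. Onboarding the constructed AI Act entries shows the other direction: one requirement is already covered by existing controls and the other is a gap until it is either controlled or documented as an accepted deviation.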

Demonstrability: from “we do it” to “we prove it”

A control framework is only complete if you can demonstrate that your measures actually work. This is no longer a nice-to-have but a hard requirement. And you do not do this only for your own organisation and management.

  • For auditors and certification bodies: whether you pursue ISO 27001 certification, NEN 7510 certification or soon ISO 42001 for AI, without demonstrable compliance there is no certificate, or obtaining one costs more than it is worth.

  • For regulators: authorities such as the Dutch Data Protection Authority (AP), the Netherlands Authority for Consumers and Markets (ACM), the Netherlands Authority for the Financial Markets (AFM), the Health and Youth Care Inspectorate (IGJ) and the Dutch Authority for Digital Infrastructure (RDI) want to see proof that your controls work, proactively and reactively.

  • For your clients: your business clients increasingly demand demonstrability. They themselves must comply with CSRD, CSDDD, NIS2 or DORA and are required to assess their supply chains. If you cannot demonstrate that your security and compliance are in order, you will not pass supplier selection processes or you risk losing existing clients.

Not a banking system, but still serious

I started this blog with the promise of a pragmatic approach. No over-engineering such as you often see in the financial sector, where compliance departments can sometimes be larger than the business units they support.

But pragmatic does not mean optional. It means:

  • Focus on what matters. Risk-based working means investing your time and resources in the controls that address the greatest risks, not in ticking every checkbox.

  • Governance that fits your organisation. An SME does not need a three-lines-of-defence model with dozens of full-time equivalents. But you do need clear agreements on who does what.

  • Demonstrability that works. Not a folder structure where no one can find anything anymore, but a system in which you can locate proof that a control works within five minutes.

The goal is a framework that gives management confidence and insight, convinces auditors and clients, and does not paralyse the organisation.

The next step: keeping the framework alive

A well-designed framework on paper is only the beginning. The real challenge lies in maintenance. How do you ensure that your framework evolves alongside new legislation, changing risks and the growth of your organisation?

In part 2 of this series, I will explore the PDCA cycle as the engine for lasting compliance. How do you plan your activities? How do you monitor the effectiveness of your controls? How do you report to management? And how do you prevent your framework from gradually ageing into a dusty document that no one opens anymore?

Would you like to know where your organisation stands and which risks deserve priority? We offer the Digital Decade Roadmap to provide insight into the applicability of legislation and your current compliance level, a clear first step before regulators or auditors do it for you.
