As the digital ecosystem expands exponentially and cybercriminals seek to exploit security holes within it, regulators continue to apply pressure on businesses to develop comprehensive cyber risk strategies and are holding them accountable when things go wrong.

Recognising that cyber threats are multi-faceted and global in nature, regulators are taking a more uniform approach to cyber risk compliance. A clear example is the European Union’s Digital Operational Resilience Act (DORA), which holds financial entities and their critical ICT providers across the bloc to a common set of cybersecurity and resilience rules.

International cooperation on cyber resilience, particularly in areas such as artificial intelligence (AI), is also growing. For instance, in September 2024, Britain, the US, and Canada announced plans to collaborate on cybersecurity and AI research.

Due to the rise of converged cyber regulations, businesses across all industries are now expected to develop, enforce, and regularly assess comprehensive IT risk controls and policies. Cyber experts warn that these can no longer be a single, tick-box exercise.

A Converged Approach To Cyber Resilience

A rapid increase in sophisticated cyber threats and a growing dependency on digital technologies by businesses are prompting global regulators to align on core areas, such as data protection, cyber resilience, and risk management, according to Anu Kapil, senior product manager at American IT security firm Qualys.

She argues that by taking a unified approach to privacy, cybersecurity and AI regulations, regulators benefit from streamlined oversight and the enforcement of cross-border accountability. Meanwhile, businesses can use a standard set of frameworks for centralised compliance.

Echoing similar thoughts, Sam Peters, Chief Product Officer of ISMS.online, notes that regulators worldwide are increasingly collaborating on cross-domain cyber regulations in response to the proliferation of complex digital threats, geopolitical challenges, and growing user expectations for accountability.

In doing so, Peters says regulators hope to break down the silos that currently exist between cybersecurity, data privacy and AI regulation. These silos make it harder for organisations to spot and mitigate cyber threats.

But by eliminating those silos, fostering more consistent IT regulations and leaning on existing risk standards like ISO 27001, he believes regulators can help accelerate cross-sector innovation and decrease cyber risks.

Not Enough Is Being Done

Although regulations and standards like NIS2, DORA and ISO 27001 have become more aligned in recent times, Mark Weir, regional director for UK and Ireland at cybersecurity solutions provider Check Point Software, suggests there’s still some way to go before they become truly “consistent” and “comprehensive” on a global scale.

In particular, he says a lack of formalised artificial intelligence guidelines and governance makes it harder for organisations to use this technology appropriately. For instance, artists are concerned that AI could infringe upon their copyrights unless the technology is appropriately regulated.

But regulators aren’t the only ones to blame. Even though government agencies like the UK’s National Cyber Security Centre are warning of the growing risk of cyber threats and issuing guidance to counter them, Weir says many organisations are failing to put it into practice. He’s particularly concerned about the lack of cyber simulations and rehearsals in corporate cyber resilience plans.

He tells ISMS.online: “Without proactive planning and regular testing, the likelihood of a successful recovery from a cyberattack diminishes significantly, often resulting in service outages, data loss, and erosion of customer trust.”

What Converged Cyber Regulations Mean For Businesses

What’s clear is that as new industry regulations emerge and existing policies converge, businesses have no choice but to take their regulatory obligations seriously. For Peters, this means implementing sufficient IT risk controls, governing them robustly and being accountable when things go wrong.

With cyber and AI threats emerging rapidly, he says businesses can’t afford to treat compliance like a “one-off checklist”. Instead, they must develop a culture of continuous improvement to ensure their cyber resilience plans are truly effective.

Peters says businesses that treat cyber resilience as a “strategic” and “ongoing” exercise throughout all departments will be the most successful. He explains: “Those who get it right gain a competitive advantage: faster market entry, stronger customer trust, and reduced exposure to regulatory fines or reputational damage.”

Kapil agrees that, in light of converged cyber regulations, organisations will set themselves up for failure by not approaching compliance continuously. She encourages businesses to establish adaptable cybersecurity policies, regularly monitor them, and be prepared to respond to impromptu audit requests from regulators.

She tells ISMS.online: “To do this effectively, companies can automate evidence collection, assess control gaps proactively, and stay aligned with evolving regulations across multiple domains.”

Taking A Smarter And Integrated Cyber Resilience Approach

When it comes to responding to increased regulatory demands for converged cyber compliance and strengthening their cyber defences, Peters urges businesses to replace manual and fragmented compliance approaches with one that is smarter and more integrated.

In practice, Peters says this means centralising risk, compliance and governance into one environment that can be scaled easily, takes into account existing and emerging industry regulations, and provides insight into risk across different areas of the business.

One way of doing this, according to Peters, is to implement an information security management system (ISMS) that adheres to the requirements of a recognised standard such as ISO 27001. He explains that such standards are internationally recognised and designed to facilitate cross-border cyber compliance in a structured and adaptable manner.

“By adopting ISO 27001 as a foundation, businesses gain a systematic way to identify, assess, and mitigate risks and crucially, its structure supports the inclusion of additional frameworks, whether for privacy, AI ethics, resilience, or sector-specific mandates,” says Peters.

He adds that after adopting an ISMS platform, businesses can integrate the requirements of other frameworks, such as ISO 22301 for business continuity or ISO 42001 for AI management, into their wider compliance efforts. He adds: “This simplifies management and makes it easier to demonstrate compliance across multiple standards and regions.”

Like Peters, Kapil warns businesses against handling different IT and cyber regulations separately, as doing so creates “inefficient and risky” silos. She favours a centralised approach in which companies develop cross-department policies aligned with frameworks and regulations like NIST, ISO and the GDPR.

Given that regulatory obligations are constantly evolving, she emphasises the importance of continuously monitoring policies, a task that can be streamlined using automation tools. She adds: “With an integrated policy audit approach, they can reduce manual work, improve accuracy, and align risk and compliance efforts under one platform.”

The Future Of Cyber Regulations

Looking ahead, Kapil expects regulations to become even more stringent in the face of a rapidly expanding and increasingly aggressive cyber threat landscape. She believes businesses will come under growing pressure to prove they are tackling these risks continuously and in real time through an integrated cyber risk strategy. Starting now will help them become “more agile, audit-ready, and better protected against regulatory and cyber risks”, she adds.

Alan Jones, CEO and co-founder of secure communications provider YEO Messaging, agrees that the future of cyber risk compliance will be more integrated. He expects to see more businesses adopt this trend by authenticating users in real-time and implementing zero-trust architectures.

As more organisations develop, implement, and use AI systems, Satish Swargam, principal consultant for DevSecOps and secure development at application security firm Black Duck, predicts that future cybersecurity regulations and compliance policies will be designed around this technology.

Not only will industry regulations aim to mitigate the threats posed by AI models, but the models themselves could also streamline cybersecurity compliance. In fact, Swargam says AI has the power to “address security risks with the right context”.

Businesses benefit greatly from emerging technologies like AI; however, they also face significant ethical and cybersecurity risks that are growing in scale and sophistication. Because of this, businesses must assess these risks accordingly in a bid to protect their employees, customers and, indeed, their reputations. And doing so will keep regulators happy.