Disciplined security. Trusted AI. Confident oversight.

NIS2 is now embedded in EU national laws with uneven transposition, direct senior management liability and a first wave of supervision focused on governance, risk management and incident handling for essential and important entities.

• Why it matters Health, digital infrastructure, finance, SaaS and managed services now face scrutiny of cyber governance and supply chain assurance, not only technical control lists.
• Action Confirm in scope entities and services by country, map NIS2 articles to existing ISO 27001, SOC 2 and DORA programs, define named accountable executives and rehearse reporting within 24 and 72 hours.
• For boards Ask for a single NIS2 exposure view with national nuances, a dated remediation plan and clarity on where external advisors are used for readiness, playbooks and training.
• Where we help Independent NIS2 readiness reviews, board workshops and cross standard mapping that converts legal text into an operating plan.

New EU procedural rules target faster, more consistent GDPR enforcement in large cross border cases, while regulators sharpen focus on AI use, consent, dark patterns and real world harm.

• Why it matters Large platforms and data intensive SaaS providers can expect tighter timelines, more coordinated investigations and higher expectations on documentation, AI transparency and user rights handling.
• Action Refresh records of processing, DPIAs and AI impact assessments, confirm routes for cross border complaints, align cookie and consent patterns with current guidance and rehearse regulator facing playbooks.
• For boards Request a concise view of top GDPR exposures by product and geography, recent regulator interactions and how AI is governed in practice rather than only in policy.
• Where we help GDPR and AI governance health checks, evidence packs that stand up to DPA review and practical playbooks for investigations and data subject requests at scale.

Public TLS certificate lifetimes are tracking toward roughly 45 to 47 days by 2027 to 2029, while exploited vulnerabilities on KEV lists remain a top initial access route in ransomware and data breach reports.

• Why it matters Manual certificate and patch processes become operationally impossible, turning basic hygiene into a resilience and reputation risk when outages or breaches surface in public.
• Action Inventory internet facing assets, automate certificate issuance and renewal, align patch SLAs with KEV and similar lists and feed metrics into risk dashboards instead of siloed ops reports.
• For boards Ask for clear numbers on unmanaged internet assets, certificate expiries and KEV age, plus an independent view of what an attacker sees from the outside.
• Where we help External attack surface reviews, automation patterns and board ready metrics that turn hygiene into a measurable resilience program.

Compromised OAuth tokens and SaaS to SaaS integrations between Gainsight, Salesforce and other cloud services allowed attackers to pull data from hundreds of tenants without breaching core platforms directly.

• Why it matters Customer success, marketing and analytics tools often hold privileged, lateral access into CRM, data warehouses and ticketing systems, yet sit outside traditional perimeter and vendor reviews.
• Action Map high privilege SaaS integrations, rotate tokens and keys, tighten scopes, implement anomaly detection on API usage and update vendor due diligence to cover integration posture and incident duties.
• For boards Request a clear narrative on exposure to this family of incidents, lessons learned and a forward plan for SaaS supply chain governance, including when external advisors are involved.
• Where we help SaaS integration risk assessments, playbooks for token compromise and advisory on vendor clauses that reflect modern cloud attack paths.

The number of active ransomware groups and data theft only operations continues to climb, with AI boosted phishing and exploitation turning smaller crews into outsized risks for healthcare, SaaS and critical services.

• Why it matters Double and triple extortion, regulatory reporting and business interruption now matter as much as decryption and backups, with executives personally involved in decisions under pressure.
• Action Validate backup and restore for critical paths, harden identity and remote access, align incident and ransom playbooks with legal, regulatory and insurance expectations and test them with realistic scenarios.
• For boards Ask when the last end to end ransomware exercise ran, what assumptions failed and which external specialists would be called at each stage of detection, containment and negotiation.
• Where we help Scenario design, tabletop exercises, purple team engagements and post incident reviews that drive accountable action rather than long reports.

Draft revisions of ISO 9001 and ISO 14001 are moving through the DIS and FDIS stages, with publication expected from 2026 and a likely three year transition window that will cascade into sector and integrated standards.

• Why it matters Quality and environmental management updates will influence how customers, regulators and investors assess leadership, culture, risk, climate and supply chain resilience alongside security and privacy.
• Action Identify which certifications rely on ISO 9001 and ISO 14001, track revision milestones, run a light gap analysis against draft themes and plan to align ISO, ESG and security programs instead of treating them separately.
• For boards Ask how upcoming ISO changes will affect customer expectations, audit scope and resource planning and how they will be harmonized with ISO 27001, 27701 and 42001 journeys.
• Where we help Cross framework roadmaps, integrated management system design and practical transition plans that reduce duplicate effort across quality, environment and security.