Regulatory analysis, practical risk guidance, and commercial decision support across DORA, NIS2, Cyber Essentials, M&A due diligence, cyber insurance, and board accountability. No vendor marketing. Written by practitioners.
Detailed analysis of DORA, NIS2, and Cyber Essentials identity obligations — with specific article references, evidence requirements, and readiness checklists. Written for compliance officers, CISOs, and legal teams.
Articles 5, 9, and 17 create specific obligations for privileged access, MFA, service account governance, and audit evidence. What supervisors are checking in the first enforcement cycle.
Article 21 explicitly mandates MFA, least privilege, and access control governance. Fines reach €10M or 2% of global turnover. What the directive requires and how UK organisations with EU market exposure are affected.
Read Pillar ArticleUser access control (Requirement 4) and MFA for cloud services are the most common Cyber Essentials Plus failure points. What assessors test, where organisations fail, and how to prepare — particularly relevant for NHS, councils, and central government suppliers.
Read ArticlePractical guidance for specific business decisions — cyber insurance renewals, M&A transactions, and board reporting. Each article covers a concrete scenario and what identity evidence is required.
Underwriting questionnaires now ask for percentages, evidence, and exception registers — not policy documents. Exactly what underwriters expect and what happens when you cannot answer.
Read ArticlePrivilege inheritance, trust relationship complexity, directory consolidation cost, non-human identity sprawl, and regulatory gaps — the five issues that consistently surface after deals close.
Read ArticleUnder DORA and NIS2, directors are accountable for access controls. The five questions that establish whether your board has the information it needs — and what good answers look like.
Read ArticleArticle 5 makes the management body directly responsible for ICT risk management. What "sufficient knowledge" of identity risk means in practice, and what questions DORA supervisors are asking boards.
Read ArticleLonger perspectives on the direction of identity security — where the profession is heading, what most organisations are still getting wrong, and why.
As AI systems take on more security decision-making, the accountability question becomes urgent — and the answer is not straightforward.
Read ArticleThe difference between security that works and security that can be demonstrated to an auditor — and why the distinction matters more than most practitioners acknowledge.
Read ArticleThe identity recovery phase that most IR frameworks miss — and why it matters for compliance and recurrence prevention under DORA and NIS2.
Read ArticlePractical reference documents for security teams, board packs, and pre-assessment preparation. Each maps to a specific regulatory requirement or commercial decision.
The questions underwriters ask about MFA, privileged access, logging, and recovery — with what good evidence looks like for each.
View Service10 items mapped to Articles 5, 9, and 17 — with what evidence a DORA supervisor expects for each control.
Read Article5 questions every board should receive answers to, and what adequate vs inadequate answers look like under DORA.
Read ArticleThe 5 identity risk areas to assess before transaction close — including what answers raise red flags for deal teams.
Read ArticleOfficial advisories from NCSC, ENISA, CERT-EU, Europol, Action Fraud, BSI, CERT-FR, and NCSC-NL — aggregated automatically, direct from government sources. Updated every page load.
View Live Intelligence FeedThese articles cover common scenarios — but every organisation's situation is different. A scoping call takes 30 minutes and is free.