Regulatory analysis, practical risk guidance, and commercial decision support across DORA, NIS2, Cyber Essentials, M&A due diligence, cyber insurance, and board accountability. No vendor marketing. Written by practitioners.
Detailed analysis of DORA, NIS2, and Cyber Essentials identity obligations — with specific article references, evidence requirements, and readiness checklists. Written for compliance officers, CISOs, and legal teams.
Articles 5, 9, and 17 create specific obligations for privileged access, MFA, service account governance, and audit evidence. What supervisors are checking in the first enforcement cycle.
Article 21 explicitly mandates MFA, least privilege, and access control governance. Fines reach €10M or 2% of global turnover. What the directive requires and how UK organisations with EU market exposure are affected.
Read Pillar ArticleUser access control (Requirement 4) and MFA for cloud services are the most common Cyber Essentials Plus failure points. What assessors test, where organisations fail, and how to prepare — particularly relevant for NHS, councils, and central government suppliers.
Read ArticlePractical guidance for specific business decisions — cyber insurance renewals, M&A transactions, and board reporting. Each article covers a concrete scenario and what identity evidence is required.
Underwriting questionnaires now ask for percentages, evidence, and exception registers — not policy documents. Exactly what underwriters expect and what happens when you cannot answer.
Read ArticlePrivilege inheritance, trust relationship complexity, directory consolidation cost, non-human identity sprawl, and regulatory gaps — the five issues that consistently surface after deals close.
Read ArticleUnder DORA and NIS2, directors are accountable for access controls. The five questions that establish whether your board has the information it needs — and what good answers look like.
Read ArticleArticle 5 makes the management body directly responsible for ICT risk management. What "sufficient knowledge" of identity risk means in practice, and what questions DORA supervisors are asking boards.
Read ArticleLonger perspectives on the direction of identity security — where the profession is heading, what most organisations are still getting wrong, and why.
As AI systems take on more security decision-making, the accountability question becomes urgent — and the answer is not straightforward.
Read ArticleThe difference between security that works and security that can be demonstrated to an auditor — and why the distinction matters more than most practitioners acknowledge.
Read ArticleThe identity recovery phase that most IR frameworks miss — and why it matters for compliance and recurrence prevention under DORA and NIS2.
Read ArticlePractitioner-level analysis of Active Directory attacks, identity architecture, and access control patterns. Written for security engineers, IAM architects, and blue teams who need technical depth alongside regulatory context.
How Kerberoasting extracts service account credentials without elevated privileges, the Windows Event IDs that expose it, and the AD controls — gMSA, AES enforcement, SPN audit — that prevent it.
Read ArticleWhy service accounts are the most exploited identity type in AD — no MFA, static passwords, excessive privilege. How to enumerate them, scope privilege, and migrate to gMSA.
Read ArticleNHIs outnumber human identities by 10:1 and are the least governed. Inventory challenges, supply chain exposure, secrets in source code, and the controls that close the gap.
Read ArticleStanding privilege is what turns a credential compromise into a catastrophic breach. How to implement JIT access with Entra PIM and PAM vaults — and why DORA and NIS2 are making it mandatory.
Read ArticleWhat CAF B2.a–B2.d requires for CNI operators, the specific IGPs assessors test, and how to produce the privileged account inventory and evidence pack that supports a positive assessment.
Read ArticlePractical reference documents for security teams, board packs, and pre-assessment preparation. Each maps to a specific regulatory requirement or commercial decision.
The questions underwriters ask about MFA, privileged access, logging, and recovery — with what good evidence looks like for each.
View Service10 items mapped to Articles 5, 9, and 17 — with what evidence a DORA supervisor expects for each control.
Read Article5 questions every board should receive answers to, and what adequate vs inadequate answers look like under DORA.
Read ArticleThe 5 identity risk areas to assess before transaction close — including what answers raise red flags for deal teams.
Read ArticleOfficial advisories from NCSC, ENISA, CERT-EU, Europol, Action Fraud, BSI, CERT-FR, and NCSC-NL — aggregated automatically, direct from government sources. Updated every page load.
View Live Intelligence FeedThese articles cover common scenarios — but every organisation's situation is different. A scoping call takes 30 minutes and is free.