THREAT OPS › Threat News › Completing Compliance with Evidence : A Bottom-Up Approach to NIS2, DORA, and the Cyber Resilience Act
Completing Compliance with Evidence : A Bottom-Up Approach to NIS2, DORA, and the Cyber Resilience Act
GRC (Governance, Risks and Compliance) as it is most often practiced works top-down, you read a piece of regulation, draft a policy, declare coverage, and archive a documentary record. This approach has value, it structures, it documents, it meets an auditor's formal expectations. It also has a known limitation: it mostly reflects what the organization describes and far less easily what actually h