On October 17th, the EU’s Network and Information Security Directive 2, NIS2 for short, will be enforced across all member states to enhance cyber resilience. New rules place a high focus on proactively managing third-party risks. While having industry-standard security certifications, such as ISO 27001 or SOC2, are non-negotiables for remaining compliant, they may not reflect a company’s cyber readiness.
Experts say that the gap between compliance and security has always existed. However, new regulations have highlighted the issue by placing greater emphasis on having to prove security.
This has led to increased scrutiny of organizations’ security practices and, according to Aurimas Bakas, CEO at Cyber Upgrade, exposed many cases of paper-only compliance. This describes companies that have checked all the technical boxes but lack a working action plan to enforce cyber defense lines.
Certification Limitations and the ‘Paper-Only’ Problem
Bakas explained that while the certification process is not inherently faulty, it can often be misapplied.
“Laser focus on documentation can create a false sense of security if organizations do not follow through with the actual implementation of processes and prioritize the effectiveness of security controls,” he said. „There’s a massive gap between documentation and actual compliance. I would go as far as to say that 90% of the clients we have worked with weren’t compliant, even though they had all the documentation.”
Complex modern supply chains and rapidly evolving systems continue to create multiple weak points, allowing attackers to gain access to sensitive data. Many clients, especially teams that lack in-house cybersecurity experts, are unaware of possible blind spots where the risks, even for SMEs, are in the hundreds.
“Lack of security incidents can be as much of a red flag as frequent breaches – it can mean a lack of detection capabilities to identify all the threats, as no environment is completely immune to attacks. A good way to test readiness is to hire a red team — a group of ethical hackers — to simulate real-world attacks and test the effectiveness of security defenses,” Bakas suggested.
Paper-Only Compliance: A Widespread Issue Across Businesses
The issue of paper-only compliance affects most businesses regardless of size. For instance, smaller entities often lack resources for robust security controls, leaving them heavily dependent on external help, which can be hit-or-miss. On the other hand, bigger businesses are usually too reliant on the progress they have already made, such as getting ISO 27001 certified, and end up neglecting continuous threat monitoring.
“Compliance is only a baseline, while security is an ongoing process, requiring continuous effort. Getting certified is key, but going forward, it won’t be enough to convince the regulators, nor will it protect company assets. It’s best to get ahead, as ‘doomsday’ prepping is always better than damage control.”
