Information Security & Compliance • Article

Regulators, customers and auditors want evidence

⏱️ Estimated reading time: 7 minutes

Implemented controls, treated risks, reported incidents and auditable logs are no longer optional.

Regulators, customers and auditors no longer settle for a signed policy. They want evidence that controls are implemented, risks are treated, incidents are reported and logs can be audited.

What changed in 2025 (in 60 seconds)
  • DORA: the European regulation for the financial sector (banks, insurers, asset managers, critical ICT providers) has applied since 17 January 2025 and requires ICT risk registers, resilience testing and third-party oversight.
  • CRA: the Cyber Resilience Act entered into force on 10 December 2024; most obligations apply from 11 December 2027, with reporting rules and other provisions already starting on 11 September 2026.
  • NIS 2 in Portugal: after delays, the Portuguese Parliament approved the transposition of the directive in September 2025 (awaiting promulgation and publication in the Diário da República).
  • Risk trend: supply chain attacks continue to grow and remain a common entry point into large organisations.
What “proving it” means in practice: 10 pieces of evidence an auditor will ask for
  1. A living asset inventory (including shadow IT and critical SaaS) and information classification.
  2. Vulnerability and patch management with SLAs by criticality + trend reports (backlog, average remediation time).
  3. Centralised security logs (SIEM/EDR) with defined retention and audit trails.
  4. Identity and access management (IAM) with universal MFA, event-based revocation and periodic reviews.
  5. Tested backups (quarterly restores) with logical immutability and isolation.
  6. Risk assessments and treatment plans with owners, deadlines and validation of effectiveness.
  7. Third-party due diligence with evidence: audit reports, certifications, security clauses and continuity plans.
  8. Incident response plans tested and NIS 2 reporting prepared (24h early warning, 72h incident notification, final report within one month).
  9. Ongoing training (phishing, social engineering, data protection) with participation and effectiveness metrics.
  10. Privacy in AI: DPIA, minimisation/anonymisation and a clear legal basis for personal data used in models.
Errors we still see (and how to fix them)
  1. Excellent policies on paper, weak execution → turn policies into verifiable controls (checklists and owners for each control).
  2. EDR/SIEM without full coverage → measure the % of endpoints/services covered and treat deviations as compliance incidents.
  3. “Critical” third parties without appropriate contracts → add security requirements, RTO/RPO, incident reporting and right-to-audit clauses.
  4. Ad hoc incident reporting → prepare pre-filled “NIS 2 kits”: 24h early warning template, 72h report and final report (1 month) (source: ENISA).
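Two of the pieces of evidence above (patching SLAs by criticality with backlog and remediation-time reports, and EDR/SIEM coverage measured against the inventory) can be produced from exports rather than slides. The following is an added example, not code from the original article or from Behaviour; the asset names, vulnerability labels, SLA values and the 95% coverage target are constructed for illustration. It shows how coverage gaps, shadow-IT candidates (agents reporting from hosts that are not in the inventory) and SLA breaches fall out of the same three data sets.

```python
"""Evidence metrics from an asset inventory, an EDR agent list and a vulnerability backlog.

Added example: the data below is constructed; SLA values are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed patching SLAs in days by criticality (set these from your own policy).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
COVERAGE_TARGET = 0.95  # the >= 95 % EDR/SIEM coverage target used in the 90-day plan


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str      # internal tracker label, not a real CVE identifier
    severity: str
    opened: date
    closed: Optional[date] = None


def coverage(inventory: set[str], agents: set[str]) -> tuple[float, set[str], set[str]]:
    """Return (coverage ratio, inventoried assets without an agent, agents not in the inventory).

    The second set is the compliance gap; the third set is a shadow-IT signal, because
    an agent is phoning home from a host nobody recorded."""
    covered = inventory & agents
    ratio = len(covered) / len(inventory) if inventory else 0.0
    return ratio, inventory - agents, agents - inventory


def sla_breaches(findings: list[Finding], today: date) -> list[Finding]:
    """Open findings whose age exceeds the SLA for their severity."""
    return [f for f in findings
            if f.closed is None and (today - f.opened).days > PATCH_SLA_DAYS[f.severity]]


def mean_time_to_remediate(findings: list[Finding], severity: Optional[str] = None) -> Optional[float]:
    """Average days from opening to closing over closed findings, optionally for one severity."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.closed is not None and (severity is None or f.severity == severity)]
    return sum(durations) / len(durations) if durations else None


# Constructed sample exports: a CMDB/inventory, the EDR console's agent list and the scanner backlog.
INVENTORY = {"srv-ad-01", "srv-db-01", "srv-web-01", "lap-0042", "lap-0043"}
EDR_AGENTS = {"srv-ad-01", "srv-db-01", "srv-web-01", "lap-0042", "lap-0099"}
TODAY = date(2025, 11, 5)
FINDINGS = [
    Finding("srv-web-01", "VULN-001", "critical", date(2025, 10, 20)),                   # 16 days open, SLA 7
    Finding("srv-db-01", "VULN-002", "high", date(2025, 10, 20)),                        # 16 days open, SLA 30
    Finding("lap-0042", "VULN-003", "medium", date(2025, 7, 1)),                         # 127 days open, SLA 90
    Finding("srv-ad-01", "VULN-004", "critical", date(2025, 10, 1), date(2025, 10, 5)),  # closed in 4 days
    Finding("srv-web-01", "VULN-005", "high", date(2025, 9, 1), date(2025, 9, 21)),      # closed in 20 days
]


def evidence_report(today: date = TODAY) -> dict:
    """Build the numbers an auditor asks for from the three exports above."""
    ratio, uncovered, unknown = coverage(INVENTORY, EDR_AGENTS)
    breaches = sla_breaches(FINDINGS, today)
    return {
        "edr_coverage": round(ratio, 3),
        "coverage_ok": ratio >= COVERAGE_TARGET,
        "uncovered_assets": sorted(uncovered),        # deviations to treat as compliance incidents
        "unknown_agents": sorted(unknown),            # shadow-IT candidates to add to the inventory
        "sla_breaches": [(f.asset, f.vuln_id, f.severity) for f in breaches],
        "open_backlog": sum(1 for f in FINDINGS if f.closed is None),
        "mttr_days": mean_time_to_remediate(FINDINGS),
        "mttr_critical_days": mean_time_to_remediate(FINDINGS, "critical"),
    }


if __name__ == "__main__":
    for key, value in evidence_report().items():
        print(f"{key}: {value}")
```

Run it as-is to see the report for the constructed data; in practice the three sets come from a CMDB export, the EDR console and the scanner, and the report is produced on a schedule so the trend (backlog, remediation time, coverage) is itself the evidence rather than a one-off screenshot.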
90-day plan to strengthen evidence of compliance

0–30 days: asset inventory and criticality; supplier map; DORA/NIS 2/ISO 27001 gap analysis.

31–60 days: close priority gaps (universal MFA, tested backups, EDR/SIEM coverage ≥ 95%); define patching SLAs.

61–90 days: audit simulation; incident exercise with NIS 2 reporting; KPI dashboard (remediation time, coverage, testing).

Recommended Behaviour courses (Information Security)

Behaviour develops courses that not only explain the standards, but also prepare you to apply, lead and audit with confidence:

Author: Behaviour
Published on: 5 November 2025
Copying or reproducing this article is not authorised.