Step 1: Conduct a current-state assessment
Compliance begins with a diagnostic: where do we really stand? This means inventorying the data processing activities (the GDPR record of processing activities), the systems and services that make up the information system, dependencies on suppliers, and the uses of artificial intelligence. The assessment almost always uncovers blind spots – shadow IT, undeclared processing, and critical vendors that are poorly identified.
The diagnostic then measures the gap between the current state and the applicable requirements. This maturity analysis, often supported by a framework such as ISO 27001 or the NIST CSF, prioritises the shortcomings. It shows whether the organisation is starting from scratch or already has a reusable foundation, which determines the scale of the project ahead.
A point of vigilance: the current-state assessment must cover vendors and the supply chain. Many organisations have a good grip on their internal IT but know little about the security posture of their subcontractors, even though NIS2 and DORA both require supply-chain security to be addressed. Cataloguing critical suppliers, the access they hold, and the data they process is therefore an integral part of the initial diagnostic.
Step 2: map obligations by regulation
Once the current state is known, the regulatory exposure must be qualified: which texts apply, in what capacity, and with which precise obligations. A company can simultaneously fall under the GDPR (personal data), NIS2 (if it falls within its sectors and size thresholds) and the AI Act (if it provides or deploys AI systems).
The central methodological challenge is to identify the overlaps. Many requirements are common to several texts: securing access, logging, business continuity planning, incident management. Rather than treating each regulation in isolation, build a cross-regulatory compliance matrix that links each measure to the texts it satisfies. This approach avoids duplication and makes the security baseline a shared investment.
This mapping also clarifies the notification timelines, which differ by text: NIS2 requires an early warning within 24 hours of becoming aware of a significant incident, followed by an incident notification within 72 hours and a final report within one month, while the GDPR gives 72 hours to notify the supervisory authority of a personal data breach. Documenting who notifies what, to whom and within what timeframe is something to prepare in advance, never in the heat of an incident.
Concretely, the matrix is laid out as follows: rows list concrete security measures; columns list the applicable texts and standards; each intersection records the degree of coverage (full, partial, none). This view immediately highlights the high-leverage measures (those that satisfy several texts) and the obligations still not covered by any measure, turning a confusing regulatory stack into a readable roadmap.
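The matrix and the notification schedule described above, as an added worked example that is not part of the original article. The obligation tags, measures and coverage levels are constructed sample data chosen to show the mechanics (ranking measures by leverage, listing uncovered obligations, rendering the grid, computing deadlines from the moment of awareness); they are not a validated legal mapping and must be replaced by your own reviewed inventory.

```python
"""Cross-regulatory compliance matrix: measures (rows) x texts (columns).

Added illustrative example, not code from the original article. The
obligations, measures and coverage values below are constructed sample
data for demonstrating the mechanics; they are not a validated legal mapping.
"""
from datetime import datetime, timedelta, timezone

FULL, PARTIAL, NONE = "full", "partial", "none"
WEIGHT = {FULL: 1.0, PARTIAL: 0.5, NONE: 0.0}

# Obligation tags per text (constructed sample, not an exhaustive inventory).
OBLIGATIONS = {
    "GDPR": {"access-control", "breach-notification", "processing-register", "dpia"},
    "NIS2": {"access-control", "logging", "business-continuity",
             "incident-management", "supply-chain"},
    "DORA": {"access-control", "logging", "business-continuity",
             "incident-management", "supply-chain", "resilience-testing"},
    "AI Act": {"ai-risk-classification", "logging"},
}

# Matrix rows: measure -> {obligation tag: coverage level} (constructed sample).
MATRIX = {
    "MFA on remote and privileged access": {"access-control": FULL},
    "Central log collection, 12-month retention": {"logging": FULL,
                                                   "incident-management": PARTIAL},
    "Incident response procedure + notification playbook": {"incident-management": FULL,
                                                            "breach-notification": FULL},
    "Tested backups and DRP": {"business-continuity": FULL},
    "Record of processing activities": {"processing-register": FULL},
    "Critical-vendor register with contractual clauses": {"supply-chain": PARTIAL},
}


def best_coverage(obligation):
    """Best coverage level any measure gives one obligation (NONE if untouched)."""
    levels = [cov for row in MATRIX.values() for ob, cov in row.items() if ob == obligation]
    return max(levels, key=WEIGHT.__getitem__, default=NONE)


def gaps():
    """Per text, the obligations not fully covered, with the best level found."""
    out = {}
    for text, obs in OBLIGATIONS.items():
        missing = {ob: best_coverage(ob) for ob in sorted(obs) if best_coverage(ob) != FULL}
        if missing:
            out[text] = missing
    return out


def texts_served(measure):
    """Texts a measure contributes to (it covers at least one of their obligations)."""
    return sorted(t for t, obs in OBLIGATIONS.items() if obs & set(MATRIX[measure]))


def leverage_ranking():
    """Measures ordered by texts served, then by weighted coverage: high-leverage first."""
    def key(m):
        return (-len(texts_served(m)), -sum(WEIGHT[c] for c in MATRIX[m].values()), m)
    return [(m, texts_served(m)) for m in sorted(MATRIX, key=key)]


def cell(measure, text):
    """Matrix intersection: best coverage the measure gives any obligation of that text."""
    touched = [cov for ob, cov in MATRIX[measure].items() if ob in OBLIGATIONS[text]]
    return max(touched, key=WEIGHT.__getitem__, default=NONE)


def render():
    """Plain-text view of the matrix."""
    texts = list(OBLIGATIONS)
    w = max(len(m) for m in MATRIX) + 2
    rows = ["measure".ljust(w) + "".join(t.ljust(9) for t in texts)]
    rows += [m.ljust(w) + "".join(cell(m, t).ljust(9) for t in texts) for m in MATRIX]
    return "\n".join(rows)


# Notification windows in hours after becoming aware (NIS2 Art. 23, GDPR Art. 33).
NOTIFICATION_WINDOWS = {
    ("NIS2", "early warning"): 24,
    ("NIS2", "incident notification"): 72,
    ("GDPR", "breach notification to the supervisory authority"): 72,
}
SAMPLE_AWARE_AT = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp


def notification_schedule(aware_at):
    """Deadlines in chronological order once the organisation becomes aware."""
    return sorted((aware_at + timedelta(hours=h), text, what)
                  for (text, what), h in NOTIFICATION_WINDOWS.items())


if __name__ == "__main__":
    print(render())
    print("\nhigh-leverage first:", *leverage_ranking(), sep="\n  ")
    print("\ngaps:", gaps())
    for due, text, what in notification_schedule(SAMPLE_AWARE_AT):
        print(f"{due:%Y-%m-%d %H:%M} UTC  {text}: {what}")
```

With the sample data, the incident response procedure ranks first because it serves three texts with full coverage, while the vendor register shows up under NIS2 and DORA as only partial and the DPIA, resilience-testing and AI risk-classification obligations appear as gaps with no measure at all. In a real GRC tool the same three questions (what does each measure buy us, what is still uncovered, when is each notification due) are what the matrix is for; the coverage levels are the part that needs a reviewer with legal and technical knowledge, not the code.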
Step 3: define and execute a remediation plan
The remediation plan turns the diagnostic into a prioritised roadmap. Prioritisation rests on two axes: the risk level (a failing that could lead to a major data breach takes precedence over a mere documentation point) and the effort required (some measures are quick to implement and high-impact).
Several time horizons need to be distinguished:
- Immediate, high-leverage measures: multi-factor authentication, tested backups, updating the data processing register, designation of owners.
- Structural initiatives: information system security policy (PSSI), business continuity and disaster recovery plans (BCP/DRP), access management, securing the supplier chain.
- Regulation-specific measures: data protection impact assessments (DPIAs) for high-risk processing, and risk classification of AI systems under the AI Act.
Execution should be run as a project: a named owner, milestones, progress indicators, and reporting to leadership. It is also an opportunity to adopt dedicated tooling (GRC platforms) that automates control tracking and evidence collection.
Change management is a success factor that is often underestimated. Compliance touches daily practices – password management, data handling, incident reporting – and therefore requires buy-in from the teams. Training staff, explaining the purpose of the measures, and involving business users from the design phase prevent compliance from being seen as an imposed constraint, or bypassed at the first opportunity. A measure that is not applied in practice offers only surface-level compliance.
Step 4: document and audit continuously
Compliance is not declared, it must be proven. Documentation is therefore at the heart of the system: record of processing activities, security policy, incident management procedures, risk analyses, and the contracts governing suppliers. In the event of a CNIL or ANSSI inspection, these elements constitute the proof of compliance, and their absence is in practice treated as evidence of non-compliance.
Audit as a ritual
A regular audit, internal or external, verifies that the measures in place remain effective and that no new deviations have appeared. Penetration testing and crisis management exercises complement this framework by stress-testing defences under realistic conditions.
For organisations aiming for certification (ISO 27001) or subject to regulatory audits, this ritual is formalised: a preparatory dry-run audit, the certification audit, then annual surveillance audits. Anticipating these deadlines and keeping documentation up to date avoids the “race against the clock” effect that degrades quality and drives teams to scramble in the weeks before the auditor arrives.
A cycle of continuous improvement
Because regulations evolve – the AI Act timetable, for instance, is being revised in 2026 – and the IT landscape changes, compliance sits within a cycle of continuous improvement, modelled on the ISO 27001 “plan, do, check, act” loop. A structured regulatory watch helps anticipate deadlines rather than endure them.
Ultimately, bringing an information system into compliance is not about piling up ad hoc responses to each regulation, but about establishing enduring governance of security and data. When well managed, this approach reduces the risk of penalties, strengthens resilience, and becomes a trust signal for clients and partners.