What is IT Regulatory Compliance
IT regulatory compliance refers to the set of processes by which an organization ensures that its information system adheres to the laws, regulations, and standards that apply to it—covering data protection, cybersecurity, resilience, and the governance of artificial intelligence use.
Two concepts are often confused. Regulatory compliance covers obligations imposed by law, whose breach can trigger sanctions. Standards compliance (ISO/IEC 27001, for example) is voluntary: it provides a framework of best practices and a demonstration of seriousness. The two reinforce each other, since adopting a recognized framework greatly facilitates regulatory compliance.
Compliance is not a static state. It is a continuous process: laws evolve, the information system changes, new processing activities appear. Therefore it requires documentation, regular controls, and the ability to demonstrate at any moment that obligations are met.
It also differs from information security proper, though the two are complementary. Security is concerned with the concrete protection of systems; compliance is concerned with proving that this protection meets defined requirements. An organization can be technically secure without being compliant (missing documentation, no register, no evidence of controls), and conversely can tick every box without any real protection. A robust approach aligns both: effective measures and their formalization, with evidence that the measures actually operate.
Overview of Applicable Frameworks
Today, the landscape of IT compliance in France and Europe is shaped by several texts and standards. They split into legal obligations (GDPR, NIS2, DORA, AI Act), whose breach carries penalties, and voluntary standards (ISO/IEC 27001) that serve as a framework of best practices. Understanding how these fit together is the first step toward building a coherent approach.
The GDPR
The General Data Protection Regulation (EU 2016/679), applicable since May 2018, governs the processing of personal data. It requires a legal basis for each processing activity, respect for individuals' rights, appropriate security of the data, and notification of personal data breaches to the supervisory authority (in France, the CNIL, which recorded 5,629 breach notifications in 2024), generally within 72 hours of becoming aware of the breach.
NIS2
The NIS2 directive (EU 2022/2555), currently being transposed in France through the resilience bill adopted by the Senate in March 2025, imposes a cybersecurity baseline on a broad set of "essential" and "important" entities. It requires risk management measures, staged incident notification deadlines (an early warning within 24 hours, a notification within 72 hours, and a final report within one month), and direct accountability of senior leadership.
DORA
The DORA regulation (EU 2022/2554) has applied to the financial sector since January 17, 2025. It imposes digital operational resilience: ICT risk management, resilience testing (including threat-led penetration testing for the largest entities), oversight of critical ICT third-party providers, and ICT-related incident reporting.
The AI Act
The AI Act (EU Regulation 2024/1689) is the first comprehensive legal framework dedicated to artificial intelligence. Built on a risk-based approach, it has prohibited certain practices since February 2025 and regulates general-purpose AI models. The application of its obligations to high-risk systems is expected to be partially delayed to late 2027 under the Digital Omnibus reform proposed by the European Commission in late 2025 and still under negotiation.
The AI Act distinguishes four levels of risk: unacceptable (prohibited practices), high (strict documentation, human oversight, risk management), limited (transparency obligations, such as informing users that they are interacting with an AI system), and minimal (free use). This tiered logic requires companies to inventory their AI systems and assess the risk of each one, rather than reasoning at the organizational level alone.
ISO/IEC 27001
The reference international standard, ISO/IEC 27001, specifies the requirements for an information security management system (ISMS). Though voluntary, it provides a solid foundation that covers a large share of regulatory expectations (risk assessment, documented controls, continuous improvement) and reassures customers and partners.
Who is Affected
The scope of entities subject to these regimes has widened considerably. GDPR applies to any organization processing personal data, regardless of size. NIS2 now targets roughly 10,000 to 15,000 entities in France, based on a combination of two criteria: size (at least 50 employees, or annual turnover or balance sheet above €10 million) and sector (18 listed sectors, from energy and healthcare to digital infrastructure).
DORA applies to financial entities (banks, insurers, payment service providers) but also to their critical ICT third-party providers. The AI Act, finally, covers any provider or deployer of AI systems whose activity touches the European market, including non-European firms. A supply-chain effect thus extends these obligations in practice to many subcontractors, through contractual requirements flowing down from regulated entities.
Governance and Accountability Challenges
The most significant shift introduced by these new texts is to elevate compliance into the realm of governance. Under NIS2, management bodies must approve and oversee cybersecurity risk management measures, and they can be held personally liable for failures. Compliance is no longer delegated solely to a support function: it becomes a matter for top management and board oversight.
This shift calls for a dedicated organization: appointing a responsible officer (a DPO for GDPR, a risk lead for NIS2), cross-functional involvement of the lines of business, and coordination between the legal team, the CISO and CSIRT, and the IT department. Maintaining documented evidence (processing registers, impact assessments, audit proofs, incident records) becomes central because, in an inspection, what is not documented is deemed not to exist.
In the era of AI and data proliferation, governance goes beyond defensive compliance. It becomes a foundation of trust: an organization that can demonstrate mastery over its data and systems gains a commercial and competitive advantage that goes beyond merely avoiding penalties.
This trust also extends to employees and citizens. Respect for GDPR signals fair handling of personal data; NIS2 ensures continuity of essential services; compliance with the AI Act guarantees a controlled and transparent use of artificial intelligence. In a context where public trust in digital technologies is increasingly fragile, making compliance a visible commitment becomes a differentiator, not merely an obligation to minimize risk.