Evolution of digital compliance: Implications for EHS and sustainability

Guest blog by Stephen Scott, Practice Director specialising in cybersecurity and information risk, BSI Consulting

The digital threat landscape has grown exponentially over the last 10 to 20 years and shows no sign of slowing down, so much so that annually released threat reports are now predicting emerging threats up to 2030.

The expansion of malware variants, sophisticated phishing attacks, rise of insider threats, and targeted cyberattacks threatening critical infrastructure such as energy, healthcare, and transportation are becoming more prevalent due to factors including geopolitical events, hacktivism, and financial greed.

A cyberattack on the US healthcare technology company Change Healthcare in February 2024 caused a major disruption to it and its connected organizations. The attack serves as a stark reminder of the vulnerabilities and implications we face across workplaces in all sectors as well as the societal and economic impacts.

Amid this growing threat, the expansion of the server world is outpacing our capacity to secure it and the sensitive data it holds. As organizations grapple with protecting large sums of sensitive personal and business information while upholding adherence to security and privacy standards and regulations, business resilience has become a critical focal point for ensuring the integrity of digital ecosystems. Additionally, the advent of cloud computing has made data cheaper to store and easier to access and transmit, resulting in the mass proliferation of digital data across organizations on a global basis.

Timeline

In response to the changing threat landscape, the evolution of compliance across the cyber and privacy realm has undergone a huge transformation. This change has been shaped by numerous factors, including technological advancements, regulatory shifts, and business ambition coupled with a less risk-averse entrepreneurial mentality.

Nowadays, if you are not growing as a business year on year, you are viewed as going backwards. Shareholders, boards, and investors want to see continued profits and, in most cases, do not have awareness or an understanding of the dangers of growing a business at speed without building in security, privacy, and resilience by design.

While digital compliance can be traced back to the early stages of the internet, where security concerns laid the groundwork for foundational principles, the last few years have seen the release of a variety of new regulations, directives, revisions of standards, and frameworks.

More specifically, the development of EU and US regulatory risk-based frameworks has ushered in a new era of accountability, requiring organizations to adopt strict compliance measures to mitigate risks, maintain resilience, and most importantly, protect stakeholders' interests and data. Some of these include:

EU General Data Protection Regulation (GDPR)
Directive (EU) 2022/2555 (known as NIS2)
Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554
US Health Insurance Portability and Accountability Act (HIPAA)
US Sarbanes-Oxley Act (SOA)

Today, more sophisticated data breaches and cyberattacks reinforce the need for even stronger guardrails and trust within the digital space. As governments worldwide enact stringent data-protection laws and impose hefty fines for noncompliance, with citizens being granted the right to receive compensation, organizations are compelled to adopt a complex web of regulations spanning multiple jurisdictions.

Whether driven by fear of reprimand for noncompliance, supplier due diligence requirements, or organizational objectives, business leadership teams have started to see the value in adopting a best practice as well as in investing in capabilities to meet the requirements set out in the regulatory directives. Consequently, the emphasis has shifted towards maintaining resilience through risk management, transparency, and accountability, underscoring the importance of a proactive rather than reactive approach to compliance.

Being compliant at a point in time does not mean that you will have this status in the future. Ongoing investment in both technology and resourcing is required to continually improve while maintaining a level of compliance. This level of compliance mitigates risk to an acceptable level for the business, its customers, and in the case of an operator of essential services, its supervisory authority.

As organizations embrace digital transformation initiatives like cloud computing, the internet of things (IoT), and artificial intelligence into their operations, the need for cybersecurity and privacy measures become more crucial. Frameworks such as NIST Cybersecurity and standards like ISO 27001 and PCI DSS provide an organization with a structured, repeatable, and methodical approach to build a multi-layered robust defense capability that enhances resilience and digital trust.

What’s interesting is that these frameworks and standards have all been evolving in their own way in line with the threat landscape, albeit a couple of years behind. Both the ISO27001 and PCI standards have been refreshed and now include more up-to-date guidance relating to controls such as threat modelling, web application scanning, and cloud computing to name but a few.

The NIST Cybersecurity Framework has been overhauled to include a completely new function relating to “Govern,” which effectively provides clear guidance to management on practices relating to governing their security posture in a formalized and structured manner (Read more on NIST v2.0 in NIST Cybersecurity Framework: What's new in v2.0).

Additionally, to provide guidance to organizations who are already or intending to utilize or develop AI (Artificial Intelligence) capabilities, the ISO42001 standard has been released to provide a management system framework so that best practice controls can be implemented through the project and/or operational lifecycle of the software adoption and integration.

All in all, it can be said that the standard bodies and regulators have somewhat stepped up the mark and have produced some solid mandates and guidance for the wider business community. However, the big question remains: Will the supervision of the adoption and adherence to these regulations be enough to make a difference and mitigate risk presented by the ever-evolving threat landscape? The jury is still out!

Interconnected

While these resources are extremely helpful and should be considered for adoption, we must not forget that compliance evolution goes beyond far beyond digital and IT (Information Technology) resilience, resonating with broader EHS and sustainability themes, especially considering how major cloud hosting providers manage emissions in their data centers, requiring:

Broader commitments: While businesses strive to uphold trust in the digital space, a commitment to ethical practices, environmental stewardship, and social responsibility must also be demonstrated.
Synergies: The principles of compliance, transparency, and accountability that underpin digital trust find resonance in EHS and sustainability initiatives, creating cooperation between seemingly unrelated areas.

Climate change, resource depletion, and societal inequalities are forcing all industries to address EHS and sustainability challenges. Regulatory mandates, stakeholder expectations, and market forces compel businesses to integrate EHS and sustainability considerations into core operations, from supply chain management to product design and beyond.

Compliance, therefore, becomes not merely a legal obligation but a strategic imperative, guiding organizations towards responsible and sustainable practices.

Greater insights

Leveraging technologies such as data analytics, IoT sensors, and blockchain can enhance transparency, traceability, and accountability across all EHS and sustainability initiatives, helping navigate the complex regulatory landscape and stakeholder expectations. Compliance creates opportunity and becomes a catalyst for innovation, driving continuous improvement and advancing responsible stewardship.

The convergence of digital trust with EHS and sustainability highlights the connection of global challenges and the necessity for collective action. Just as collaboration and cooperation are essential in addressing cybersecurity threats and building digital resilience, they are equally essential in tackling EHS and sustainability issues.

Through forging partnerships across sectors, sharing best practices, and driving collective impact, organizations can amplify efforts towards becoming more resilient, equitable, and sustainable.

The evolution of compliance within the digital world offers valuable lessons and opportunities for EHS and sustainability professionals—but this is only the beginning. By embracing the principles of compliance, transparency, and accountability, organizations can navigate the nexus between digital trust, EHS, and sustainability, driving positive outcomes for people, planet, and prosperity.

Watch the Evolution of Compliance webinar recording. Listen on Spotify.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more