Why These Distinctions Matter
When an organisation is told it must "comply with ISO 27001" or "meet NIS2 requirements," the natural instinct is to treat every framework the same way: as a checklist to complete. But regulations, directives, certifications, and standards are fundamentally different instruments. They differ in who creates them, how they are enforced, what happens if you ignore them, and whether you have a choice in the first place.
Confusing a voluntary standard with a binding regulation — or treating a certification as proof of regulatory compliance — can lead to costly blind spots. This guide provides a clear, fact-based explanation of each category, drawn entirely from authoritative legal and institutional sources.
Regulations: Binding Law, No Exceptions
A regulation is a legislative act that is directly and immediately enforceable as law. In the European Union, Article 288 of the Treaty on the Functioning of the European Union (TFEU) defines it precisely:
"A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States."
This means a regulation does not need to be translated into national law. The moment it takes effect, it applies uniformly across all 27 EU Member States. Organisations cannot selectively adopt parts of it, and Member States cannot modify its provisions.
In the United States, federal statutes such as HIPAA are enacted by Congress, with detailed implementing rules (the Privacy Rule, Security Rule) issued by executive agencies under the authority that Congress grants. The mechanism differs from the EU model, but the core characteristic is the same: they are mandatory, enforceable, and carry penalties for non-compliance.
How Regulations Are Enforced
Enforcement varies by jurisdiction. In the EU, national authorities (such as Data Protection Authorities for GDPR) monitor compliance and impose sanctions, while the European Commission acts as the overall guardian of EU treaties. In the US, agencies like the HHS Office for Civil Rights enforce HIPAA through investigations, audits, and civil or criminal penalties.
Key Regulations at a Glance
| Regulation | Jurisdiction | Adopted | Effective | Maximum Penalty | Enforced By |
|---|---|---|---|---|---|
| GDPR (EU 2016/679) | EU + extraterritorial | Apr 2016 | May 2018 | EUR 20M or 4% of worldwide annual turnover, whichever is higher | National DPAs |
| DORA (EU 2022/2554) | EU financial sector | Dec 2022 | Jan 2025 | Penalties for financial entities are set by national law; critical ICT third-party providers face periodic penalty payments of up to 1% of average daily worldwide turnover | National financial supervisors; EBA, ESMA and EIOPA as Lead Overseers of critical ICT providers |
| HIPAA (PL 104-191) | United States | Aug 1996 | Privacy Rule Apr 2003, Security Rule Apr 2005 | USD 1.5M per year per provision (statutory cap, inflation-adjusted) | HHS Office for Civil Rights |
| CRA (EU 2024/2847) | EU + extraterritorial | Oct 2024 | Dec 2027 (vulnerability and incident reporting from Sep 2026) | EUR 15M or 2.5% of worldwide annual turnover, whichever is higher | National market surveillance authorities |
GDPR (Regulation EU 2016/679) governs the processing of personal data by organisations established in the EU and by organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Two penalty tiers exist, each "whichever is higher": up to EUR 10 million or 2% of worldwide annual turnover for breaches of obligations such as those placed on controllers and processors (Articles 25 to 39), and up to EUR 20 million or 4% for breaches of the basic processing principles, data subject rights, or international transfer rules.
DORA (Regulation EU 2022/2554) targets financial entities and their ICT third-party service providers with prescriptive requirements for ICT risk management, ICT-related incident reporting (an initial notification of a major incident within four hours of classifying it as major and no later than 24 hours after becoming aware of it, followed by intermediate and final reports), and digital operational resilience testing, including threat-led penetration testing for the largest entities.
HIPAA (Public Law 104-191) protects health information in the United States. Civil penalties are tiered by the level of culpability (from USD 100 to USD 50,000 per violation under the statutory schedule, inflation-adjusted), with criminal penalties reaching USD 250,000 and up to 10 years of imprisonment where protected health information is obtained or disclosed with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm.
CRA (Regulation EU 2024/2847) establishes cybersecurity requirements for products with digital elements placed on the EU market. The European Commission estimates that around 90% of products in scope fall into the default category, where the manufacturer self-assesses conformity. Three penalty tiers apply: the highest for breaches of the essential requirements, a middle tier for other obligations, and the lowest for supplying incorrect or misleading information to authorities.
Directives: Binding Goals, Flexible Implementation
An EU directive is a different type of legislative act. The same TFEU Article 288 defines it as:
"A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods."
The critical distinction is that a directive sets the destination, not the route. Each Member State must achieve the required outcomes but has discretion in how it translates the directive into national law — a process called transposition. Directives typically include a transposition deadline, after which Member States must have enacted appropriate national legislation.
This is why, for example, NIS2 looks different in the Netherlands (the Cyberbeveiligingswet) than it does in Germany or France. The security outcomes must be equivalent, but the specific legal mechanisms, reporting structures, and supervisory arrangements may vary.
The Transposition Process
- The EU adopts the directive and sets a transposition deadline (typically 18–24 months)
- Each Member State drafts national legislation to achieve the directive's objectives
- Member States notify the European Commission of their transposition measures
- The Commission verifies completeness and correctness
- If a Member State fails to transpose on time, the Commission may initiate infringement proceedings before the Court of Justice of the European Union
Key Examples of Directives
NIS2 (Directive EU 2022/2555) — Adopted December 2022, with a transposition deadline of October 17, 2024. The successor to the original NIS Directive of 2016, NIS2 significantly broadens the scope of EU cybersecurity obligations to 18 sectors (11 sectors of high criticality in Annex I and 7 other critical sectors in Annex II). Penalties for essential entities reach up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is EUR 7 million or 1.4%. Notably, NIS2 introduces personal accountability for management bodies: they must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements, and supervisory authorities may temporarily prohibit the chief executive or legal representative of an essential entity from exercising managerial functions if the entity fails to comply with enforcement orders.
NIS1 (Directive EU 2016/1148) — The original Network and Information Security Directive, adopted in 2016. It was the first comprehensive EU-wide cybersecurity legislation. NIS1 was repealed and replaced by NIS2 on October 18, 2024.
Regulation vs. Directive: Side-by-Side
| Aspect | Regulation | Directive |
|---|---|---|
| Legal basis | TFEU Article 288 | TFEU Article 288 |
| Application | Identical in all Member States | Varies by national transposition |
| Legal effect | Directly applicable — no national legislation required | Requires transposition into national law |
| Uniformity | Uniform rules across the EU | National variation permitted within required outcomes |
| Timeline | Fixed effective date | Transposition period (typically 18–24 months) |
| If a state fails to act | N/A — applies automatically | Commission infringement proceedings |
| Example | GDPR works the same in every EU country | NIS2 has different national implementations |
Standards: Voluntary Frameworks, Until They Are Not
A standard is an established set of guidelines or requirements developed through expert consensus. Standards are created by recognised standards bodies — such as ISO (International Organization for Standardization), NIST (National Institute of Standards and Technology), or the PCI Security Standards Council — and are voluntary by default.
The critical nuance is that standards can become effectively mandatory through three mechanisms:
- Regulatory reference: When a regulation or directive cites a standard as an acceptable or recommended implementation approach. For example, recital 79 of NIS2 names the ISO/IEC 27000 series among the European and international standards that entities should take into account when implementing cybersecurity risk-management measures.
- Contractual obligation: When business partners, customers, or industry bodies require compliance with a standard as a condition of doing business. PCI DSS is the clearest example: it is not a law, but any organisation that stores, processes, or transmits payment card data is contractually required to comply through its agreements with acquiring banks and payment processors, which flow down the card brands' operating rules.
- Harmonised standard designation: In EU law, the European Commission can request the European Standards Organisations (CEN, CENELEC, ETSI) to develop standards that support specific EU legislation. Once the Commission publishes references to these "harmonised standards" in the Official Journal of the European Union, they create a presumption of conformity: organisations that follow them are presumed to meet the corresponding legal requirements unless evidence shows otherwise. The CRA relies on this mechanism for its essential requirements.
Who Creates Standards?
ISO (International Organization for Standardization) — A global body whose members are more than 170 national standards bodies. Standards are developed through a consensus-based process involving technical committees of subject matter experts. The process from proposal to publication typically takes approximately three years. A Draft International Standard is approved when at least two-thirds of the participating members vote in favour and no more than one-quarter of the total votes cast are negative.
NIST (National Institute of Standards and Technology) — A US government agency under the Department of Commerce. NIST develops cybersecurity frameworks and guidelines through public workshops and stakeholder consultation. NIST frameworks are explicitly voluntary, though some become mandatory when referenced in federal contracts or executive orders.
PCI Security Standards Council — Founded in 2006 by five major payment card brands (Visa, Mastercard, American Express, Discover, and JCB). The Council develops and maintains the PCI Data Security Standard. Enforcement is carried out by the card brands themselves through contractual agreements with merchants and payment processors.
Key Examples of Standards
ISO/IEC 27001:2022 — The international standard for Information Security Management Systems (ISMS). Originally published in 2005 (derived from British Standard BS 7799-2), revised in 2013, and most recently in 2022. Its Annex A lists 93 controls across four themes: organisational, people, physical, and technological. ISO 27001 is voluntary, but EU instruments such as NIS2 point to the ISO/IEC 27000 series in their recitals, and supervisors increasingly treat certification as evidence of appropriate security measures.
PCI DSS v4.0.1 — The Payment Card Industry Data Security Standard, originally released as v1.0 in December 2004; v4.0.1 was published in June 2024. Applies globally to all organisations that store, process, or transmit payment card data. While not a law, non-compliance can result in monthly fines commonly cited as USD 5,000 to USD 100,000, which the card brands levy on the acquiring bank and which the bank passes on to the merchant under contract, as well as increased transaction fees, liability for fraud losses, and potential termination of the ability to process card payments.
NIST Cybersecurity Framework v2.0 — Released in February 2024, updating the original 2014 framework. Version 2.0 added a sixth core function — Govern — to the existing Identify, Protect, Detect, Respond, and Recover functions. The framework is designed for organisations of any size and sector. While purely voluntary, it has become the de facto baseline for cybersecurity programme maturity assessment in many industries, particularly in the United States.
Certifications: Independent Proof of Compliance
A certification is a formal, third-party verification that an organisation meets the requirements of a specific standard or framework. The distinction between a standard and a certification is fundamental:
- A standard defines what an organisation should do
- A certification provides independent evidence that the organisation actually does it
Certification requires assessment by an independent, qualified auditor (or assessment body) who evaluates the organisation's practices against the standard's requirements and issues a formal certificate upon successful completion. Certificates are typically time-limited and require periodic renewal through surveillance audits.
The Certification Ecosystem
The credibility of a certification depends on the accreditation of the body that issues it:
- Accreditation bodies (such as UKAS in the UK, ANAB in the US, or RvA in the Netherlands) formally recognise that certification bodies operate according to international standards
- Certification bodies (also called registrars) conduct the actual audits and issue certificates
- The International Accreditation Forum (IAF) maintains a Multilateral Recognition Arrangement (MLA) under which certificates issued by bodies accredited by any signatory are recognised across borders. As of January 2026, IAF and ILAC (its laboratory-accreditation counterpart) have merged to form the Global Accreditation Cooperation
Key Examples of Certifications
ISO 27001 Certification — An organisation implements the ISO/IEC 27001 standard, then engages an accredited certification body to conduct an initial audit. If the organisation passes, it receives a certificate valid for three years, subject to annual surveillance audits. As of 2024, there are approximately 96,709 ISO 27001 certificates worldwide, growing at roughly 20% per year.
SOC 2 — Developed by AICPA (American Institute of Certified Public Accountants), SOC 2 examinations evaluate an organisation's controls against five Trust Services Criteria: Security (always in scope), Availability, Processing Integrity, Confidentiality, and Privacy (each included or excluded depending on the agreed scope). SOC 2 comes in two forms: Type I (point-in-time assessment of control design) and Type II (assessment of control operating effectiveness over a review period, typically six to twelve months). Technically, SOC 2 produces an attestation report rather than a certificate — the distinction matters in the assurance profession.
CMMC (Cybersecurity Maturity Model Certification) — Codified in US federal regulation 32 CFR Part 170, the CMMC programme rule became effective in December 2024, and the acquisition rule that places CMMC requirements in DoD contracts began a phased rollout in November 2025. It applies to Department of Defense contractors and subcontractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). CMMC operates at three levels: Level 1 (annual self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21), Level 2 (assessment against the 110 security requirements of NIST SP 800-171; performed by an authorised third-party assessor, C3PAO, for most contracts and by self-assessment where the contract permits), and Level 3 (government-led assessment by DoD's DIBCAC, adding requirements drawn from NIST SP 800-172 for the most sensitive CUI). Failure to achieve the required CMMC level means an organisation cannot be awarded contracts that carry that requirement.
Certification Does Not Equal Regulatory Compliance
A common and potentially dangerous misconception: holding a certification does not automatically mean an organisation is compliant with every regulation that references the underlying standard. For example:
- An ISO 27001 certificate demonstrates that an organisation has implemented an Information Security Management System meeting the standard's requirements
- NIS2 references the ISO 27000 series as an appropriate implementation mechanism
- However, ISO 27001 certification alone is not sufficient for full NIS2 compliance, because NIS2 imposes additional obligations (such as specific incident reporting timelines, supply chain security requirements, and management liability) that go beyond the scope of ISO 27001
Certification is a strong foundation and provides significant evidence of mature security practices, but it must be supplemented with regulation-specific controls and processes.
Compliance, Certification, and Attestation: Three Different Things
These three terms are frequently used interchangeably, but they represent distinct concepts that matter in practice:
Compliance is the ongoing state of meeting mandatory requirements — whether imposed by law (GDPR, NIS2), contract (PCI DSS through merchant agreements), or internal policy. It is not a one-time achievement: compliance must be maintained continuously, and the organisation is responsible for demonstrating it at any point.
Certification is a time-bound, third-party verification that an organisation meets the requirements of a specific standard. A certification body issues a formal certificate after a successful audit. The certificate has a defined scope (which systems and processes were assessed) and a defined validity period (typically three years for ISO 27001, with annual surveillance audits).
Attestation is a professional opinion about specific claims, typically issued by an independent auditor such as a CPA. The auditor evaluates evidence and states whether management's representations are accurate. SOC 2 reports are attestations — a CPA firm attests to the operating effectiveness of controls, but does not issue a "certificate." This is a meaningful distinction in the assurance profession: an attestation is an opinion, not a stamp of approval.
| Aspect | Compliance | Certification | Attestation |
|---|---|---|---|
| What it proves | Meeting mandatory requirements | Meeting a standard's requirements | Accuracy of specific claims |
| Who requires it | Law or contract | Market or contract | Market or contract |
| Who assesses | Regulator, internal, or external | Accredited third-party auditor | Independent auditor (CPA) |
| Output | Evidence of controls | Formal certificate | Professional opinion report |
| Duration | Continuous obligation | Time-limited (1–3 years) | Point-in-time or period-based |
| Example | GDPR compliance | ISO 27001 certification | SOC 2 Type II report |
How Standards Become Mandatory: The Regulatory Reference Mechanism
One of the most important dynamics in cybersecurity governance is the mechanism by which voluntary standards become effectively mandatory. This happens through incorporation by reference — a legislative technique where a regulation explicitly cites a standard.
In the EU, this operates through the concept of harmonised standards under Regulation (EU) 1025/2012. When the European Commission publishes references to specific standards in the EU Official Journal, organisations that implement those standards receive a presumption of conformity with the corresponding regulatory requirements. The burden shifts: rather than proving compliance from scratch, the organisation is presumed compliant unless evidence demonstrates otherwise.
This approach offers several advantages:
- Flexibility: Organisations can choose alternative approaches if they can demonstrate equivalent compliance
- Adaptability: Standards can be updated without changing legislation
- Expertise: Standards bodies bring specialised technical knowledge that legislators may lack
- International alignment: Referencing international standards (like ISO) promotes global consistency
Real-World Example
NIS2 (Directive 2022/2555) references the ISO/IEC 27000 series in Preamble 79 as an appropriate basis for cybersecurity risk management. While NIS2 does not mandate ISO 27001, the practical effect is clear: organisations in scope increasingly pursue ISO 27001 certification as the most straightforward path to demonstrating NIS2 compliance. ISO 27001 has become the de facto gateway — even though alternative approaches are technically permitted.
The Complete Reference Table
The table below classifies every major cybersecurity governance instrument by its legal nature, who created it, whether compliance is optional, and what enforcement looks like in practice.
| Framework | Type | Issuing Body | Voluntary? | Enforcement | Max Penalty |
|---|---|---|---|---|---|
| GDPR | EU Regulation | EU Parliament & Council | No | National DPAs | EUR 20M / 4% turnover |
| DORA | EU Regulation | EU Parliament & Council | No | National financial supervisors; EBA, ESMA, EIOPA oversee critical ICT providers | Set by national law; up to 1% of average daily worldwide turnover (periodic penalty, critical ICT providers) |
| CRA | EU Regulation | EU Parliament & Council | No | National MSAs | EUR 15M / 2.5% turnover |
| HIPAA | US Federal Law | US Congress | No | HHS OCR | USD 1.5M/year + criminal |
| NIS2 | EU Directive | EU Parliament & Council | No | National authorities | EUR 10M / 2% turnover |
| ISO 27001 | Standard | ISO/IEC | Yes* | Accredited auditors | None (market consequences) |
| PCI DSS | Standard | PCI SSC | Contractual | Card brands & banks | USD 100K/month + liability |
| NIST CSF | Framework | NIST (US Gov) | Yes | None | None |
| SOC 2 | Attestation | AICPA | Yes | CPA firms | None (market consequences) |
| CMMC | Certification | US DoD | No** | C3PAOs and DoD assessors | Loss of contract eligibility |
* ISO 27001 is voluntary unless referenced by a regulation (e.g., NIS2) or required by contract. ** CMMC is mandatory only for DoD contractors and subcontractors whose contracts carry a CMMC requirement.
The Evolving Landscape
The cybersecurity governance landscape is growing rapidly. According to UNCTAD and IAPP data, 144 countries had enacted comprehensive data protection laws by the end of 2024 — up from 120 in 2017. The ISO Survey shows ISO 27001 certifications worldwide have grown from approximately 31,910 in 2018 to 96,709 in 2024, a compound annual growth rate exceeding 20%.
Key Milestones
| Year | Milestone | Significance |
|---|---|---|
| 1996 | HIPAA enacted (US) | First major health data protection law |
| 2004 | PCI DSS v1.0 released | Payment industry self-regulation begins |
| 2005 | ISO/IEC 27001 published | First international ISMS standard |
| 2014 | NIST CSF v1.0 released | US voluntary cybersecurity framework |
| 2016 | GDPR adopted / NIS1 adopted | EU data protection and cybersecurity eras begin |
| 2018 | GDPR becomes enforceable | Global benchmark for privacy regulation |
| 2022 | DORA & NIS2 adopted / ISO 27001:2022 | EU cybersecurity regulatory wave accelerates |
| 2024 | NIST CSF 2.0 / CRA adopted / CMMC finalised | Standards and regulations converge globally |
| 2025 | DORA operational / CMMC in contracts | Enforcement begins for newest frameworks |
| 2027 | CRA full application | Product cybersecurity becomes law in the EU |
Several trends are shaping the future:
Management accountability is expanding. NIS2 requires management bodies to approve and oversee cybersecurity risk-management measures, makes them liable for infringements, and allows supervisors to temporarily bar executives of essential entities from managerial functions; DORA makes the management body responsible for defining, approving and overseeing the ICT risk-management framework. This shifts cybersecurity from a technical concern to a board-level governance responsibility.
Supply chain security is becoming a regulatory requirement, not just a best practice. DORA mandates oversight of critical ICT third-party providers, CRA requires security throughout the product lifecycle, and NIS2 explicitly addresses supply chain risk in its security requirements.
Regulatory convergence is increasing. Organisations operating across multiple jurisdictions face overlapping requirements from GDPR, NIS2, DORA, and sector-specific regulations. The trend is toward integrated compliance programmes that map common controls across frameworks rather than managing each regulation in isolation.
At Orizon, we help organisations navigate this complexity by building unified compliance programmes that distinguish between what is legally required, what is contractually expected, and what is strategically valuable — ensuring that every investment in governance serves multiple objectives simultaneously.
Sources and Further Reading
This article draws on the following authoritative sources:
- TFEU Article 288 — EUR-Lex
- GDPR (Regulation EU 2016/679) — EUR-Lex
- NIS2 (Directive EU 2022/2555) — EUR-Lex
- DORA (Regulation EU 2022/2554) — EUR-Lex
- CRA (Regulation EU 2024/2847) — EUR-Lex
- HIPAA — HHS.gov
- ISO/IEC 27001:2022 — ISO.org
- PCI DSS — PCI Security Standards Council
- NIST CSF 2.0 — NIST.gov
- SOC 2 Trust Services Criteria — AICPA
- CMMC Program — DoD CIO
- ISO Survey (certification statistics) — ISO.org
- Global data protection laws — UNCTAD
- EU Harmonised Standards — European Commission