For Chief Information Officers across Europe, the digital transformation journey presents a complex balancing act. The escalating landscape of cyberthreats, coupled with increasingly stringent EU regulations, demands a robust approach to both compliance and resilience. Yet, the imperative to innovate and drive business value through digital initiatives remains paramount. How can CIOs effectively navigate this intricate environment, ensuring adherence to evolving legal frameworks and bolstering defences against sophisticated attacks, all without stifling the momentum of crucial digital transformation projects?
Our EU CIO Editor puts this critical question to six leading voices in the European technology landscape. Join us as we unpack the key considerations for ensuring compliance, building resilience and fostering innovation as integral components of a successful digital transformation strategy in the European Union.
Q: In the context of tightening EU regulations and increasing cyberthreats, how can CIOs ensure compliance, resilience and innovation without slowing down Digital Transformation initiatives?
Martin Schirmer, GVP NEMEA at Cloudera, says:
CIOs are under growing pressure to accelerate digital transformation while navigating an increasingly complex regulatory and threat landscape. Technologies like AI are unlocking powerful new ways to automate, analyse and innovate, but their deployment comes with high stakes. In this climate, innovation can’t be allowed to outpace governance.

With new regulations such as the EU AI Act and DORA coming into effect, the risks extend beyond fines or audits. A single misstep in security or compliance can damage operational resilience, erode customer trust and stall strategic momentum. With the uncertainty surrounding today’s digital economy, trust is everything. That’s why cybersecurity, compliance and governance can’t be treated as afterthoughts. CIOs must ensure they are worked into the innovation process from the outset.
The good news for CIOs is that compliance doesn’t have to slow innovation down. In fact, it can be a catalyst for better, more sustainable progress. CIOs who embrace security and governance as core components of their digital strategy set their organisations up for long-term success. This mindset shift can turn regulatory requirements into a booster for innovation, not a roadblock.
One of the biggest challenges CIOs face as a result of these new technologies is the explosion of data across environments. AI relies on vast amounts of data that is created, stored and processed across on-premises systems and multiple cloud platforms. Managing this complex and fragmented landscape securely and consistently is no small feat – which is why a unified data platform is becoming increasingly essential. By providing a single, secure layer to manage, govern and access data, these platforms help simplify compliance, enable real-time decision-making, and reduce the risk of data silos or policy gaps.
However, the path to resilience and innovation isn’t just technical – it’s also cultural. The most successful CIOs empower people, as well as platforms. That means fostering openness to change, promoting collaboration between generations and cultivating an environment where data is seen as a shared strategic asset – not just a technical concern. Unlocking AI’s full potential starts with democratising access to quality, trusted data and embedding a governance mindset across teams.
Ultimately, success comes down to building and maintaining trust. If CIOs ensure security and governance are embedded into every new process and technology rollout, they can remain compliant, confidently push forward with innovation, and continue to transform at speed.
Nick Harris, CISO of Assured, says:
CIOs are stuck in a three-way tug of war. Cyberthreats are more advanced. Regulators are tightening the screws, with different EU countries interpreting DORA differently and the UK’s Cyber Security and Resilience Bill around the corner, and the board still expects digital transformation to move faster than ever. Can the CISO have the answer? Always: security should be the focus, but compliance can be the outcome (not the goal) and unlock these challenges.

So how can we do that without causing friction to business?
Assess once, report many
Use tooling that maps your controls across NIS2, DORA, GDPR, the UK Cyber Security and Resilience Bill and whatever lands next. This way you assess a control once and report many times. When a new regulation drops, it can be added to your current control mapping without needing to start from scratch. Audit fatigue is real and I feel for IT control owners having to share evidence repeatedly. Smart GRC platforms let you prove once, report many times.
Model the real threats
Threat modelling to determine how best to frame the security is essential and should cover business attractiveness to attackers as well as regulatory risk, operational downtime, reputational damage and third-party exposure. Your model needs to factor brand impact and customer churn to tell the whole story.
Drop the tech. Focus on value
The board does not care about patch cycles or CVSS scores. They care about how risk affects delivery, growth and reputation. This is your chance to show cybersecurity as a revenue generator as well as a loss preventer. Granted, it’s more applicable to B2B, but consumers can care about trust in their data. Frame the conversation around:
- Regulatory fine avoidance (e.g. ‘This investment helps prevent £17 million in potential GDPR exposure’)
- Operational continuity (e.g. ‘This reduces the risk of supply chain downtime which would delay delivery by two weeks and cause £2 million of lost revenue’)
- Revenue protection (e.g. ‘A breach here risks losing our top five enterprise customers worth £8.5 million annually’)
Cut friction, not corners
Security that slows people down gets bypassed. Prioritise controls that work behind the scenes or enhance user flow. Single sign-on. Windows Hello so you can go passwordless. Device trust. Automated policy enforcement. This gives teams the freedom to move fast without leaving the door open.
Done right, security keeps you safe and the side-effect of compliance shows you’re consistent, prepared and serious. It makes conversations with the board easier. It strengthens customer confidence. It gives transformation a solid foundation.
The organisations that get this right are not the ones slowing down to tick boxes. They are the ones moving faster because security is part of the engine, not something strapped on the back.
Matt Riley, Director for Information Security, Sharp UK/Europe, says:
In the context of tightening EU regulations and increasing cyberthreats, CIOs face the challenging task of ensuring compliance, resilience and innovation without slowing down digital transformation initiatives. The key to achieving this balance lies in putting people first. Team members can ultimately be a company’s strongest assets or weakest links. Without their buy-in, ensuring compliance and resilience while encouraging innovation is an impossible task.

People often do what they want to do, not necessarily what they need to do. Therefore, a CIO’s role is about building a culture where people want to contribute to compliance and resilience. This involves highlighting the importance of processes and procedures and telling relatable stories that resonate with team members. For instance, recent events involving companies like M&S and Co-Op serve as powerful examples of how cyber incidents can impact individuals and their roles. By sharing these stories, CIOs can help build a sense of ‘want’ rather than just ‘need’ among team members. Once this culture is in place, people become proactive in their approach, which leads to a speeding up of digital innovation. They understand the reasons behind the necessary steps and can contribute to the success of the initiatives. This proactive mindset is crucial for navigating the complexities of increasing regulations and cyberthreats.
With the growing number of regulations, it is also essential to demonstrate the positives and tell related stories. For example, CIOs can highlight how being early adopters of new regulations can provide a competitive advantage over competitors. This positive approach helps in gaining buy-in for the necessary changes and investments in technology, training, and leveraging cloud solutions.
A practical example of this approach can be seen in our marketing team at Sharp. They engage, are willing to learn – and take a proactive approach, making innovation quicker and easier while still complying with various pieces of legislation. This demonstrates that with the right culture and mindset, compliance and resilience can go hand in hand with innovation.
Investing in employee training and awareness is another critical step as human error remains one of the leading causes of cybersecurity breaches. In fact, according to Sharp’s own research of over 11,000 employees in Europe, including 1,000 in the UK, almost half (43%) haven’t had any form of cybersecurity training over the past year and 16% have never received any at all, highlighting its importance. To mitigate this risk, CIOs must prioritise employee training and awareness programmes.
Overall, CIOs can ensure compliance, resilience and innovation without slowing down Digital Transformation initiatives by putting people first. Building a culture where team members want to contribute to compliance and resilience, sharing relatable stories, and demonstrating the positives of new regulations are key strategies. With this approach, technology, training, and leveraging cloud solutions can follow, making it easier to gain buy-in and achieve success.
Paul Inglis, General Manager of EMEA at Ping Identity, says:
As cyberattacks grow in frequency and sophistication, and as regulations – particularly across the EU – become more demanding, CIOs are under mounting pressure. For organisations in high-risk sectors like financial services, manufacturing and healthcare, achieving compliance while maintaining innovation is no longer optional – it’s a strategic imperative. The key lies in strengthening digital operational resilience.

Central to this strategy are Identity and Access Management (IAM) and Zero Trust security models. These have evolved from technical solutions into strategic enablers. IAM not only secures access to sensitive systems but also supports compliance through real-time monitoring and incident response. When combined with a Zero Trust approach – based on the principle of ‘never trust, always verify’ – they help organisations adapt to the new threat landscape and regulatory environment.
The increasing reliance on digital systems has amplified both efficiency and risk. In sectors like financial services, even brief downtime can be disastrous – causing unauthorised access, customer lockouts, or data breaches that erode trust and invite regulatory scrutiny. In this high-stakes context, regulatory frameworks like the EU’s Digital Operational Resilience Act (DORA) are both a challenge and an opportunity: a catalyst for organisations to build resilience, maintain customer confidence and accelerate digital transformation.
Converged IAM solutions are particularly well-suited to this task. By embedding identity and access controls into the core of digital infrastructure, they enhance both security and compliance. For example, DORA mandates timely reporting of IT incidents. IAM systems with behavioural analytics and threat detection can identify suspicious activity – such as credential misuse or unusual login patterns – then trigger automated responses, notify internal teams and regulators and generate full audit trails. This proactive posture not only meets compliance requirements but also strengthens operational readiness.
Moreover, IAM and Zero Trust frameworks provide a foundation for scalable, future-proof security architecture. As organisations continue to expand cloud adoption, integrate AI tools, and enable remote workforces, secure identity becomes the linchpin of safe and agile operations. For CIOs, aligning cyber resilience strategies with regulatory obligations is no longer just about protection – it’s a driver of trust, innovation, and long-term business growth.
Tom Ashcroft, CISO of Unit4, says:
In a world with AI being pushed on all fronts, further increasing the rate of change, CIOs across Europe face a multifaceted challenge: driving digital transformation while ensuring compliance with tightening regulations, which are all designed to force companies to act on increasing cyberthreats.

Work as a cohesive collective across your entire organisation to embed compliance into transformation from the start
Legal teams must be scanning the horizon and understand what is coming next. CIOs need to form tight alliances across all departments to ensure that information is converted into actionable items. Compliance should never be treated as a check-box exercise or an afterthought. It must be integrated into every stage of digital initiatives.
Embrace Secure-by-Design architectures
To counter rising cyberthreats while maintaining transformation speed, CIOs must modernise infrastructure, understand their unique attack chains and apply tailored security principles. There is no universal solution – each environment has its own weaknesses. Strong foundations remain key: know your estate and manage assets to ensure clear roles, responsibilities and ownership. A business-aligned risk management process provides direction.
Leverage automation and AI for risk and compliance – but make sure the brakes work before going too fast
Automation is a CIO’s ally in managing complexity. AI-driven governance, risk and compliance (GRC) platforms can continuously monitor for regulatory changes and detect early signs of non-compliance or threat exposure. Automated controls validation, data mapping and policy enforcement reduce manual overheads while improving accuracy and audit readiness. However, with AI it is paramount to ensure the basics are in place first with correct Access Control, Data Labeling, Data Loss Prevention and overarching Governance to ensure that no sensitive data is exposed.
Drive innovation through controlled experimentation
Digital transformation need not be stifled by regulation; if anything, smart governance can be a catalyst. CIOs should foster a culture of innovation within ‘safe zones’ such as sandboxes, digital twins, or isolated cloud environments. These controlled environments allow rapid experimentation without introducing undue risk. Innovations can be iteratively hardened and scaled once they meet compliance and security thresholds.
Build Cyber Resilience as a strategic capability
Cyber-resilience is no longer a defensive posture but a business enabler. CIOs must invest in adaptive capabilities like cyberthreat intelligence, incident simulation and cross-functional crisis playbooks. It is important that resilience capabilities get as much attention as defence, as breaches need to be considered a when, rather than an if.
Prioritise data governance and ethics
As transformation initiatives become increasingly data-driven, CIOs must address ethical data use and privacy. A well-governed data architecture with clear ownership, lineage, and purpose limitations supports compliance while enabling trusted analytics and AI.
CIOs who proactively align transformation with regulation and resilience will gain competitive advantage. By embedding compliance, embracing security, and empowering innovation, they can lead their organisations with confidence through the twin challenges of tightening EU oversight and a relentless cyber threat landscape.
Richard Ford, Chief Technology Officer at Integrity360, says:
CIOs face the challenge of maintaining compliance and resilience without slowing digital transformation. It comes amid rising regulatory pressure and an evolving cyber threat landscape. The solution lies in reframing cybersecurity as a core enabler of innovation and not an obstacle.

Regulatory compliance has long been one of the key drivers in cybersecurity, in many cases shaping cybersecurity programmes in order to gain and maintain compliance. Sometimes treated as a box ticking exercise, compliance frameworks should form the minimum standard of what we do. Regulatory frameworks, such as DORA and NIS2, have been put in place to harmonise the approach to cyber security across the EU and ensure a healthy level of security maturity and build resilience to attack.
Alongside compliance demands, organisations face relentless cyberthreats. High-profile attacks, particularly in sectors like retail, highlight the scale and impact of breaches. Cyber-resilience must be built into the business from the start, not bolted on later. That means embedding controls early in the design process and ensuring they evolve as the organisation and its technology stack grows.
The key is implementing controls as frictionlessly as possible, not just to enable digital transformation efforts but also to discourage users from circumventing them and introducing risk. CIOs and security leaders need to encourage working together with stakeholders to understand what they need to achieve, their outcomes, rather than security being siloed and blindly enforced. Security must be the enabler for organisations to help deliver on these outcomes, not a blocker. That is what frictionless security means.
Everyone needs to understand their accountability. Secure-by-design must be the cornerstone of any initiative building cyber resilience into the solution from the ground up. The retrofitting of security controls is a sure-fire way to add friction and either slow or impede efforts to transform.
With the availability of cloud platforms, and the ease of implementing them, the threat of shadow IT and supply chain risks is on the rise. This not only puts data at risk as it walks out of the organisation into third-party platforms, but also raises the risk of compromise. Third-party platforms and integrations are one of the top risks we should be concerned about. Third parties need to be managed, assessed and their risk mitigated.
AI represents a similar dilemma. It offers significant productivity benefits but also presents new security concerns. Tools like ChatGPT can help users and IT teams alike, but if misused, they can expose sensitive data. Too often, users don’t realise that uploading internal information can put it in the public domain. Organisations must provide clear guidance, training and security controls that enable the secure use of AI while protecting corporate data.
CIOs can maintain momentum in digital transformation by embedding compliance and resilience into the fabric of their strategies. By leveraging automation, aligning with business goals and fostering a security-first culture, they can turn regulatory pressure and rising threats into opportunities for sustainable, secure innovation.
Ellen Benaim, CISO of Templafy, says:
Culture is at the heart of any successful digital transformation. When CIOs build a culture where security, innovation, and compliance are seen as partners rather than obstacles, everything moves faster, and more securely. Embedding security from the start gives product and engineering teams the freedom to innovate with confidence. It’s not about saying ‘no’ to new ideas, but about creating the conditions for those ideas to scale safely. One of the most effective ways to do this is by embedding security champions within delivery teams and fostering open, cross-functional collaboration between IT, privacy, legal and business leaders.

With EU regulations like NIS2 and DORA raising expectations, compliance can’t just be a checkbox exercise anymore. It has to be continuous, embedded, and visible. That’s where automation plays a vital role. Automating compliance reporting, KPIs and audit evidence gives leaders real-time insight and helps teams stay focused on what matters: building and delivering value. Whether it’s automating DPIAs or incident response workflows, the right tooling can make compliance a background process, not a blocker.
At the same time, we have to be clear-eyed about the threat landscape. AI-powered attacks are making credential theft, phishing and lateral movement faster and harder to spot. It’s not a matter of if you’ll be targeted – it’s when. That’s why resilience needs to be baked in from the beginning. An ‘assume breach’ mindset means your recovery plans need to be tested, your playbooks rehearsed and your executive teams looped in. Incidents aren’t edge cases anymore – they’re part of the business reality. Being ready to respond is as important as trying to prevent them.
We also need to ensure that any regulation and security measures support growth to allow for innovation and development for digital transformation initiatives. Cybersecurity should be integrated seamlessly into the business growth strategy, enabling secure innovation throughout the development process. Embedding security into the design and development of new technologies early on, adopting scalable cloud-based protections and fostering a culture of security awareness across all departments can mitigate risks without stifling progress. Close collaboration between IT and the business department is essential to ensure that security frameworks support, rather than obstruct, the deployment of new digital tools, platforms, and processes.
As organisations modernise, security has to scale with them. That means embracing identity-first strategies like Conditional Access, zero-trust architecture and zero-touch provisioning. Done right, these approaches don’t slow teams down; they actually improve the user experience and reduce complexity. People want to get their work done securely, from wherever they are. Our job is to make that seamless.
In the end, getting this right isn’t about choosing between compliance, resilience, or innovation – it’s about making sure they move forward together. The companies that will thrive in this new era are the ones that treat trust as a product feature, not just a policy. When you build a culture of security, automate the right things and plan for disruption, you can move fast and stay safe.