RegNorth · EU Regulatory Intelligence

Your Guide to the
EU Compliance Landscape

RegNorth is your practitioner-built navigator for EU cybersecurity law. Click any regulation to explore timelines, compliance steps, and actionable guidance — built by a security professional, for security professionals.

8 regulations · 2014–2027 timeline · 40+ compliance steps
  • 📋 8 Regulations
  • 📡 ENISA-Sourced Data
  • Instant Compliance Guidance
  • 🗓️ Full Regulatory Timelines
  • 🔍 Built by a Security Expert
  • 🏛️ EU & US Frameworks
EU IT Regulations
Sukesh Barua — Founder & Information Security Expert
Experienced in Information Security, IT Compliance & Financial Compliance
Creator & Owner · RegNorth

Built by a Practitioner,
for Practitioners

Hello — I'm Sukesh Barua, an information security professional with deep, hands-on experience navigating the intersection of regulatory compliance, cybersecurity governance, and enterprise risk management. This portal was born from years of working in the trenches of compliance audits, policy reviews, and risk assessments — and the recurring frustration of not having a single, clear, practitioner-focused reference for the fast-evolving EU regulatory landscape.

My background spans financial sector compliance, cybersecurity policy, and enterprise risk frameworks. I have led and supported compliance programmes across highly regulated industries, working with auditors, regulators, and senior leadership to translate complex legal requirements into actionable security controls. I built this resource to make that same clarity available to every compliance and security professional navigating EU regulations.

Areas of Expertise
📋
SOX 404 Audit
Extensive experience in Sarbanes-Oxley Section 404 internal control evaluations — designing control frameworks, coordinating with external auditors, and supporting management's assessment of ICFR (Internal Control over Financial Reporting) for IT general controls and automated application controls.
🛡️
NIST CSF Mastery
Deep proficiency in the NIST Cybersecurity Framework — conducting maturity assessments, building target state profiles, mapping controls to the Govern / Identify / Protect / Detect / Respond / Recover functions (Govern was added in CSF 2.0), and communicating risk posture to executive stakeholders.
📜
Cybersecurity Policy Review
Drafting, reviewing, and rationalising enterprise information security policy suites — from acceptable use and access control policies through incident response and data classification frameworks — aligned to regulatory requirements and industry standards.
🔗
Third-Party Risk Assessment
End-to-end third-party risk management programmes covering vendor due diligence, security questionnaire design, on-site assessments, continuous monitoring frameworks, and contractual security requirements for critical and high-risk suppliers.
📊
FINRA Compliance
Practical experience with FINRA regulatory requirements in the broker-dealer environment — including cybersecurity obligations under FINRA Rule 4370 (BCP), data protection requirements, and coordination with FINRA examination processes for IT and security controls.
SEC Compliance
Practical experience with U.S. Securities and Exchange Commission (SEC) compliance requirements — including the SEC's 2023 cybersecurity rules on risk management, strategy, governance, and incident disclosure (material-incident reporting on Form 8-K Item 1.05 within four business days of a materiality determination, and annual disclosures under Regulation S-K Item 106), and aligning IT security controls with SEC examination expectations.
About This Portal

The RegNorth platform was designed with one purpose: to give information security and compliance professionals a fast, reliable, practitioner-oriented reference for the EU's growing body of cybersecurity regulation. Every regulation is curated from official ENISA and EU legislative sources, with compliance guidance written from the perspective of someone who has actually implemented these controls in real organisations.

This is a living resource. As EU regulations evolve — and they evolve quickly — the portal will be updated to reflect the latest implementing acts, ENISA technical guidance, and enforcement trends. It is not a substitute for qualified legal advice, but it is the starting point I wish I had had throughout my career.

Have a question or want to collaborate? Whether you're navigating a compliance programme, preparing for a regulatory audit, or building a cybersecurity policy framework — feel free to reach out.

Get in Touch →
🔍 Knowledge Hub

IT Audits & Information Security

A practitioner's reference to core IT audit methodologies, information security domains, and the frameworks that underpin modern cybersecurity compliance programmes.

Core Information Security Domains
🔐
Access Control & Identity
Managing who can access what — the foundation of every information security programme. Covers authentication, authorisation, and privilege management.
  • Role-Based Access Control (RBAC) design
  • Multi-Factor Authentication (MFA) implementation
  • Privileged Access Management (PAM)
  • Periodic access reviews and recertification
  • Identity Governance & Administration (IGA)
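The periodic access review in the list above is, in practice, a reconciliation of the identity system against the HR roster. The script below is an added example (not the portal's code) of that reconciliation: it flags leavers with enabled accounts, accounts with no HR owner, privileged members without MFA, and dormant accounts. The group names, the 90-day dormancy threshold and the sample exports are constructed assumptions, not values taken from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Account:
    """One row of an IAM export (constructed shape, not a real product's schema)."""
    user_id: str
    groups: FrozenSet[str]
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never logged in


@dataclass(frozen=True)
class Finding:
    user_id: str
    code: str
    detail: str


# Hypothetical policy parameters: which groups count as privileged, and when
# an unused account is treated as dormant. Adjust to your own access policy.
PRIVILEGED_GROUPS = frozenset({"domain-admins", "db-admins", "prod-deployers"})
DORMANT_AFTER = timedelta(days=90)


def review_access(roster: Dict[str, str], accounts: List[Account], review_date: date,
                  privileged_groups: FrozenSet[str] = PRIVILEGED_GROUPS,
                  dormant_after: timedelta = DORMANT_AFTER) -> List[Finding]:
    """Reconcile IAM accounts against the HR roster and return review exceptions.

    roster maps user_id -> HR status ("active" / "terminated"); an account with
    no roster entry is an orphan (service account without an owner, or a stale
    joiner/leaver feed) and must be explicitly owned or disabled.
    """
    findings: List[Finding] = []
    for acct in accounts:
        status = roster.get(acct.user_id)
        privileged_memberships = acct.groups & privileged_groups

        if status is None:
            findings.append(Finding(acct.user_id, "ORPHAN",
                                    "no matching HR record; confirm owner or disable"))
        elif status == "terminated":
            findings.append(Finding(acct.user_id, "TERMINATED_ACTIVE",
                                    "leaver still holds an enabled account"))

        if privileged_memberships and not acct.mfa_enrolled:
            findings.append(Finding(acct.user_id, "PRIVILEGED_NO_MFA",
                                    f"member of {sorted(privileged_memberships)} without MFA"))

        if acct.last_login is None:
            findings.append(Finding(acct.user_id, "DORMANT", "never logged in"))
        elif review_date - acct.last_login > dormant_after:
            idle_days = (review_date - acct.last_login).days
            findings.append(Finding(acct.user_id, "DORMANT",
                                    f"last login {acct.last_login.isoformat()} ({idle_days} days ago)"))

    return sorted(findings, key=lambda f: (f.user_id, f.code))


# Constructed sample exports for illustration only.
REVIEW_DATE = date(2025, 3, 31)
HR_ROSTER = {"alice": "active", "bob": "active", "carol": "terminated", "dave": "active"}
IAM_ACCOUNTS = [
    Account("alice", frozenset({"developers"}), True, date(2025, 3, 26)),
    Account("bob", frozenset({"domain-admins"}), False, date(2025, 3, 21)),
    Account("carol", frozenset({"finance"}), True, date(2024, 12, 1)),
    Account("dave", frozenset({"developers", "prod-deployers"}), True, date(2024, 12, 20)),
    Account("svc-backup", frozenset({"db-admins"}), False, None),
]

if __name__ == "__main__":
    for f in review_access(HR_ROSTER, IAM_ACCOUNTS, REVIEW_DATE):
        print(f"{f.user_id:<12} {f.code:<20} {f.detail}")
```

Each finding maps to a recertification decision an owner must record (disable, re-enrol MFA, confirm continued need), which is the evidence an auditor asks for when testing the review control.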
🛡️
Security Risk Management
Identifying, assessing, and treating cybersecurity risks in a structured and repeatable way — aligned to NIST CSF, ISO 27005, and regulatory requirements.
  • Risk identification and threat modelling
  • Qualitative and quantitative risk assessment
  • Risk treatment (mitigate, accept, transfer, avoid)
  • Risk register maintenance and reporting
  • NIST CSF maturity assessment
🚨
Incident Response
Preparing for, detecting, containing, and recovering from cybersecurity incidents — with regulatory notification obligations under NIS2, DORA, and GDPR.
  • Incident Response Plan (IRP) development
  • SIEM alerting and triage workflows
  • NIS2 / DORA / GDPR notification timelines
  • Post-incident root cause analysis
  • Tabletop exercises and simulation drills
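The three notification regimes in the list above run on different clocks from different trigger events, and an incident can be in scope of all three at once. The following is an added example (not the portal's code) that lays the deadlines out from a single "became aware" timestamp: NIS2 Article 23(4) (24-hour early warning, 72-hour notification, final report one month after the notification), GDPR Article 33(1) (72 hours to the supervisory authority), and DORA Article 19 as detailed in its reporting RTS (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after awareness, intermediate report 72 hours after the initial one, final report one month after the intermediate one). The article references and timings are my reading of the texts; "one month" is computed as a calendar month, and the sample timestamps are constructed. Verify against the regulation, your national transposition and your competent authority's guidance before relying on it.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Deadline:
    regime: str
    report: str
    due: datetime


def plus_one_month(ts: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of the target month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def notification_plan(aware_at: datetime, *, nis2_significant: bool = False,
                      personal_data_breach: bool = False,
                      dora_classified_at: Optional[datetime] = None) -> List[Deadline]:
    """Return every regulatory deadline triggered by this incident, earliest first.

    aware_at: when the entity became aware of the incident.
    nis2_significant: incident meets the NIS2 'significant incident' threshold.
    personal_data_breach: personal data affected, so GDPR Art. 33 applies.
    dora_classified_at: when the incident was classified as major under DORA
        (None if DORA does not apply or the incident is not major).
    """
    plan: List[Deadline] = []

    if nis2_significant:
        notification = aware_at + timedelta(hours=72)
        plan += [
            Deadline("NIS2", "early warning (Art. 23(4)(a))", aware_at + timedelta(hours=24)),
            Deadline("NIS2", "incident notification (Art. 23(4)(b))", notification),
            Deadline("NIS2", "final report (Art. 23(4)(d))", plus_one_month(notification)),
        ]

    if personal_data_breach:
        plan.append(Deadline("GDPR", "supervisory authority (Art. 33(1))",
                             aware_at + timedelta(hours=72)))

    if dora_classified_at is not None:
        if dora_classified_at < aware_at:
            raise ValueError("classification cannot precede awareness")
        # 4 hours from classification, but the 24-hour cap from awareness wins
        # if classification was slow: the clock cannot be reset by classifying late.
        initial = min(dora_classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
        intermediate = initial + timedelta(hours=72)
        plan += [
            Deadline("DORA", "initial notification (Art. 19(4)(a))", initial),
            Deadline("DORA", "intermediate report (Art. 19(4)(b))", intermediate),
            Deadline("DORA", "final report (Art. 19(4)(c))", plus_one_month(intermediate)),
        ]

    return sorted(plan, key=lambda d: d.due)


def overdue(plan: List[Deadline], now: datetime) -> List[Deadline]:
    """Deadlines already passed at 'now' (for the incident commander's status board)."""
    return [d for d in plan if d.due < now]


# Constructed timestamps for illustration only (UTC).
AWARE_AT = datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc)
CLASSIFIED_AT = datetime(2025, 3, 3, 20, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for d in notification_plan(AWARE_AT, nis2_significant=True,
                               personal_data_breach=True, dora_classified_at=CLASSIFIED_AT):
        print(f"{d.due.isoformat()}  {d.regime:<5} {d.report}")
```

Note that the earliest deadline in the sample is DORA's, not NIS2's: a financial entity that takes most of the day to classify an incident as major still owes the initial notification within 24 hours of awareness, so the classification step itself needs a service-level target inside the incident process.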
🔗
Third-Party Risk Management
Managing cybersecurity risks introduced by vendors, suppliers, and cloud service providers. NIS2 requires supply-chain security measures (Article 21(2)(d)), DORA sets out ICT third-party risk management (Chapter V), and the Cyber Resilience Act obliges manufacturers to exercise due diligence over third-party components they integrate into their products.
  • Vendor due diligence and security assessments
  • Security questionnaire frameworks (SIG, CAIQ)
  • Contractual security requirements and SLAs
  • Continuous monitoring and annual reviews
  • DORA ICT third-party risk management
☁️
Cloud Security
Securing cloud environments across IaaS, PaaS, and SaaS — aligned to the European Cybersecurity Certification Scheme for Cloud Services (EUCS, still a candidate scheme under the Cybersecurity Act at the time of writing) and to each provider's shared responsibility model.
  • Cloud Security Posture Management (CSPM)
  • Shared responsibility model assessment
  • Data residency and sovereignty requirements
  • EUCS certification readiness (candidate scheme; track adoption status)
  • Zero Trust architecture principles
📋
Security Policy & Governance
Building and maintaining the policy framework that governs an organisation's information security programme — from acceptable use to data classification.
  • Information Security Policy Suite development
  • Data classification and handling frameworks
  • Security awareness training programmes
  • Board-level cybersecurity reporting
  • GRC platform implementation and management
🔄
Change Management
Ensuring all changes to IT systems, applications, and infrastructure are authorised, tested, and documented — a critical ITGC domain under SOX 404 and an expected part of the NIS2 risk-management measures.
  • Change Advisory Board (CAB) process design
  • Emergency change procedures and approval workflows
  • Segregation of duties between developers and production
  • Change documentation and audit trail requirements
  • Post-implementation review and rollback planning
💾
Backup & Recovery
Designing and auditing backup strategies and disaster recovery capabilities to ensure data availability and business continuity — required under NIS2 (Article 21(2)(c): business continuity, backup management and disaster recovery) and DORA (Article 12: backup, restoration and recovery policies and procedures).
  • Backup policy design (RTO, RPO definition)
  • Backup integrity testing and restoration drills
  • Offsite and cloud backup validation
  • Disaster Recovery Plan (DRP) audit and testing
  • Business Continuity Plan (BCP) alignment
🩹
Patch Management
Maintaining a systematic process for identifying, testing, and applying security patches across all systems — a core technical control required by NIS2, DORA, and the Cyber Resilience Act.
  • Vulnerability scanning and patch prioritisation
  • Patch deployment timelines by severity (CVSS)
  • Exception handling and compensating controls
  • End-of-life software identification and remediation
  • CRA vulnerability disclosure and patching obligations
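Prioritising by severity, applying an SLA per band, and tracking documented exceptions and end-of-life software are the mechanics behind the list above. The script below is an added example (not the portal's code) of a patch SLA tracker over a constructed scan export. The CVSS v3.1 qualitative bands are the ones from the specification; the SLA days per band, the finding titles, hosts and exception records are hypothetical and should be replaced by your own patch policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


def cvss_band(score: float) -> str:
    """CVSS v3.1 qualitative severity rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Hypothetical remediation SLA (calendar days from discovery) per severity band.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    host: str
    title: str
    cvss: float
    discovered: date
    end_of_life: bool = False  # vendor no longer ships patches for this software


@dataclass(frozen=True)
class RiskException:
    """A documented, time-limited acceptance with a named compensating control."""
    expires: date
    compensating_control: str


@dataclass(frozen=True)
class Triaged:
    finding_id: str
    band: str
    cvss: float
    due: Optional[date]
    status: str
    action: str


def triage(findings: List[Finding], exceptions: Dict[str, RiskException], today: date) -> List[Triaged]:
    """Assign each finding a due date and status; worst problems sort first."""
    out: List[Triaged] = []
    for f in findings:
        band = cvss_band(f.cvss)
        if band == "none":
            out.append(Triaged(f.finding_id, band, f.cvss, None, "INFORMATIONAL", "no action"))
            continue

        due = f.discovered + timedelta(days=SLA_DAYS[band])
        # EOL software has no vendor patch to apply: the remediation is an upgrade
        # or decommission, and it keeps the same clock as any other finding.
        action = ("upgrade or decommission (EOL, no vendor patch available)"
                  if f.end_of_life else "apply vendor patch")

        exc = exceptions.get(f.finding_id)
        if exc is not None and exc.expires >= today:
            status = "EXCEPTED"
            action = f"compensating control: {exc.compensating_control} (re-review by {exc.expires.isoformat()})"
        elif exc is not None:
            status = "EXCEPTION_EXPIRED"  # acceptance lapsed; treat as open and escalate
        elif due < today:
            status = "OVERDUE"
        else:
            status = "OPEN"
        out.append(Triaged(f.finding_id, band, f.cvss, due, status, action))

    rank = {"EXCEPTION_EXPIRED": 0, "OVERDUE": 1, "OPEN": 2, "EXCEPTED": 3, "INFORMATIONAL": 4}
    return sorted(out, key=lambda t: (rank[t.status], -t.cvss, t.due or date.max))


# Constructed sample scan export and exception register (illustration only).
TODAY = date(2025, 6, 30)
FINDINGS = [
    Finding("F-001", "web-01", "remote code execution in web framework", 9.8, date(2025, 6, 20)),
    Finding("F-002", "app-02", "privilege escalation in monitoring agent", 8.1, date(2025, 6, 25)),
    Finding("F-003", "db-03", "information disclosure via verbose errors", 5.3, date(2025, 6, 10)),
    Finding("F-004", "legacy-04", "auth bypass in unsupported appliance firmware", 7.5, date(2025, 5, 1), end_of_life=True),
    Finding("F-005", "kiosk-05", "weak TLS cipher suite enabled", 3.1, date(2025, 2, 1)),
    Finding("F-006", "web-01", "server banner reveals version", 0.0, date(2025, 6, 28)),
]
EXCEPTIONS = {
    "F-002": RiskException(date(2025, 9, 30), "host isolated in restricted VLAN, no inbound access"),
    "F-005": RiskException(date(2025, 6, 1), "kiosk network segmented"),
}

if __name__ == "__main__":
    for t in triage(FINDINGS, EXCEPTIONS, TODAY):
        print(f"{t.finding_id} {t.band:<8} {t.status:<18} due={t.due}  {t.action}")
```

The ordering is deliberate: an expired exception outranks even a critical overdue item, because it means a risk acceptance silently became an untracked open risk, which is the condition auditors test for under NIS2 and DORA vulnerability handling.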
IT Audit Methodology
📊
SOX 404 IT Audit
Evaluating Internal Control over Financial Reporting (ICFR) for IT General Controls and automated application controls under Sarbanes-Oxley Section 404.
  • IT General Controls (ITGC) evaluation
  • Change management control testing
  • Logical access control walkthroughs
  • Computer operations and job scheduling
  • Management's assessment coordination
🔎
Cybersecurity Audit
Independent assessment of an organisation's cybersecurity controls, policies, and practices against regulatory requirements and industry frameworks.
  • Gap analysis against NIS2 / DORA / GDPR
  • NIST CSF current-state assessment
  • Penetration testing coordination
  • Vulnerability management programme review
  • Security control design and effectiveness testing
🏦
Financial Compliance Audit
Assessing compliance with financial sector regulations — SEC cybersecurity rules, FINRA requirements, and DORA for firms operating in EU financial markets.
  • SEC Cybersecurity Disclosure Rule compliance
  • FINRA Rule 4370 (BCP) assessment
  • DORA ICT risk framework audit
  • Broker-dealer IT control evaluation
  • Regulatory examination preparation

Frameworks & Standards

NIST CSF 2.0
ISO/IEC 27001
ISO/IEC 27005
COBIT 2019
SOC 2 Type II
CIS Controls v8
NIST SP 800-53
ITIL 4
PCI DSS v4.0
ENISA Guidelines
SOX 404
FINRA Rules
SEC Cyber Rules
Zero Trust (NIST SP 800-207)
💡

Practitioner Perspective

Every framework, methodology, and control domain on this page reflects real-world audit and compliance experience — not textbook theory. The guidance here bridges the gap between what regulations require on paper and what effective implementation actually looks like inside an organisation. For tailored advice on your specific compliance programme, use the Get in Touch link above.