Journal Entry N° 007 · 18 February 2026 · 7 min read

Simplifying the Weight of Tech Compliance

Rising EU tech regulation becomes manageable only when companies simplify control evidence. The answer is practical: in-control statements, one common controls framework, and a test-once-comply-many model that reduces duplicated compliance work.


Y · Why this matters. At altitude, the first question is Y: why are we here, and what happens if we do nothing? Bobbert argues that the surge in EU tech regulation is becoming a growth problem as well as a control problem. If companies keep treating compliance as paperwork bolted onto operations, supervisory bodies will drown in reviews and firms will keep carrying duplicated effort, scarce talent, and rising fines.

What the article finds. The article says the core problem is not the existence of regulation but the way compliance is evidenced and supervised. Enterprises now face overlapping obligations across GDPR, NIS2, DORA, and other frameworks. Supervisors face the same overlap, plus a shortage of skilled people. Bobbert’s answer is to shift from paper-heavy proof to proactive in-control statements that show whether controls, processes, capabilities, and structures are actually working.

He then adds a second move: test once, comply many. Because frameworks overlap, one parent control set can be mapped to multiple child requirements. Test the common control once, and much of the evidence burden falls away. The article argues that this should sit inside a top-down governance model, treating cyber reporting more like financial reporting, with accountability, periodic reporting, and board ownership.

Three takeaways.

  • Map overlapping regulations into one common controls framework before launching more local compliance work.
  • Require in-control statements that shift proof of compliance from the supervisor to the company.
  • Run tech compliance as an executive reporting discipline, not a legal afterthought.

The route. The route is an executive argument built from current EU regulation, supervisory practice, prior privacy research, and analogies to financial reporting reform. Its value lies in showing a usable operating model, not just another complaint about red tape.

Read the original: https://www.linkedin.com/pulse/how-companies-can-deal-increase-eu-tech-regulations-yuri-bobbert-n0jge/

https://isaca.nl/how-companies-can-deal-with-the-increase-of-eu-tech-regulations/