EU/Property Sector 4 May 2026: EDPB CEF 2026 coordinated enforcement — GDPR transparency obligations audited by 25 DPAs; real estate and property management firms included in cross-sector scope; DORA: financial entities in property/mortgage sector — BaFin ICT risk inspections Q1/Q2 2026; EU AI Act: property valuation and tenant-screening AI systems may qualify as high-risk under Annex III — conformity assessment deadline 2 Aug 2026; NIS2: property management platforms with digital infrastructure above thresholds now in scope; CISA/NCSC advisory: SOHO router/IoT device exploitation — estate agents and SMEs particularly exposed; CNIL France €42M FREE Mobile fine Jan 2026 — Art.32 security obligations now actively enforced; EU Digital Omnibus: proposes NIS2 compliance simplification for 28,700+ smaller entities (EDPB/EC/ANSSI/CNIL/CISA/NCSC, 4 May 2026) EU Estates 1 May 2026: DORA extended supplier chain obligations affect PropTech/estate management ICT providers — EBA/ENISA joint examination on 19-CTPP register underway; NIS2 audit deadline 30 Jun 2026 — building automation systems and smart-building controllers now in scope; EDPB CEF 2026 transparency sweep includes real-estate platforms with behavioural profiling; CISA/NCSC China-nexus botnet advisory relevant to OT/BMS environments. (EBA/ENISA/EDPB/CISA/NCSC, 1 May 2026) EU estates PM update 30 Apr 2026: EDPB Guidelines 2/2026 on smart-building biometric access — 6-week consultation window closes 11 June 2026; property-sector operators with facial-recognition entry systems or biometric time-attendance must submit responses and begin DPIAs now. CRA vulnerability reporting obligations confirmed 11 Sep 2026 — HVAC, BMS, smart-lock, and access-control vendors have 134 days to establish PSIRT contact and assess in-scope product status. eIDAS2 EU Digital Identity Wallets: December 2026 go-live confirmed — LP, fund-administration, and property-management platforms must model NIS2/DORA identity-intersection risk and update KYC/AML workflows. EDPB-EDPS Joint Opinion 4/2026: single EU data-breach notification entry point proposed — asset management and fund-administration operators would benefit from reduced cross-border reporting complexity (EDPB/EC/ENISA, 30 Apr 2026) EU estates Thursday 30 Apr 2026: EDPB Guidelines 2/2026 on smart-building biometric access — 6-week consultation closes 11 June 2026; property-sector operators advised to submit before end May. CRA vulnerability reporting obligations confirmed 11 Sep 2026 — HVAC/BMS/smart-lock vendors have 134 days to assess in-scope product status and establish PSIRT contact. EU AI Act Digital Omnibus legal scrubbing complete — journal publication target June 2026; Annex III high-risk AI deadline confirmed 2 Dec 2027 — building-management AI using biometric or automated decisions must begin compliance audits now. EDPB-EDPS Joint Opinion 4/2026 on Cybersecurity Act 2: single-entry point for data-breach notification proposed — affects asset management and fund-administration operators. eIDAS2 digital identity wallets go-live December 2026 — LP/fund-admin identity verification workflows need assessment (EDPB/EC/ENISA, 30 Apr 2026) EU estates Monday open 27 Apr 2026: EDPB Guidelines 2/2026 on smart-building biometric access — 6-week public consultation now OPEN; AI Act Digital Omnibus 2nd political trilogue TOMORROW (28 Apr) with NIS2 targeted amendments on same agenda — property-sector operators in scope as essential-entity candidates monitoring outcome; LP data-room quarterly attestation cycle opens this week — DORA-equivalence cryptographic controls now expected by EU-domiciled fund administrators; CJEU C-446/25 (landlord data retention) advocate-general opinion scheduled Q3 2026; CRA vulnerability reporting obligations confirmed 11 Sep 2026 — HVAC/BMS vendors must assess in-scope product status now (EDPB/EC/CJEU/ENISA, 27 Apr 2026) EU estates close 24 Apr 2026: EDPB Guidelines 2/2026 on smart-building biometric access — draft open for 6-week consultation; ENISA Thursday briefing confirms physical-cyber convergence in critical-infrastructure directive scope — HVAC/BMS vendors now in NIS2 essential-service supply chain; CJEU C-446/25 on landlord data retention periods listed for H2 2026 (EDPB/ENISA/CJEU, 24 Apr 2026) Estates & Property Thursday 23 Apr 2026 — NIS2 commercial property operator scoping guidance expected from EC Q2 2026 following Digital Omnibus trilogue (T-5); ICO precedent on property-tech data-room breach disclosure continues to harden in UK enforcement trajectory; LP quarterly data-room security attestation cycle opens this week with DORA-equivalence controls now expected for EU-domiciled fund administrators; quantum-safe transition cryptographic inventory T-9 months for long-lease archives (CNSA 2.0 / NCSC 2031 migration horizon); CYBERUK 2026 real-estate roundtable Day 3 (EC/ICO/NCSC/CNSA, 23 Apr 2026) EU/EMEA 22 Apr 2026: EDPB plenary IN SESSION — binding decisions on DPC AI-training Art. 60 cluster + dark-pattern/Art. 25 guidance adoption expected this afternoon; ENISA CRA single reporting portal technical workshop live with MS readiness now 73% (+2 since Mon); EBA DORA quarterly oversight review T-1 with register at 25 providers (EDPB/ENISA/EBA, 22 Apr 2026) EU 21 Apr 2026: EDPB finalises 22 Apr plenary agenda with draft binding decision on cross-border health-platform Art. 60 case; ENISA CRA single reporting portal benchmark up to 73%; EBA critical ICT TPP register grows to 25; EC pre-trilogue technical meeting Wednesday ahead of 28 Apr trilogue (EDPB/ENISA/EBA/EC, 21 Apr 2026) EU EDPB 20 Apr 2026: 22 Apr plenary agenda includes two Art. 60 binding decisions and dark-pattern/Art. 25 privacy-by-design guidance EU ENISA 20 Apr 2026: CRA single reporting portal technical readiness benchmark at 71% across member states; 8 still behind schedule EU EBA 20 Apr 2026: DORA critical ICT third-party designation register grows to 23 providers (from 19 in March) — concentration oversight active EU AI Act 20 Apr 2026: Digital Omnibus political trilogue confirmed for 28 Apr — amendment list circulated among Council, Parliament, and Commission delegations DORA: In force 17 Jan 2025 — Active enforcement: on-site ICT risk inspections and third-party oversight reviews underway (ESAs, 2026) NIS2: First audits due 30 Jun 2026 — Q1 2026 penalties issued in EU; 14 of 27 EU states now transposed; EU Digital Omnibus trilogue scheduled 28 Apr 2026 — proposes deadline extensions and compliance simplifications for 28,700 companies; Ireland NIS2 Bill H1 2026 amid EC infringement proceedings (Skadden/EC, Apr 2026) EU AI Act: High-risk AI obligations deadline 2 Aug 2026 — EU Digital Omnibus proposes delay to Dec 2027; CRA vulnerability reporting starts 11 Sep 2026 (EC/Hogan Lovells, Apr 2026) Global Breach Cost: $4.44M average — 241 days to detect & contain; AI-augmented attack surface expanding (IBM/Ponemon, 2026) CISO Personal Liability: NIS2 Art.20 + SEC/DOJ precedent — Director accountability now statutory in EU (2025–2026) Ransomware: Q1 2026: 2,165 victims (+18.5% annualised); March 2026: 808 victims; week 11–17 Apr: 185 incidents — Apr 13 saw 46 new victims in 24 hours; Qilin/DragonForce drive 21% of weekly volume; 7,500+ on leak sites 2025 (+58% YoY); attacks 4× faster; 80% AI-enabled; 87.6% double extortion (BlackFog/BreachSense/Unit42/Emsisoft/Ransom-DB, Apr 2026) Geopolitical CNI: CISA AA26-097a (7 Apr 2026) — Iranian-affiliated APT targeting internet-exposed PLCs in US water/wastewater and CNI sectors; 75+ Unitronics HMI devices compromised. Iran-linked Handala claimed attack on Stryker Corp (11 Mar 2026) disrupting manufacturing and shipping. Volt Typhoon maintains 5+ yr persistence across US energy/water/transport CNI (CISA/FBI/Palo Alto, Apr 2026) Supply Chain: 1,700+ malicious packages across npm/PyPI/Go/Rust (North Korea); kube-health-tools Kubernetes tunnel implant campaign active Apr 2026; Axios/TeamPCP hit 60+ packages — CISA KEV Fortinet CVE-2026-35616 (Datadog/Zscaler/CISA, Apr 2026) UK Online Safety Act: full enforcement 2026 — UK CS&R Bill expanding NIS Regulations to digital supply chains; PSTI Act fines up to £10M or 4% turnover for non-compliant IoT (Ofcom/DSIT, Apr 2026) Patch Tuesday Apr 2026: 167 vulns patched — CVE-2026-32201 SharePoint zero-day actively exploited; Cisco 4 critical flaws in Identity Services & Webex enabling code execution (Microsoft/Cisco, 19 Apr 2026) Data Breaches Apr 2026: ShinyHunters leak 78.6M Rockstar Games records via Snowflake auth tokens; 13.5M McGraw Hill accounts stolen via Salesforce breach (Integrity360/SharkStriker, Apr 2026) Insider & NHI Risk: $19.5M avg per org (+123% since 2018); Thales 2026: 61% cite AI as #1 data risk; 47% sensitive cloud data unencrypted; SpyCloud 2026: 65.7B identity records recaptured (+23% YoY), 18.1M exposed API keys; IBM X-Force: 300,000+ ChatGPT credentials exposed (Proofpoint/IBM/Thales/SpyCloud, Apr 2026) NCSC UK (7 Apr 2026): APT28 / Russian GRU exploiting compromised internet routers for DNS hijacking — intercepting credentials, tokens, and email traffic across UK personal networks; immediate router patching and credential rotation advised (NCSC, Apr 2026) Belgium NIS2 Audit Window OPEN (18 Apr 2026) — first EU member state to hit hard NIS2 conformity assessment deadline; essential entities now require BELAC-accredited Conformity Assessment Body sign-off (CCB Belgium, Apr 2026) GDPR Enforcement: CNIL fines Free Mobile €27M for failing to protect 24M subscriber contracts (Oct 2024 breach); UK ICO fines Reddit £14M for child safety/age-check failures — regulators applying upper Article 83 range to systemic failings (CNIL/ICO, Apr 2026) Live Breaches Wk of 14–19 Apr: Basic-Fit (200K NL members + 1M bank details exposed); Booking.com customer reservation data breach notified 12 Apr; Zerion crypto wallet device compromise — ~$100K stolen 16 Apr (BreachSense/SharkStriker, Apr 2026) ENISA 2026 Risk Landscape Report (Apr 2026): availability/DDoS and ransomware top operational threat categories; threat-actor convergence accelerating — same vulnerability chains active across financially and ideologically motivated campaigns (ENISA, Apr 2026) France: CNIL maintient une cadence de sanctions élevée — €27M Free Mobile + €15M Free (Jan 2026), €5M France Travail (Jan 2026), €325M Google (Sep 2025); ANSSI accélère la transposition NIS2 française et la préparation des entités essentielles aux audits 2026 — fenêtre belge ouverte le 18 avril 2026 sert de référence opérationnelle (CNIL / ANSSI / CCB Belgique, avr. 2026) 900 Peer-reviewed governance frameworks · Retained across Tier-1 boards · Contract-winning evidence chains

EU estates PM update 30 Apr 2026: EDPB Guidelines 2/2026 on smart-building biometric access — 6-week consultation window closes 11 June 2026; property-sector operators with facial-recognition entry systems or biometric time-attendance must submit responses and begin DPIAs now. CRA vulnerability reporting obligations confirmed 11 Sep 2026 — HVAC, BMS, smart-lock, and access-control vendors have 134 days to establish PSIRT contact and assess in-scope product status. eIDAS2 EU Digital Identity Wallets: December 2026 go-live confirmed — LP, fund-administration, and property-management platforms must model NIS2/DORA identity-intersection risk and update KYC/AML workflows. EDPB-EDPS Joint Opinion 4/2026: single EU data-breach notification entry point proposed — asset management and fund-administration operators would benefit from reduced cross-border reporting complexity (EDPB/EC/ENISA, 30 Apr 2026) EU estates close 24 Apr 2026: EDPB Guidelines 2/2026 on smart-building biometric access — draft open for 6-week consultation; ENISA Thursday briefing confirms physical-cyber convergence in critical-infrastructure directive scope — HVAC/BMS vendors now in NIS2 essential-service supply chain; CJEU C-446/25 on landlord data retention periods listed for H2 2026 (EDPB/ENISA/CJEU, 24 Apr 2026) Estates & Property Thursday 23 Apr 2026 — NIS2 commercial property operator scoping guidance expected from EC Q2 2026 following Digital Omnibus trilogue (T-5); ICO precedent on property-tech data-room breach disclosure continues to harden in UK enforcement trajectory; LP quarterly data-room security attestation cycle opens this week with DORA-equivalence controls now expected for EU-domiciled fund administrators; quantum-safe transition cryptographic inventory T-9 months for long-lease archives (CNSA 2.0 / NCSC 2031 migration horizon); CYBERUK 2026 real-estate roundtable Day 3 (EC/ICO/NCSC/CNSA, 23 Apr 2026) EU/EMEA 22 Apr 2026: EDPB plenary IN SESSION — binding decisions on DPC AI-training Art. 60 cluster + dark-pattern/Art. 25 guidance adoption expected this afternoon; ENISA CRA single reporting portal technical workshop live with MS readiness now 73% (+2 since Mon); EBA DORA quarterly oversight review T-1 with register at 25 providers (EDPB/ENISA/EBA, 22 Apr 2026) EU 21 Apr 2026: EDPB finalises 22 Apr plenary agenda with draft binding decision on cross-border health-platform Art. 60 case; ENISA CRA single reporting portal benchmark up to 73%; EBA critical ICT TPP register grows to 25; EC pre-trilogue technical meeting Wednesday ahead of 28 Apr trilogue (EDPB/ENISA/EBA/EC, 21 Apr 2026) DORA: In force 17 Jan 2025 — Active enforcement: on-site ICT risk inspections and third-party oversight reviews underway (ESAs, 2026) NIS2: First audits due 30 Jun 2026 — Q1 2026 penalties issued in EU; 14 of 27 EU states now transposed; EU Digital Omnibus trilogue scheduled 28 Apr 2026 — proposes deadline extensions and compliance simplifications for 28,700 companies; Ireland NIS2 Bill H1 2026 amid EC infringement proceedings (Skadden/EC, Apr 2026) EU AI Act: High-risk AI obligations deadline 2 Aug 2026 — EU Digital Omnibus proposes delay to Dec 2027; CRA vulnerability reporting starts 11 Sep 2026 (EC/Hogan Lovells, Apr 2026) Global Breach Cost: $4.44M average — 241 days to detect & contain; AI-augmented attack surface expanding (IBM/Ponemon, 2026) CISO Personal Liability: NIS2 Art.20 + SEC/DOJ precedent — Director accountability now statutory in EU (2025–2026) Ransomware: Q1 2026: 2,165 victims (+18.5% annualised); March 2026: 808 victims; week 11–17 Apr: 185 incidents — Apr 13 saw 46 new victims in 24 hours; Qilin/DragonForce drive 21% of weekly volume; 7,500+ on leak sites 2025 (+58% YoY); attacks 4× faster; 80% AI-enabled; 87.6% double extortion (BlackFog/BreachSense/Unit42/Emsisoft/Ransom-DB, Apr 2026) Geopolitical CNI: CISA AA26-097a (7 Apr 2026) — Iranian-affiliated APT targeting internet-exposed PLCs in US water/wastewater and CNI sectors; 75+ Unitronics HMI devices compromised. Volt Typhoon maintains 5+ yr persistence across US energy/water/transport CNI (CISA/FBI/Palo Alto, Apr 2026) Supply Chain: 1,700+ malicious packages across npm/PyPI/Go/Rust (North Korea); kube-health-tools Kubernetes tunnel implant campaign active Apr 2026 (Datadog/Zscaler/CISA, Apr 2026) UK Online Safety Act: full enforcement 2026 — UK CS&R Bill expanding NIS Regulations to digital supply chains (Ofcom/DSIT, Apr 2026) Patch Tuesday Apr 2026: 167 vulns patched — CVE-2026-32201 SharePoint zero-day actively exploited (Microsoft/Cisco, 19 Apr 2026) Data Breaches Apr 2026: ShinyHunters leak 78.6M Rockstar Games records; 13.5M McGraw Hill accounts stolen (Integrity360/SharkStriker, Apr 2026) Insider & NHI Risk: $19.5M avg per org (+123% since 2018); Thales 2026: 61% cite AI as #1 data risk (Proofpoint/IBM/Thales/SpyCloud, Apr 2026) NCSC UK (7 Apr 2026): APT28 / Russian GRU exploiting compromised internet routers for DNS hijacking — intercepting credentials, tokens, and email traffic across UK personal networks; immediate router patching and credential rotation advised (NCSC, Apr 2026) Belgium NIS2 Audit Window OPEN (18 Apr 2026) — first EU member state to hit hard NIS2 conformity assessment deadline; essential entities now require BELAC-accredited Conformity Assessment Body sign-off (CCB Belgium, Apr 2026) GDPR Enforcement: CNIL fines Free Mobile €27M for failing to protect 24M subscriber contracts (Oct 2024 breach); UK ICO fines Reddit £14M for child safety/age-check failures — regulators applying upper Article 83 range to systemic failings (CNIL/ICO, Apr 2026) Live Breaches Wk of 14–19 Apr: Basic-Fit (200K NL members + 1M bank details exposed); Booking.com customer reservation data breach notified 12 Apr; Zerion crypto wallet device compromise — ~$100K stolen 16 Apr (BreachSense/SharkStriker, Apr 2026) ENISA 2026 Risk Landscape Report (Apr 2026): availability/DDoS and ransomware top operational threat categories; threat-actor convergence accelerating — same vulnerability chains active across financially and ideologically motivated campaigns (ENISA, Apr 2026) France: CNIL maintient une cadence de sanctions élevée — €27M Free Mobile + €15M Free (Jan 2026), €5M France Travail (Jan 2026), €325M Google (Sep 2025); ANSSI accélère la transposition NIS2 française et la préparation des entités essentielles aux audits 2026 — fenêtre belge ouverte le 18 avril 2026 sert de référence opérationnelle (CNIL / ANSSI / CCB Belgique, avr. 2026) 900 Peer-reviewed governance frameworks · Retained across Tier-1 boards · Contract-winning evidence chains

ISO 27001 · ISO 42001 · ISO 22301 · NIST CSF 2.0 · NIST 800-53 · DORA · NIS2

ISO Strategy

ISO & NIST Framework Delivery for Boards, Regulators, and CNI Operators

End-to-end implementation of ISO 27001:2022, ISO 42001:2023, ISO 22301, and the NIST Cybersecurity Framework — designed to withstand regulatory scrutiny, board examination, and audit-grade evidence demands across regulated and sovereign environments.

ISO 27001:2022 ISO 42001:2023 ISO 22301 ISO 31000 NIST CSF 2.0 NIST SP 800-53 Rev 5 NIST SP 800-171 NIST AI RMF DORA NIS2 EU AI Act GDPR / UK GDPR

Request Briefing → View Credentials →

Framework Coverage

Full-spectrum ISO and NIST delivery

Each framework below is delivered from design through certification-readiness — with board-survivable evidence chains at every stage.

ISO 27001:2022

Information Security Management System

Annex A control implementation, gap analysis, SoA production, risk treatment plans, and certification audit support. Designed to align with DORA and NIS2 supervisory expectations from day one.

Scope definition & context of organisation
Risk register design & treatment plans
Statement of Applicability (SoA)
Internal audit programme & management review
Certification readiness & CB liaison

ISO 42001:2023

AI Management System

The first international standard for AI governance. Model inventory, impact assessment, bias testing, and transparency documentation aligned to EU AI Act Article 9 requirements.

AI system inventory & risk classification
AI impact assessments (AIIA)
Model accountability & transparency docs
EU AI Act high-risk system registration
Certification-readiness pathway

ISO 22301

Business Continuity Management

BIA-driven BCMS implementation, recovery time objectives, crisis decision hierarchies, and DORA-aligned operational resilience testing programmes for regulated institutions.

Business Impact Analysis (BIA)
Recovery Time & Point Objectives (RTO/RPO)
Crisis communication plans
BC testing & exercise programmes
DORA operational resilience alignment

ISO 31000

Risk Management Framework

Enterprise risk governance architecture aligned to ISO 31000 principles — integrated with DORA ICT risk requirements, NIS2 proportionate risk management, and board risk appetite frameworks.

Risk appetite & tolerance setting
Risk register design & KRI libraries
Board risk reporting architecture
Third-party & supply chain risk (TPRM)
Integration with ISO 27001 risk treatment

NIST CSF 2.0

Cybersecurity Framework

Full GOVERN → IDENTIFY → PROTECT → DETECT → RESPOND → RECOVER implementation. Current-state profiling, target-state definition, and prioritised gap closure roadmaps for boards and regulators.

Current & target profile development
Gap analysis & prioritised roadmap
GOVERN function implementation (new v2.0)
Board-level CSF dashboard & KPIs
Cross-mapping to ISO 27001 & DORA

NIST SP 800-53 Rev 5

Security & Privacy Controls

Control selection, tailoring, and implementation guidance for high-baseline environments. Baseline selection through to FedRAMP-equivalent assurance for regulated financial services, defence, and CNI operators.

Control baseline selection & tailoring
Security control assessment (SCA)
System Security Plan (SSP) development
Plan of Action & Milestones (POA&M)
Continuous monitoring programme design

NIST SP 800-171

CUI Protection Framework

Controlled Unclassified Information (CUI) protection for organisations operating in defence supply chains, government contracting, and aerospace environments with DFARS compliance obligations.

CUI boundary definition & inventory
110-control assessment & gap closure
System Security Plan (SSP)
CMMC alignment pathway
Supplier chain CUI propagation controls

NIST AI RMF

AI Risk Management Framework

GOVERN · MAP · MEASURE · MANAGE lifecycle implementation for enterprise AI programmes. Cross-mapped to ISO 42001, EU AI Act, and DORA AI incident obligations.

AI risk categorisation & taxonomy
AI impact assessment methodology
AI incident classification & response
Trustworthy AI characteristics audit
Cross-mapping to EU AI Act & ISO 42001

Delivery Evidence

What delivery looks like in practice

Representative outcomes — client identifiers withheld. Full references available under NDA to authorised counterparties.

⚡

ISO 27001 Transformation: 147 → 12 Findings

Delivered full ISMS overhaul for Tier-1 financial institution. Reduced audit backlog from 147 findings to 12 in 84 days. Board KPI dashboard. Zero supervisory findings across 3 review cycles.

🤖

ISO 42001 Pioneer: 0 → 214 AI Models Governed

Built AIMS from baseline for enterprise AI programme. Full model inventory, risk classification, accountability maps, and EU AI Act Article 9 alignment. First-pass certification readiness achieved.

🛡️

NIST CSF 2.0: Regulated Enterprise Profile

Current-state assessment and target-state roadmap for European regulated enterprise. GOVERN function gap closure. Board-level CSF dashboard. Cross-mapped to DORA and NIS2 obligations.

📋

NIST 800-53: Defence-Adjacent Programme

High-baseline control implementation for organisation with defence supply chain obligations. SSP developed, POA&M tracked, continuous monitoring programme designed.

🔄

ISO 22301: DORA Operational Resilience

BCMS aligned to DORA Chapter III resilience testing requirements. BIA, RTO/RPO calibration, crisis decision hierarchy, and threat-led penetration testing programme design.

🌐

Multi-Framework: ISO 27001 + DORA + NIS2

Integrated control architecture bridging ISO 27001, DORA, and NIS2 for Eurozone systemic bank. Single evidence repository, unified risk register, and consolidated board reporting.

Sector Coverage

Delivered across regulated sectors and sovereign environments

🏦

Financial Services

Banking · Insurance · Payments · Capital Markets

🏛️

Regulators

FCA · PRA · ECB-supervised institutions

✈️

Aerospace & Defence

Sovereign programmes · Defence supply chain

🚀

Space

Space sector security frameworks

⚡

Energy & CNI

Critical national infrastructure operators

🏥

Healthcare & Public Sector

NHS-adjacent · HIPAA/HITECH · Public authorities

🚂

Transport & Aviation

Rail · Aviation · Ports

🔒

Law Enforcement

Government agencies · Security services

Philosophy

"Cybersecurity is a team sport. ISO and NIST frameworks only hold under scrutiny when the entire organisation — board, C-suite, operations, and supply chain — owns the evidence chain together."

— Kieran Upadrasta · Principal Cyber Architect

Engage

Mandate-grade ISO and NIST delivery

I accept 2–3 mandates per calendar year. Engagement requires executive authority or board resolution. No junior delegation. Principal-delivered from briefing to certification.

Request a Private Briefing → View Full Credentials → CISO Advisory →

Live Standards & Regulatory Horizon

ISO Strategy — current signal stack

Curated each day from authoritative sources (ISO, NIST, ENISA, ESAs, ICO, NCSC). The signal pool refreshes nightly; the daily slate is selected deterministically so two readers on the same date see the same brief.

Updated 2026-05-25

2026-Q2 NIST

NIST CSF 2.0 GOVERN — supply-chain risk taxonomy in board-line outcomes

GOVERN tier elevates organisational context, risk management strategy and supply chain to first-class CSF outcomes — Board oversight evidence now expected at audit.

2026-Q2 NCCoE

PQC migration mapped to CSF 2.0 + 800-53 Rev 5

NCCoE migration capabilities cross-mapped to CSF 2.0 outcomes and SP 800-53 R5 controls — a single inventory→target view boards can sign off.

2026-Q3 NIST

NIST AI 800-1 — Generative AI Risk Profile

NIST AI 800-1 layers generative-AI specific risks atop the NIST AI RMF — actionable mapping into ISO 42001 control objectives now possible.

2026-Q2 NIST

FIPS 203 / 204 / 205 finalised — production-ready quantum-safe algorithms

ML-KEM, ML-DSA and SLH-DSA are published. NIST timeline: legacy algorithms deprecated 2030, disallowed 2035. CNSA 2.0 mandates federal acquisitions PQC-compliant by 2027.

2026-Q2 ENISA

AI red-teaming technical guidance for high-risk systems

Standardised methodology supports ISO 42001 control 8.2 and EU AI Act Article 15 robustness testing — bridges security testing into AI governance.

2026-Q2 ISO

ISO 42001:2023 — accredited certification market now active

First wave of accredited certification bodies offering ISO 42001 AIMS audits; enterprises adopting in tandem with EU AI Act Article 9 readiness.

Signal pool refreshed by kie_master_daily.py Phase 26. Methodology: curated synthesis from ISO / NIST / ENISA / ESAs / ICO / NCSC primary sources.

Contact Email Direct

ISO & NIST Framework Delivery for Boards, Regulators, and CNI Operators

Full-spectrum ISO and NIST delivery

Information Security Management System

AI Management System

Business Continuity Management

Risk Management Framework

Cybersecurity Framework

Security & Privacy Controls

CUI Protection Framework

AI Risk Management Framework

What delivery looks like in practice

Delivered across regulated sectors and sovereign environments

Mandate-grade ISO and NIST delivery

ISO Strategy — current signal stack

Privacy Policy

Terms of Service

Cookie Policy

Web Accessibility Statement

Human Rights & Modern Slavery Statement

Professional Code of Conduct

Help

Site Requirements

Search Tips

Browser & Mobile

Print & Save

Accessibility

Sitemap & Discovery

Contact & Feedback

Connect

Legal Disclaimer

Provision of Services — Regulatory Information