Note: Nothing herein shall constitute legal advice, compliance directives, or otherwise. Customers and prospective customers should consult an attorney and/or other compliance professional regarding their organizations’ compliance obligations, including, without limitation, the regulations described herein.
We’re seeing a convergence of cyber defense forces unlike anything that came before it. Between ever-increasing data capture, escalating demand for insights, ballooning fraud and cybersecurity risks, and evolving regulatory controls, companies can feel stuck between a rock and a hard place. You need data to stay competitive – but every insight adds a layer of liability.
As newly enacted regulations like DORA and the EU AI Act, and updates to standards like PCI DSS and HIPAA continue to roll out, mid-market companies are finding themselves caught in the crosshairs. Their environments are often complex enough to attract scrutiny, but not always resourced enough to keep up – especially those with data spread across multiple jurisdictions.
Let’s talk about the challenges and what it takes to stay on top of this layered global regulatory landscape in 2025 and beyond.
The Challenge: Big Expectations, Limited Resources
For mid-market businesses, the pressure is on data managers: executives want insights, regulators want visibility, customers want resilience, fraudsters want access, and data managers just want to keep the lights on. With limited budgets and lean security teams, there’s only so much they can do.
Adding to the challenge is the fact that regulation isn’t always clear-cut. Take the EU AI Act: it’s already under fire for vague, impractical language that turns compliance into a game of juggling risks and degrees of liability more than a clear-cut achievement.
Companies with a digital footprint across regions like the U.S., EU, and beyond can find themselves facing conflicting or overlapping laws. Without the budget to keep attorneys on retainer by region or to staff cyber defense offices around the globe, it can feel like a losing battle. But all hope is not lost. With a bit of forethought and strategic prioritization, data and IT leaders can adopt practical strategies to balance the tension and stay abreast of relevant changes. Let’s talk about it.
Culture as the First Line of Defense
In 2025, it has never been clearer: cyber defense and regulatory compliance are everyone’s responsibility, not just IT and data teams. Breach after breach has proven that no matter how robust the technical controls are, your people remain both your greatest vulnerability and your first line of defense.
Basic compliance must be woven into organizational culture, not just to prevent attacks, but to soften the blow when human error occurs. Humans will always make mistakes, so the goal is also to reduce the risk of unintentionally violating increasingly strict global data laws when the inevitable happens.
To get full-company buy-in on organizational cyber defense and resilience strategies, a top-down and cross-functional approach is essential. This is especially important in global organizations where regional cultures may discourage admission of mistakes.
In many jurisdictions, delayed breach reporting can trigger regulatory penalties. Without a self-reporting structure championed by leadership, organizations become more vulnerable to attackers and regulatory enforcement.
When breaches and mistakes go unreported across time zones or are buried by fear of blame, everyone (except hackers) loses. Culture, not just controls, can be the difference between early detection and disaster, or quiet recovery and costly non-compliance.
So how do you embed compliance into daily operations and reinforce your second, third, and fourth lines of cyber defense?
Embedding Compliance into Daily Operations
Global compliance is no longer a static set of checkboxes – it’s a moving target. Today, staying ahead means building resilience into your operations, policies, strategy, and infrastructure.
New requirements will continue to emerge, existing regulations will evolve to meet the moment, and each jurisdiction will define success in each of these differently – sometimes in ways that conflict. For mid-market companies with globally distributed regulatory obligations, the goal is not and cannot be perfection. Instead, it’s to stay informed, properly prioritized, and flexible.
It’s important to understand that not all compliance requirements are created equal – some require infrastructure change, others force operational changes, and some can be met by following the intent of the regulation instead of the letter.
Here are some ways to get tactical about compliance, no matter how distributed your obligations are:
Prioritize with a Regulatory Risk Matrix
Every law can be ranked on factors like enforcement timelines, geographic scope (i.e., whether it is a local or global law), potential penalties, and required operational disruption. By graphing these on a matrix, you can easily prioritize where it makes more sense to allocate resources based on what matters most to your organization and exposure risk.
Consider Modularity
Each compliance tool is a “building block” that contributes to the whole picture. Instead of trying to tack on additional policies or tools for every new law, take a modular approach. Stand up core, reusable policies (e.g., breach reporting, audit trails, access controls) that can be tailored and customized by region without having to start over every time something new pops up.
Streamline with Strategic Automation
Mid-market businesses need their already under-resourced IT and data leaders focused on growth and innovation as much as possible. Getting bogged down with manual regulation tracking and reactive updates stretches already thin teams even further.
That’s why leveraging strategic automation and trusted intelligence resources is critical. Tools that monitor regulation changes, flag updates by region, and align documentation and workflows free up time and reduce error, helping organizations maintain compliance at scale across jurisdictions without derailing innovation.
Closing Thoughts: Compliance as a Strategy
If one thing is certain, the complexities aren’t going anywhere. Data volumes will continue to rise. Hackers will grow more sophisticated. Regulatory frameworks will evolve in speed, scope, and enforcement pressure.
For mid-market companies, the competitive edge will belong to those who treat compliance as a fundamental part of their operations, culture, and decision making, ensuring a regulatory focus from the ground up.
In today’s patchwork of global rules, resilience isn’t just about checking the right boxes. It’s about building an organization that’s agile, aware, and ready for what’s next.
About the Author
Kevin Landt is VP of Product for Cybersecurity Solutions at Thrive, where he brings over 20 years of technology experience to helping mid-size organizations manage their security risk. He was previously VP of Product Management at Cygilant (acquired by SilverSky Security) and held product leadership roles at Opsgenie (now part of Atlassian), Relativity, the market leader in eDiscovery, and Kanguru Solutions, an encryption and mobile device management provider. Kevin has a BS in Computer Systems Engineering from Boston University and earned his MBA at Babson College.
More information is available at the company website at Thrive