Summary
- IO says 85% of respondents felt prepared for new rules, but only 35% regarded their compliance model as fully scalable.
- The research covers 251 UK cybersecurity managers and senior practitioners.
- The findings reinforce the established difference between passing the next assessment and maintaining reusable operational controls.
UK organisations may feel broadly prepared for another wave of cybersecurity, data, and AI regulation while lacking compliance systems capable of absorbing those requirements without repeated manual projects, according to research published by governance provider IO.
IO, formerly known as ISMS.online, says 85% of respondents expressed confidence about upcoming regulatory obligations, but only 35% believed their existing compliance model was fully prepared and able to scale.
A further 50% said their approach was mostly ready but would require adjustment, while 15% expected more substantial changes. One-third of respondents considered human oversight necessary when complex regulation had to be interpreted.
The research covers 251 UK cybersecurity managers and senior practitioners, giving the findings a defined professional sample while leaving them subject to the normal limitations of vendor-sponsored polling. The percentages indicate how respondents view their own programmes rather than independently measuring the effectiveness of those controls.
Readiness depends on the question being asked
An organisation can be prepared for a known deadline in the narrow sense that it has assigned a project, hired advisers, or completed a gap assessment. A scalable model requires reusable controls, clear ownership, reliable evidence, continuous monitoring, and processes capable of accommodating overlapping requirements.
That distinction helps explain the contrast between high general confidence and much lower confidence in the underlying operating model. Teams may believe they can complete the next project while recognising that every additional framework produces another spreadsheet, evidence request, policy review, and audit cycle.
The regulatory workload is cumulative. UK organisations can encounter data-protection law, operational-resilience rules, customer security requirements, and standards such as ISO 27001, while businesses operating in the EU may also face NIS2, DORA, the AI Act, and the Cyber Resilience Act depending on their activities.
Those requirements overlap without becoming interchangeable. A control governing supplier access may support several frameworks, while each regime can still impose different scope, reporting, documentation, and accountability duties. Scalable compliance means mapping common controls once and reusing evidence without pretending that every legal obligation is identical.
Software cannot interpret the organisation on its own
Compliance platforms can collect evidence, monitor configurations, map controls, and alert teams when a document or system changes. They are less dependable when deciding how an ambiguous rule applies to a particular product, operating model, contractual relationship, or risk appetite.
Experienced practitioners remain necessary to interpret exceptions, examine whether an automated recommendation fits the organisation, and recognise when formal conformity would still leave an operational weakness. Their judgement connects the language of a framework with the way a service actually works.
Executive accountability also matters because compliance decisions involve cost and trade-offs. A security team can identify that a supplier lacks sufficient assurance, but someone with commercial authority must decide whether to delay the contract, accept the exposure, or fund another route.
The IO results reinforce an established market direction rather than showing that scalable compliance has suddenly become a new concern. Organisations have spent years trying to move from annual audit work towards continuous controls and integrated risk management, while expanding cyber and AI rules increase the cost of leaving that transition incomplete.
Standards can provide useful structure. ISO 27001 supports an information-security management system, while related standards address privacy, continuity, and AI management. Certification records that a system has been assessed at a point in time, however, rather than guaranteeing that controls remain effective or can absorb new requirements without additional work.
The supplier’s commercial interest should also remain visible because IO sells technology and services designed to make compliance processes more adaptable. That does not invalidate the research, but it makes sample disclosure, questionnaire wording, and evidence from outside the vendor’s own market proposition particularly important.
Operational readiness can be tested through a practical sequence: identify the obligation, assign an owner, alter the relevant control, produce reliable evidence, and continue operating without rebuilding the programme. Companies that can complete that sequence will still need software and skilled people, but they will spend less time recreating the same assurance work under a different framework name.










