Regulatory requirements are crucial. 

Companies should keep in mind the legal and regulatory requirements when adopting security measures, developing their cybersecurity policy and responding to cyberattacks. 

When conducting investigations, regulators will most likely consider these matters in assessing the level of compliance and cybersecurity maturity of a company. 

Take as an example an Incident Response Policy. Even if not expressly indicated as mandatory under the GDPR, the recent guidance of the EDPB on how to manage data breaches makes express reference to a company's Data Breach Handling Policy. So this is a requirement that data protection authorities will most likely scrutinise in case of a breach.

Learn more on this topic by reading the key takeaways from our "Not If But When" Global Cybersecurity Update in our Deciphering Data Webinar Series and this article on cybersecurity risk management by my colleagues Paul Glass and James Parker.