As regulatory frameworks such as NIS2, DORA and the EU AI Act begin to overlap, organisations face mounting pressure to rethink how governance, risk and compliance operates in practice. Riskonnect’s Sherry Dillon explains why traditional compliance approaches are no longer enough.

In association with Riskonnect

Organisations across Europe face a rapidly evolving regulatory landscape that is reshaping how governance, risk and compliance (GRC) functions operate in practice. As frameworks such as NIS2, DORA and the EU AI Act begin to take effect, risk leaders must contend not only with increasing regulatory scrutiny but also with the growing interconnection between regulatory regimes.

For many organisations, this represents a shift away from traditional compliance approaches based on discrete rules and siloed responsibilities. Instead, companies are being forced to rethink how risk oversight, accountability and decision making operate across the enterprise.


Sherry Dillon, executive product leader at Riskonnect, believes the most significant change is not simply the volume of regulation but the way different frameworks now intersect.

“The regulatory rigour is definitely increasing, but the bigger shift is that the environment itself is changing,” she says. “We are moving away from isolated compliance regimes into a much more interconnected model. Frameworks like DORA, NIS2 and the EU AI Act overlap in areas such as third-party oversight, incident reporting and board accountability. These are no longer separate checklists; they are part of an integrated regulatory environment.”

Overlapping regulations create new complexity

This convergence creates fresh challenges for organisations attempting to interpret and implement multiple frameworks simultaneously. Even where requirements appear to overlap, the practical steps required to comply with each regime may differ.

For GRC teams already under pressure, this environment is exposing weaknesses in how some organisations approach risk governance.

“One of the biggest pressure points right now is third-party and supply-chain risk,” Dillon explains. “Regulations like NIS2 and DORA push accountability outward across an organisation’s entire ecosystem, not just within internal operations. Many companies built their third-party risk management programmes for periodic due diligence, not for the level of continuous oversight regulators are now expecting.”

Regulators are also demanding faster responses when incidents occur, requiring organisations to escalate decisions and assess risks within tight reporting timelines.

“Regulators are looking for timely and defensible decisions,” Dillon says. “That means organisations need clear escalation paths and the ability to make risk decisions quickly. When timelines tighten under frameworks like DORA and NIS2, it often exposes gaps in internal processes that might previously have gone unnoticed.”

From compliance checklists to risk prioritisation

At the same time, emerging technology, and AI in particular, is adding a further layer of complexity to the regulatory picture.

“AI governance is challenging because it is new territory for everyone,” Dillon notes. “The EU AI Act is pushing organisations to build expertise very quickly. Teams are having to develop the technical fluency and governance frameworks needed to manage these risks in a proactive way.”

Yet Dillon warns that organisations risk falling into a compliance trap if they approach each new regulation independently.

“There is a real danger that organisations approach regulation as a checklist exercise,” she says. “Different departments run their own compliance activities in isolation, which leads to duplication and fragmented oversight.”

Instead, she argues that more mature organisations are starting with the underlying risks and mapping where regulatory requirements converge.

“The organisations that handle this best start with impact rather than the regulation,” Dillon explains. “They map where regulatory obligations overlap, for example around data protection, supply chain resilience or operational continuity. By identifying those convergence points, they can prioritise the risks that matter most instead of trying to tick every box independently.”

Board accountability rises

Another major shift is taking place at board level. Regulators increasingly expect senior leaders to take an active role in overseeing cyber resilience, operational risk and technology governance.

“The relationship between GRC teams and boards is evolving,” Dillon says. “Boards are no longer just receiving dashboards and reports. They need to understand the trade-offs involved in risk decisions and be actively involved in them, particularly because some frameworks introduce personal accountability for directors.”

This means GRC teams must rethink how they communicate risk information to leadership.

“Boards need information that helps them make decisions, not just data,” Dillon adds. “GRC teams should be presenting options and explaining the implications of those choices, rather than simply reporting metrics.”

As regulatory expectations intensify, Dillon says organisational readiness varies widely. Some firms are embedding governance, risk and compliance into strategic decision making, while others still treat it primarily as a reporting function rather than a tool to support leadership decisions.

These challenges, and the practical steps organisations can take to address them, will form the focus of an upcoming StrategicRISK webinar titled Strengthening GRC Under Evolving Regulatory Expectations, taking place on Thursday 12 March at 2pm (GMT).

The session will examine how organisations can navigate overlapping regulatory regimes such as NIS2, DORA and the EU AI Act, while strengthening governance structures, improving accountability and ensuring risk information supports timely decision making.

It will focus on practical steps organisations can take to identify regulatory overlaps, improve coordination across teams and ensure governance frameworks remain effective under increasing scrutiny.

You can register for the webinar here.