5 Most Common Mistakes Companies Make When Starting Their Compliance Journey

Implementing regulatory compliance, whether it concerns the European NIS2 Directive, DORA, or standards like ISO 27001, is becoming a daily reality for more and more companies. While large corporations usually have dedicated GRC teams (Governance, Risk and Compliance), mid-sized businesses often start from scratch. And it is in these early stages that mistakes frequently occur, which can significantly increase costs, slow down progress, or even prevent organisations from meeting legal obligations.

Our experience shows that the same mistakes tend to repeat. In this article, we highlight the most common ones and offer tips on how to avoid them.

1. Starting too late

Many companies postpone their first steps, assuming they will deal with it once the regulation becomes legally binding for them or once they "have the capacity." But implementing something like NIS2 is not a matter of days. These regulations are complex and usually require changes to existing processes, new technical measures, and employee training. From the first analysis of current systems to the finalisation of compliant documentation, it can take several months.

It’s also worth noting that cybersecurity experts are in short supply. Companies that start late may face serious delays simply due to a lack of qualified support.

Pro tip: Start with a compliance gap analysis. It will show you which regulatory requirements you already meet and where the gaps are. Based on this, you can identify priorities and begin planning your implementation.

2. Lack of clear strategy and accountability

Compliance often sounds like a legal or technical issue, but in reality, it's a project that requires structure, coordination, and clear responsibilities. Without a solid strategy, companies tend to jump between tasks, rewrite documentation multiple times, and end up with a disorganised and inefficient implementation.

Pro tip: Create a basic roadmap. Assign responsibilities: who will manage the overall project, who will handle documentation, who will cover technical measures, and who will communicate with staff. Even a small team can be highly effective with clearly defined roles.

3. Lack of cross-departmental collaboration

One of the most common mistakes is treating compliance as an IT issue. It’s not. NIS2 and similar regulations require a holistic approach: risk management, security policy, supplier governance, employee training, and incident response all play a role.

Pro tip: Involve stakeholders from across departments – IT, management, HR, legal. Everyone has a role in building and maintaining compliance. The earlier these perspectives are aligned, the less confusion there will be later in the process.

4. Failure to leverage modern technology

Many companies begin managing compliance in Excel spreadsheets – risk registers, task lists, documentation logs. This may work initially, but it becomes inefficient as the scope expands: spreadsheets have no version history, no clear ownership, and no reminders when a review or a training is overdue. Larger organisations and more complex requirements demand a more robust solution, and much of this work (tracking control status, collecting evidence, scheduling periodic reviews) can be automated today.

Pro tip: Automation is no longer just for large enterprises. Tools like AuditMaster.ai can save you significant time and effort. More importantly, they give you visibility, version control, and everything you need in one place – ready for audits or incidents whenever they occur.

5. Underestimating the importance of audits

An audit is not a formality. Having security measures in place is not enough: you must be able to show evidence that they are operated, maintained, and monitored on an ongoing basis, or you may be found non-compliant. Solid documentation and clearly defined processes and responsibilities are critical.

Pro tip: Record key activities from day one – policy approvals, training completion, internal reviews – each with a date and a named owner. Don't wait until the last minute to reconstruct this evidence.

How to approach compliance smartly?

Don’t treat compliance as a necessary evil. It is an investment in your company’s security, credibility, and long-term stability. Start early, plan strategically, involve the right people, and use modern tools that help you manage complex requirements with clarity and control.

If you don’t want to face this alone, the Whirr Crew team offers cybersecurity consulting services as well as outsourcing of key roles. We also developed the platform Auditmaster.ai, which makes the entire compliance journey more manageable.

Would you like to know what compliance could look like in your organisation? Get in touch with us.