Compliance Became a Live Infrastructure Problem on Friday -- Most Businesses Are Still Running It Like a Spreadsheet


On April 18, 2026, NIS2 enforcement went live across the European Union. Three days later, a major compliance auditor announced native integration with a hyperscale cloud provider's compliance manager, pulling evidence from 35+ integrations automatically. The message was clear: compliance is an infrastructure function now, not a quarterly project.

Most businesses missed the memo. A survey of 670 business leaders across nine EU countries found that only 16% of in-scope organizations are actually compliant. 11% didn't even know NIS2 applied to them. And 40% of compliance teams are still tracking controls in spreadsheets.

That gap between what regulators now expect and how most companies actually operate is where the risk lives.

What changed on Friday

NIS2 replaces the original Network and Information Systems Directive with significantly broader scope and sharper teeth. It covers essential and important entities across energy, transport, health, digital infrastructure, and -- this is the new part -- managed service providers serving those sectors. If you're an MSP with EU clients, you're in scope regardless of your size or where you're headquartered.

The penalties follow the GDPR model. Fines up to 10 million euros or 2% of global turnover for essential entities. Personal liability for senior management. And there's precedent: Dutch authorities already fined a telecom 525,000 euros under the original NIS directive for slow incident reporting. NIS2 raises those stakes significantly.

Germany's BSI registration deadline for essential and important entities hit this month. Belgium has been enforcing since October 2024. This isn't theoretical anymore.

The spreadsheet problem

Here's what 40% of compliance teams are actually doing: maintaining a spreadsheet of controls, updating it before an audit, scrambling to collect evidence from six different systems, and hoping nothing changed between the last review and the auditor's visit.

That worked when compliance meant passing an annual check. NIS2 requires continuous risk management, incident reporting within 24 hours, and supply chain security assessments. You can't do continuous anything with a quarterly spreadsheet.

The numbers tell the story. 47% of organizations failed a formal audit two to five times in the past three years. 85% say compliance has grown more complex in three years. And NIS2 compliance costs SMEs between 50,000 and 300,000 euros, with 71% of enterprise companies spending over 100,000 per year on audits alone (Deloitte 2024 NIS2 Readiness Survey, Kiteworks).

The budget constraint is real. But most of that cost comes from the gap between how infrastructure is built and what compliance requires. If your systems weren't designed to produce compliance evidence, you're paying consultants to reverse-engineer it every audit cycle.

Compliance-as-code is moving, but slowly

Only 46% of CISOs have started implementing compliance-as-code, according to the 2025 State of Continuous Controls Monitoring Report. The infrastructure-as-code security market is growing at 20.8% CAGR to 7.6 billion dollars by 2033. Demand is real. Adoption is lagging.

The recent auditor-cloud integration announcement pointed at the actual shift happening. The auditor's CEO said it directly: "Cloud modernization only works when security, compliance, and trust are engineered into the program, rather than bolted on later." That's the key phrase. Engineered in, not bolted on.

A standalone compliance monitoring tool watches your infrastructure and generates evidence reports. That's useful. But if the infrastructure underneath wasn't built with compliance signals in mind, you're monitoring a non-compliant foundation and producing pretty reports about it.

The real shift is compliance becoming an infrastructure property, not a software layer sitting on top.

Why this is actually a market access story

Here's the angle most coverage misses. 75% of surveyed businesses see competitive advantage in compliance. Government contracts now require demonstrated cybersecurity maturity. Insurance carriers are tightening requirements -- major insurers routinely deny coverage to companies without MFA, endpoint detection, and incident response plans (Allianz Risk Barometer 2025).

The businesses that treat compliance as infrastructure capability aren't just avoiding fines. They're qualifying for contracts, insurance policies, and partnerships that their spreadsheet-driven competitors can't access.

NIS2 is accidentally creating a managed services boom. The 66% of organizations that can't manage compliance in-house aren't going to build that capability from scratch at 50,000 to 300,000 euros per implementation. They're going to buy infrastructure that comes with compliance built in.

What "built in" actually looks like

When compliance is an infrastructure property rather than an audit exercise, a few things change.

Security controls exist at the server level, not in a policy document. Default-deny firewall policies, automated patching, encrypted secrets management, access logging -- these produce compliance evidence as a byproduct of normal operation. You don't collect evidence before an audit. The evidence collects itself.

Incident detection and reporting timelines become a function of monitoring automation, not human observation. NIS2's 24-hour reporting window is impossible to hit consistently if your detection depends on someone noticing something in a dashboard.

Supply chain risk -- one of NIS2's biggest new requirements -- gets addressed through infrastructure isolation. Dedicated resources per client, no shared tenancy across customer environments, controlled access boundaries. The architecture itself is the compliance control.
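To make "the evidence collects itself" concrete, here is an added example (not code from this post or from any vendor it mentions) of two controls evaluated as code: a default-deny check over a constructed nftables-style ruleset, and the 24-hour early-warning window measured from detection to report. Each check returns a self-dated, machine-readable evidence record; the control labels, the ruleset and the timestamps are constructed for illustration.

```python
from datetime import datetime, timezone
# Constructed nftables-style ruleset (not from any real host): the input
# chain is default-deny, but the forward chain has drifted to accept.
SAMPLE_RULESET = """
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    tcp dport 22 ip saddr 10.0.0.0/8 accept
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
}
"""

def evidence(control: str, passed: bool, detail: str, now: datetime) -> dict:
    """One machine-readable evidence record; control labels are hypothetical."""
    return {"control": control, "passed": passed, "detail": detail,
            "collected_at": now.isoformat()}

def chain_policies(ruleset: str) -> dict:
    """Map each chain name to its default policy from an nft-style dump."""
    policies, chain = {}, None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("chain "):
            chain = line.split()[1]
        elif chain and "policy " in line:
            policies[chain] = line.split("policy ")[1].strip(" ;")
    return policies

def check_default_deny(ruleset: str, now: datetime) -> dict:
    """Control: every hook chain must default to drop/reject, never accept."""
    bad = sorted(c for c, p in chain_policies(ruleset).items() if p == "accept")
    return evidence("FW-DEFAULT-DENY", not bad,
                    "accept-by-default chains: " + (", ".join(bad) or "none"), now)

def check_reporting_window(detected_at: str, reported_at: str, now: datetime) -> dict:
    """Control: early warning sent within 24h of detection (ISO-8601 inputs)."""
    delay = datetime.fromisoformat(reported_at) - datetime.fromisoformat(detected_at)
    hours = delay.total_seconds() / 3600
    return evidence("IR-24H-WARNING", hours <= 24,
                    f"reported {hours:.1f}h after detection", now)

def evidence_bundle(ruleset: str, detected_at: str, reported_at: str) -> list:
    """Evidence collects itself: one self-dated record per control, no spreadsheet."""
    now = datetime.now(timezone.utc)
    return [check_default_deny(ruleset, now),
            check_reporting_window(detected_at, reported_at, now)]
```

Run on a schedule against live config and incident timestamps, the same records form an audit trail that shows drift (here, the forward chain) as it happens rather than at the next review.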

LTFI builds managed infrastructure this way. Every client deployment runs on isolated, hardened servers with automated security controls, continuous monitoring, and 30+ verification checks per deployment. Compliance signals are a property of the infrastructure, not a report generated after the fact.

That's the difference between a business that needs a 300,000 euro NIS2 project and one that inherits continuous compliance from the infrastructure it already runs on.

The window is closing

The FedRAMP 20x initiative in the US is pushing the same direction: machine-readable compliance evidence instead of narrative audit documents. 76% of CISOs say regulatory fragmentation is already impacting their ability to maintain compliance across jurisdictions (WEF Global Cybersecurity Outlook 2025).

This isn't a single regulation to comply with. It's a structural shift in how regulators, insurers, and enterprise buyers expect technology to work. The organizations that build on infrastructure designed for continuous compliance will spend their time winning contracts. The ones running spreadsheets will spend it explaining audit failures.

If your infrastructure doesn't produce compliance evidence by design, it's time to talk about infrastructure that does. Get your assessment and see where you stand.