How to Prepare for a Compliance Audit: A Step-by-Step Guide for EU-Regulated Businesses


In a PwC survey of compliance decision-makers, 55 percent cited completing a regulatory audit as one of their most significant challenges. That number makes complete sense when you consider the complexity of the regulatory environment that EU businesses are operating in right now.

But a compliance audit does not have to be a crisis. It can actually be one of the most valuable things your business does all year, as long as you go in prepared. 

This guide will walk you through everything you need to know, from understanding what a compliance audit actually is, to building the kind of ongoing compliance culture that makes the next audit feel routine rather than terrifying.

Whether you are in financial services, gaming, or any other regulated sector operating under EU law, this is written for you.

What Is a Compliance Audit?

Let's start at the beginning, because this matters.

A compliance audit is the process of independently evaluating an organization to ensure that external rules, regulations and laws are being followed. It is a structured, formal review of your business's adherence to whatever legal, regulatory, or internal standards apply to your operations.

Importantly, a compliance audit is not the same as an internal audit. The most critical difference is that external professionals execute compliance audits. Outsiders are involved because regulatory organizations do not automatically trust regulated entities to assess their compliance posture. Compliance audits are carried out by independent assessors and generate unbiased results.

That independence is what gives a compliance audit its credibility, both with regulators and with your own stakeholders.

There are several types of compliance audits relevant to EU businesses. GDPR audits examine how you collect, store, process, and protect the personal data of EU residents, covering data protection measures, consent mechanisms, and how you handle data subject rights requests such as access, rectification, and deletion. AML (anti-money laundering) audits assess whether your financial crime controls are working. There are also cybersecurity audits under NIS2, operational resilience assessments under DORA for financial entities, and sustainability reporting audits under the CSRD, among others.

The scope depends entirely on your industry and the regulations that apply to you. Which brings us to an important first step.

Why Getting This Right Has Never Mattered More

Before we get into the how, let's be clear about the stakes. EU regulators are not softening their enforcement posture. They are intensifying it.

The seventh annual edition of DLA Piper's GDPR Fines and Data Breach Survey revealed another significant year in data privacy enforcement, with an aggregate total of €1.2 billion in fines issued across Europe in 2024. The total fines reported since the application of GDPR in 2018 now stand at €5.88 billion. 

And it is not just the tech giants who are in the firing line. 2024 enforcement expanded notably in financial services and energy. The Spanish Data Protection Authority issued two fines totalling €6.2 million against a large bank for inadequate security measures, and the Italian Data Protection Authority fined a utility provider €5 million for using outdated customer data.

On the AML side, things are moving just as fast. In February 2025, the Estonian Money Laundering and Terrorist Financing Prevention Committee revoked the license of a digital exchange due to failures in customer due diligence, risk assessment, and transaction monitoring. In March 2025, a global neobank was fined €3.5 million by the Bank of Lithuania for deficiencies in its AML procedures.

License revocations. Multi-million euro fines. Personal liability investigations for company executives. These are the real consequences of being unprepared when a regulator comes knocking.

The good news is that preparation works. The businesses that fare best in compliance audits are not necessarily the largest or the best-resourced. They are the ones that treat compliance as a continuous process rather than a last-minute scramble.

Which EU Regulations Might Apply to Your Business?

This sounds obvious, but mapping your regulatory obligations formally is one of the most commonly skipped steps, and skipping it costs businesses dearly.

To determine if your company is aligned with EU requirements, you should review your sector and company size, since many directives establish differentiated requirements for SMEs, large companies, or specific sectors like energy, digital, finance, or health. You should also identify applicable directives and regulations according to your activity.

The EU regulatory landscape in 2026 is genuinely complex. Here are the key frameworks that may apply to your business:

GDPR, Regulation (EU) 2016/679: Applies to any organization that processes personal data of EU residents, regardless of where the organization is based. This is the baseline data privacy regulation that almost every EU-facing business must comply with.

EU AML Single Rulebook, Regulation (EU) 2024/1624: Applies to all Member States and aims to eliminate fragmentation by harmonizing AML obligations for financial institutions. It introduces stricter customer due diligence requirements, including reduced thresholds for occasional and cash transactions, and bans anonymous accounts for crypto-asset service providers.

NIS2 Directive, Directive (EU) 2022/2555: Establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU, including healthcare, finance, energy, transportation, digital services, and public administration. Non-compliance can result in fines of up to €10 million or 2% of annual global turnover. Member States had until October 2024 to transpose NIS2 into national law.

DORA, Regulation (EU) 2022/2554: The Digital Operational Resilience Act applies to all financial entities operating in the EU, including credit institutions, payment institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and ICT third-party service providers. It entered into application on 17 January 2025 and ensures that these entities can withstand, respond to, and recover from ICT disruptions such as cyberattacks or system failures. 

CSRD, Directive (EU) 2022/2464: The Corporate Sustainability Reporting Directive requires companies in the EU to validate the content of their sustainability reports through an annual audit. Obligations are being phased in across different company sizes through 2025 and 2026.

EU AI Act, Regulation (EU) 2024/1689: Entered into force on 1 August 2024, with different obligations taking effect in stages. AI Act prohibitions started to be enforced from 2 February 2025, requirements for general-purpose AI models took effect in August 2025, and most other obligations take full effect on 2 August 2026. Fines for serious violations can reach €35 million or 7% of global annual turnover.

Whistleblowing Directive, Directive (EU) 2019/1937: Required for organizations with 50 or more employees. Internal whistleblowing channels, confidentiality protections, and documented follow-up procedures are all required and are increasingly scrutinized during compliance audits.

Do not assume you know which frameworks apply without formally mapping them to your operations. Regulatory mapping should be a documented, repeatable exercise, not a one-off assumption.

The Step-by-Step Guide to a Compliance Audit

Step 1: Build or Appoint Your Compliance Team

You cannot run a compliance function alone, and you cannot outsource all accountability to a law firm. The compliance function needs to include at least one designated compliance lead, ideally a qualified compliance officer, who has the authority and resources to actually implement change. This person needs to be empowered by senior leadership, not just tolerated.

The compliance function should conduct its own resource assessments to preserve independence. These assessments should be documented to create an audit trail, for example by integrating them into regular compliance reports to management, so that issues are discussed and decisions minuted.

One of the most important things your compliance lead needs to do is establish a working relationship with your internal audit function. If both compliance and internal audit investigate the same issues simultaneously without coordination, the organization risks duplicating work. A practical solution is to conduct regular operational meetings to align annual plans, share intelligence, and ensure that workstreams complement rather than duplicate each other.

If your organization does not yet have a dedicated compliance team, or if you operate across multiple EU jurisdictions, consider bringing in a specialist firm with EU regulatory experience.

Step 2: Map Your Applicable Regulations

Formally document every regulation that applies to your business, broken down by legal entity, jurisdiction, and business line. This is not a one-page summary. It should be a living document that should be updated every time your business model changes, every time a new regulation is enacted, and every time an existing regulation is amended.

Consider the following questions as you build this map. 

  • Do you process personal data of EU residents? 

  • Do you offer financial services or hold client money? 

  • Do you operate in healthcare, energy, transport, or digital infrastructure? 

  • Do you use or develop AI systems? 

  • Do you have 50 or more employees and take actions that could affect people's rights or livelihoods? 

Each yes leads to specific regulatory obligations that need to be documented and assigned an owner.

Step 3: Map Your Data, Systems, and Processes

Auditors will want to understand how your business actually operates, not just how your policies say it operates. This gap, between documented policy and lived reality, is where most compliance failures are found.

Understanding the key systems involved in your company's infrastructure and the critical systems necessary to provide services to your customers is essential before any audit. Additionally, the type of data you process, store, or transmit will play an especially critical role in determining which regulations apply to your organization.

To prepare properly, you should create data flow diagrams for each key business process. These show how data enters your organization, where it moves, who has access, and where it leaves or is deleted. Under GDPR especially, your ability to demonstrate data minimization and purpose limitation depends on having this documented.

Map your third-party relationships carefully. EU regulations increasingly require you to demonstrate that your suppliers, vendors, and data processors are also compliant. Under GDPR, if you share personal data with a processor who mishandles it, you can still face sanctions. Under DORA, financial entities must be able to withstand, respond to, and recover from any ICT-related disruption or threat, including those originating from third-party providers.

Document your access controls in detail. Who in your organization has access to what data or systems? This is a fundamental audit question, and a lack of granular access controls is a red flag for almost every type of compliance auditor.

Step 4: Conduct a Pre-Audit Gap Analysis

A gap analysis is essentially an honest internal review of where your compliance program falls short before an external auditor finds those gaps for you. The process involves comparing your current practices against the requirements of the regulations that apply to you, identifying areas where you are meeting requirements, areas where you are partially meeting them, and areas where you have clear gaps.

Think of it this way. If you are subject to GDPR and you have not yet conducted a Data Protection Impact Assessment for your high-risk processing activities, that is a gap. If you are subject to AML requirements and your transaction monitoring system has not been reviewed in the last year, that is a gap. If your employees have not received compliance training in 18 months, that is a gap. If you are subject to DORA and you have not documented your ICT third-party risk register, that is a gap.

A gap analysis is only useful if you act on it. Every identified gap needs an owner, a remediation plan, and a realistic deadline. This documentation also demonstrates good faith to auditors, showing that you identified issues proactively and are working to resolve them. Carry out a full assessment of relevant regulations. Set out which areas of these regulations apply to your business and include separate sections in your audit documentation for each regulatory framework.

Step 5: Get Your Documentation in Order

If there is one practical thing that separates businesses that sail through compliance audits from those that do not, it is documentation. Being able to provide evidence for the processes you have in place and how you follow them is a vital step in meeting your compliance obligations.

What does good compliance documentation look like? It includes:

Policies and procedures that are current, formally approved, and accessible to staff. These should not live in a filing cabinet no one ever opens. They need to be reviewed at least annually and updated whenever relevant laws change.

Training records showing that staff have received, understood, and acknowledged their compliance obligations. This is especially important for AML, GDPR, and data security training.

Risk assessments that are documented, dated, and reviewed regularly. For financial institutions, this includes AML risk assessments. For data-heavy organizations, this includes DPIAs. For financial entities under DORA, this includes ICT risk assessments.

Incident logs showing how your organization has identified, responded to, and learned from compliance issues or data breaches. Under GDPR, data protection authorities can audit whether businesses have conducted Data Protection Impact Assessments for their high-risk processing activities.

Audit trails of access to sensitive systems and data. Who logged in, when, and what they did. This kind of technical logging is increasingly expected as a baseline across most EU compliance frameworks.

Third-party contracts and due diligence records. Evidence that you have vetted your suppliers for compliance risks and that your contracts contain the required data protection and compliance clauses.

A good rule of thumb: if you cannot show an auditor evidence that something happened, it might as well not have happened.

Step 6: Train Your People

Your policies are only as strong as your people's understanding of them. This is not an HR issue; it is a compliance issue.

Training and awareness is a critical component of compliance strategy. Ongoing training at all levels is needed to foster an ethical and preventive culture. Training should be role-specific, not generic. The person managing customer due diligence in your AML team needs different training than the developer building your customer-facing app. A one-size-fits-all annual e-learning module is rarely sufficient to demonstrate genuine compliance culture to an auditor.

For EU regulated businesses, consider training your teams on:

  • The specific regulations that apply to their role and what violations look like in practice.

  • How to identify and escalate a suspicious transaction, a data breach, or a potential GDPR violation.

  • Your whistleblowing procedures, which are required under Directive (EU) 2019/1937 for organizations with 50 or more employees.

  • How to handle data subject rights requests under GDPR, including the timelines involved.

Critically, document all training. A record of who attended what training, when, is something auditors regularly ask for.

Step 7: Invest in the Right Compliance Software

This is the step that many businesses skip, and it is the one that makes everything else sustainable.

Here is the honest truth: humans cannot maintain continuous compliance alone. The volume of controls, evidence requirements, policy review cycles, regulatory updates, training records, risk assessments, and third-party due diligence activities that a compliance function needs to manage across even a mid-sized EU regulated business is simply too large and too time-sensitive for spreadsheets and email threads to handle reliably.

The European GRC platform market was worth USD 14.83 billion in 2024 and is expected to grow to USD 27.08 billion by 2033. The European Central Bank found that 80% of financial institutions rely on GRC software to meet stringent regulatory requirements like GDPR and AML directives. This is not a nice-to-have anymore. It is how regulated businesses stay operationally viable.

Continuous compliance automation addresses critical pain points including growing regulatory pressure where manual tracking fails to scale, audit readiness expectations from regulators and investors who expect real-time visibility, and cost and resource efficiency by eliminating duplicate effort and reducing audit preparation time.

What should you look for in a compliance software platform? The right tool should provide centralized policy management where every policy, procedure, and standard is stored, version-controlled, and accessible in one place. It should automate evidence collection so that audit trails, access logs, and control test results are captured continuously rather than assembled in a panic before a review. It should include real-time risk monitoring with alerts when controls are failing or approaching review deadlines. It should support multiple EU regulatory frameworks so that GDPR, AML, NIS2, and DORA requirements are managed in the same place rather than across separate systems. And it should provide a clear audit dashboard so that at any point, you can demonstrate your compliance posture to a regulator, a board member, or an investor without scrambling.

Continuous compliance monitoring tracks compliance constantly, identifying issues immediately versus traditional yearly audits that discover problems after they have already occurred and caused penalties. Automated tools track user activities, system changes, and data access in real time, reducing manual work. And proactive risk prevention catches compliance gaps and potential violations early, before they escalate into serious regulatory fines, legal penalties, or significant reputational damage.

This is precisely why speedyDD was built. Unlike generic GRC tools that were designed for large enterprises and retrofitted for the EU regulatory environment, speedyDD is purpose-built for complex and regulated EU businesses. It brings together due diligence workflows, ongoing compliance monitoring, evidence management, and audit-readiness tracking into a single platform that reflects how EU regulations actually work in practice. Whether you are managing GDPR data subject requests, AML customer due diligence records, or third-party risk documentation under DORA, speedyDD gives your compliance team the structure and automation to stay continuously audit-ready, not just audit-prepared.

Step 8: Run an Internal Mock Audit

Before an external auditor arrives, simulate the audit experience internally. Ask a senior compliance officer or an external consultant to review your documentation, interview key staff, and test your systems as if they were the regulator.

The questions they should be asking mirror what a real auditor will ask. Can you demonstrate that your policies are actually followed? Can you produce evidence of the controls you claim to have? Can staff accurately describe their obligations? Are your records consistent, current, and accessible? Are your compliance software systems generating the kind of continuous evidence trail that demonstrates ongoing adherence, not just point-in-time snapshots?

The point is not to create panic. The point is to surface problems while you still have time to fix them. If any compliance issues are detected in your mock audit, you will want a plan in place to correct them fast. Know ahead of time how you will prioritize, manage, delegate, and execute resolution. Executive management must be on board with correcting any issues detected, because the tone at the top will set the stage for how others act in the organization.

Step 9: Engage With Your Auditor Early

This is one of the most practically useful things you can do, and one that most organizations miss.

Opening up conversations with your assessors early about the uniqueness of your organization, including any recent changes, will help your chosen firm plan better for your audit kickoff meeting.

Find out in advance what documentation they will want to see. Understand the timeline and who in your organization needs to be available. If there are areas of your business that are unusual, complex, or recently changed, bring these up proactively. Auditors respond better to transparency than to surprises.

For regulatory audits triggered by a supervisory authority, this principle applies with even more care. Read any advance communications carefully, take note of the specific areas of focus, and prepare targeted evidence packs that directly address the questions being asked. This is where having a well-organized compliance software platform pays off immediately, because pulling together a targeted evidence pack takes hours rather than weeks.

Step 10: Build Continuous Compliance Into Your Operations

Here is the mindset shift that makes the biggest long-term difference: stop thinking about compliance as audit preparation and start thinking about it as a permanent operational discipline.

Compliance must be constantly evaluated, with mechanisms to detect non-compliance. Control and audit procedures should be updated periodically. This means building compliance monitoring into your day-to-day workflows:

  • Automated alerts when policies are due for review.

  • Regular controls testing, not just before an audit.

  • Real-time transaction monitoring for AML-obliged entities.

  • Continuous evidence collection, so that when an audit comes you are not scrambling to reconstruct months of documentation.

A proactive approach, which includes anticipating legislative developments and understanding regulators' expectations, is key to meeting compliance requirements efficiently. The EU regulatory landscape will continue to evolve. The new AMLA commenced operations on 1 July 2025, with full supervisory powers to be phased in by 2028, and will directly oversee high-risk financial institutions and coordinate with national supervisors, particularly in cross-border cases. On 20 January 2026, the European Commission proposed targeted amendments to the NIS2 directive to increase legal clarity and simplify compliance with EU cybersecurity rules, easing compliance for an estimated 28,700 companies including 6,200 micro and small-sized enterprises. 

The businesses that will handle these changes most effectively are the ones that have already built compliance into the fabric of how they operate, not bolted it on as an afterthought.

Requirements for an Excellent Compliance Audit Outcome

Let's be specific and detailed about what auditors are actually evaluating, because understanding this shapes everything above. Auditors are not simply checking whether you have the right policies written down. They are evaluating whether your compliance controls are genuinely effective and consistently applied. A well-executed audit not only identifies compliance risks but also strengthens organizational processes, builds stakeholder confidence, and ensures accountability.

The requirements for an excellent compliance audit outcome go significantly deeper than most organizations realize. Here is what each dimension actually involves in practice.

The first requirement is comprehensive, current, and honest documentation. This means your policies must reflect what you actually do today, not what you did when they were last written two years ago. Auditors are trained to identify divergence between written procedure and operational reality, and that divergence is one of the most common audit findings. Each policy needs a review date, an owner, and evidence that the review happened. If your GDPR privacy notice says you delete personal data after 12 months but your database retention settings are configured for five years, that is a finding. Documentation needs to be internally consistent across every function.

The second requirement is demonstrable and role-specific training. Generic annual e-learning completions are rarely sufficient on their own. Auditors want to see that staff in specific roles understand the specific obligations that apply to them, and that this understanding is tested and recorded. For AML-obliged entities, this means documented evidence that customer-facing staff understand red flags, escalation procedures, and record-keeping requirements. For GDPR, this means evidence that data controllers and processors understand lawful bases, consent requirements, and how to handle data subject rights requests within the required timeframes. For DORA, this means evidence that ICT and security staff understand incident classification, reporting timelines, and resilience testing requirements.

The third requirement is up-to-date, formally reviewed risk assessments. Risk assessments are not one-off documents. They are living records that should be reviewed whenever your business changes materially, whenever a new regulation is enacted, and on a scheduled basis regardless. An AML risk assessment that was completed three years ago and never touched since is almost certainly going to be a finding. The same applies to DPIAs under GDPR, ICT risk assessments under DORA, and cybersecurity risk assessments under NIS2. Auditors will check when the assessment was last reviewed, what triggered that review, who approved it, and whether the controls it recommended were actually implemented.

The fourth requirement is complete and verifiable audit trails. Technical audit logging is now a baseline expectation across most EU compliance frameworks. This means logs of who accessed which systems, when, what actions they took, and whether any anomalies were flagged and investigated. Under DORA, financial entities must maintain detailed records of ICT-related incidents and demonstrate that their incident response processes work. Under GDPR, access to systems containing personal data must be logged and those logs must be retained appropriately. Under NIS2, cybersecurity risk management measures must include mechanisms for detecting and reporting incidents. If your systems cannot generate these logs, or if your logs are not retained and reviewed, that is a material gap.

The fifth requirement is rigorous third-party due diligence. A significant proportion of compliance failures in EU regulated businesses originate from or are exacerbated by third parties. Your supplier or vendor does not reduce your regulatory obligation. You remain responsible for the compliance of any third party to whom you transfer personal data, financial crime risk, or ICT operational dependency. Auditors will ask to see your vendor due diligence procedures, the questionnaires or assessments you use, how frequently you reassess existing vendors, and what you do when a vendor fails your assessment. Under DORA, your register of ICT third-party service providers must be maintained and available to your competent authority on request.

The sixth requirement is a genuine compliance culture supported by leadership. This is the hardest thing to fake and the most visible to an experienced auditor. Compliance culture is evidenced by the tone at the top: do board minutes reflect discussion of compliance risks? Does senior management receive and act on compliance reports? Are compliance concerns raised and escalated without fear? Is the compliance function adequately resourced and independent? Are identified issues remediated promptly, and are the same issues recurring year on year? Auditors will often speak to staff at various levels to assess whether the compliance culture described in your documentation matches the organizational reality they encounter.

The seventh requirement is a clear and tested incident response and escalation process. Every EU regulated business needs a documented process for what happens when something goes wrong. Who gets notified internally? What is the timeline for escalating to a regulator? Who communicates externally? Under GDPR, data breaches must be notified to the competent supervisory authority within 72 hours of becoming aware of the breach where feasible. Under DORA, major ICT-related incidents must be reported to competent authorities following a specific classification and reporting timeline. Under NIS2, significant incidents must be reported within defined timeframes including an early warning within 24 hours. These processes need to be tested, not just written down. Auditors may ask whether you have ever run a tabletop incident exercise, and what you learned from it.
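As an added illustration (not code from this guide or from speedyDD), the following Python script runs the kind of control tests that Steps 4 and 5 and the requirements above describe over a set of constructed evidence records: policy review dates against the annual cycle, risk assessment review dates, the retention promised in a privacy notice against the retention actually configured on each data store, and training recency against the 18-month limit. Every record, owner and data store name is made up; the annual review cycle applied to risk assessments is an assumption, since the guide only says they must be reviewed on a scheduled basis.

```python
"""Control tests over constructed compliance evidence, the kind a continuous
monitoring tool runs between audits. Added example; not speedyDD's code."""
import re
from dataclasses import dataclass
from datetime import date

# Thresholds from the guide: policies reviewed at least annually, training no older
# than 18 months. An annual cycle for risk assessments is an assumption.
POLICY_REVIEW_MONTHS = 12
RISK_ASSESSMENT_REVIEW_MONTHS = 12
TRAINING_MAX_AGE_MONTHS = 18

@dataclass(frozen=True)
class Finding:
    control: str  # which control test raised it
    subject: str  # the policy, assessment, data store or person concerned
    detail: str   # the evidence behind the finding
    owner: str    # who must remediate it

def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`; partial months ignored."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months

_PERIOD_RE = re.compile(r"^\s*(\d+)\s*(day|week|month|year)s?\s*$", re.IGNORECASE)

def period_to_days(text: str) -> int:
    """Normalise '12 months', '5 years', '90 days' to days. A month counts as 30 days
    and a year as 12 such months, so '1 year' and '12 months' compare equal."""
    match = _PERIOD_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised retention period: {text!r}")
    count, unit = int(match.group(1)), match.group(2).lower()
    return count * {"day": 1, "week": 7, "month": 30, "year": 360}[unit]

def check_review_dates(records, kind, max_months, as_of):
    """Flag policies or risk assessments whose last review is older than the cycle."""
    findings = []
    for rec in records:
        age = months_between(rec["last_review"], as_of)
        if age > max_months:
            findings.append(Finding(f"{kind}-review", rec["name"],
                f"last reviewed {rec['last_review']} ({age} months ago, limit {max_months})",
                rec["owner"]))
    return findings

def check_retention(notices, data_stores):
    """Flag data stores whose configured retention differs from the privacy notice."""
    findings = []
    for notice in notices:
        store = data_stores[notice["data_store"]]
        if period_to_days(notice["stated_retention"]) != period_to_days(store["retention"]):
            findings.append(Finding("retention-consistency", notice["data_store"],
                f"notice promises {notice['stated_retention']}, store keeps {store['retention']}",
                store["owner"]))
    return findings

def check_training(training, as_of):
    """Flag staff whose most recent compliance training is older than the limit."""
    findings = []
    for rec in training:
        age = months_between(rec["completed"], as_of)
        if age > TRAINING_MAX_AGE_MONTHS:
            findings.append(Finding("training-recency", rec["staff"],
                f"{rec['course']} completed {rec['completed']} ({age} months ago)", rec["owner"]))
    return findings

def run_controls(evidence, as_of):
    """Run every control test; each finding names the owner who must remediate it."""
    return (check_review_dates(evidence["policies"], "policy", POLICY_REVIEW_MONTHS, as_of)
            + check_review_dates(evidence["risk_assessments"], "risk-assessment",
                                 RISK_ASSESSMENT_REVIEW_MONTHS, as_of)
            + check_retention(evidence["privacy_notices"], evidence["data_stores"])
            + check_training(evidence["training"], as_of))

# Constructed evidence for a fictitious firm; every date, name and owner is made up.
EVIDENCE = {
    "policies": [
        {"name": "AML policy", "last_review": date(2025, 6, 15), "owner": "MLRO"},
        {"name": "Data protection policy", "last_review": date(2024, 1, 10), "owner": "DPO"},
    ],
    "risk_assessments": [
        {"name": "AML business-wide risk assessment", "last_review": date(2023, 2, 1), "owner": "MLRO"},
        {"name": "ICT risk assessment (DORA)", "last_review": date(2025, 11, 20), "owner": "CISO"},
    ],
    "privacy_notices": [
        {"data_store": "crm_db", "stated_retention": "12 months"},
        {"data_store": "support_tickets", "stated_retention": "2 years"},
    ],
    "data_stores": {  # retention as actually configured on each system
        "crm_db": {"retention": "5 years", "owner": "Head of Engineering"},
        "support_tickets": {"retention": "24 months", "owner": "Head of Engineering"},
    },
    "training": [
        {"staff": "j.doe", "course": "AML customer due diligence", "completed": date(2024, 6, 1), "owner": "Head of Compliance"},
        {"staff": "a.smith", "course": "GDPR awareness", "completed": date(2025, 1, 15), "owner": "DPO"},
    ],
}
AS_OF = date(2026, 3, 1)  # the date the control run is evaluated against
```

Calling `run_controls(EVIDENCE, AS_OF)` on this data yields four findings: a stale data protection policy, a three-year-old AML risk assessment, a CRM database keeping data for five years against a 12-month promise, and one member of staff whose AML training has lapsed, while the support ticket store passes because "2 years" and "24 months" normalise to the same period.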

Regular compliance audits demonstrate a commitment to ethical practices and regulatory adherence, building trust with stakeholders including customers, investors, and regulatory bodies. Audits also provide insights into areas where the organization can improve its processes and controls, leading to enhanced operational efficiency.

About speedyDD

At speedyDD, we work specifically with complex and regulated businesses that cannot afford to be caught off-guard when auditors come calling. Our mission is to help organizations operating in regulated industries achieve and maintain genuine audit-readiness, not just on paper, but in practice. We understand the pressure of EU compliance obligations and the operational reality that compliance work competes with everything else your team is trying to do. Whether you are preparing for a GDPR audit, an AML review, or a supervisory examination under any number of EU frameworks, speedyDD is built to help you maintain the kind of structured, evidence-based compliance posture that keeps regulators satisfied and your business protected.

Frequently Asked Questions About Compliance Audits

What is the difference between an internal audit and a compliance audit? An internal audit is conducted by your own team to assess operational processes and controls. A compliance audit is an independent, external evaluation of whether your organization meets specific regulatory or legal requirements. Internal audits are useful preparation tools, but they do not replace external compliance audits in the eyes of regulators.

How often should an EU regulated business conduct a compliance audit? The frequency depends on the organization's size, industry, and regulatory environment. Many organizations conduct audits annually or bi-annually. High-risk industries or those with frequent regulatory changes may require more frequent audits. Under some EU frameworks, audits are required at set intervals by law.

What happens if we fail a compliance audit? The consequences vary by regulation and jurisdiction, but can include formal reprimands, mandatory remediation plans, significant financial penalties, restrictions on data processing or business activities, and in serious cases, suspension or revocation of operating licenses. Under GDPR, fines can reach up to €10 million or 2% of global annual turnover, while fines for serious violations can reach up to €20 million or 4% of global annual turnover.

What is a compliance gap analysis and do we need one? A gap analysis compares your current compliance practices against the requirements of the regulations that apply to you. It identifies where you are compliant, where you are partially compliant, and where you have clear deficiencies. If you are preparing for any kind of regulatory audit, a gap analysis should always be your starting point. It gives you the time to fix problems before they become findings.

Do smaller EU businesses need to worry about compliance audits? Yes. While some regulations have thresholds based on company size or number of employees, many EU obligations apply regardless of size. GDPR applies to almost every organization that processes personal data of EU residents. NIS2 covers medium and large companies across many sectors. If you serve customers in the EU, process their data, or operate in a regulated sector, compliance obligations apply to you.

What documents should we have ready for a compliance audit? You should have your current compliance policies and procedures, staff training records, risk assessments and DPIAs where applicable, incident and breach logs, access control records and system audit trails, third-party contracts and vendor due diligence records, and any previous audit reports and evidence of remediation.

What is the EU AMLA and how does it affect compliance audits? The Anti-Money Laundering Authority (AMLA), established under Regulation (EU) 2024/1620, commenced operations on 1 July 2025. It will directly oversee high-risk financial institutions and coordinate with national supervisors, particularly in cross-border cases. AMLA will also issue technical standards and guidelines that firms must integrate into their compliance frameworks, with full supervisory powers phased in by 2028. For financial services businesses operating across multiple EU countries, AMLA represents a significant shift toward centralized oversight.

Can compliance audits be triggered without advance notice? Yes. While many scheduled audits provide advance notice, supervisory authorities in the EU have the power to conduct unannounced inspections in certain circumstances. This is one of the strongest arguments for maintaining continuous, year-round audit readiness rather than treating compliance as a pre-audit sprint.

What is DORA and who does it apply to? DORA, the Digital Operational Resilience Act, applies to all financial entities operating in the EU, including third-party ICT service providers, and became enforceable from January 2025. It requires firms to comply with strict ICT risk management and operational resilience requirements, including regular cybersecurity stress tests and vulnerability assessments. 

How do we demonstrate compliance culture to an auditor? Compliance culture is demonstrated through evidence of genuine organizational commitment, not just policy documents. This includes board-level oversight of compliance, senior management participation in compliance decisions, documented training programs with completion records, whistleblowing channels that are actually used and taken seriously, and a track record of self-identifying issues and remediating them proactively.

SpeedyDD Trading Limited, a company registered in Cyprus under Registration Number HE457236, with Registered Address at Griva Digeni 81, Marinos Court, 3rd Floor, Flat/Office 301, 6043 Larnaca, Cyprus

© 2026 SpeedyDD. All rights reserved.
