Insight
We publish rarely, and only when we have something considered to say.
The view we hold
Across the United Kingdom, the European Union and the United States, the rules that govern sensitive data and operational resilience are multiplying — GDPR, NIS2 and DORA in Europe; HIPAA and a widening patchwork of state privacy law in the United States; the UK’s own regime alongside.
Read separately, each looks like a fresh programme to run. Read together, they converge on a single obligation: demonstrable, board-level control over the data and systems an organisation cannot afford to lose.
A board does not need a compliance programme for every regime. It needs one defensible position that answers to all of them. That is the view we hold, and the lens through which we read each new development.
How we write
Our writing takes two forms: an annual outlook on what boards should watch across these jurisdictions, and short notes written when the regulation actually moves. Both are given freely. There is nothing to subscribe to, and nothing to exchange for your details.
The first outlook is in preparation.