“Compliance fatigue”: the new risk awaiting the RSSI
Faced with an avalanche of regulations, cybersecurity managers are struggling to maintain the balance between compliance and operational security. Behind the rigor the texts are meant to bring, a silent risk sets in: regulatory exhaustion.
NIS2, DORA, GDPR, AI Act, CER, the Military Programming Law, and more: the list of texts framing cybersecurity keeps growing. For RSSIs, this regulatory inflation results in a constant tension between compliance requirements and execution. Several professionals now call this phenomenon “compliance fatigue”.
A stack of texts, a dispersion of efforts
The ambition of the European Union is clear: to build a robust cybersecurity base at the scale of the internal market. But for organizations, each text introduces new obligations, new perimeters, new deadlines. The RSSI must arbitrate: which text to treat as a priority? Which controls to implement? Which budgets to allocate?
This dispersion creates a fragmentation of efforts, to the detriment of the overall vision. “We spend more time identifying what is required than securing the systems themselves,” says the RSSI of an operator of vital importance.
Teams permanently under pressure
Beyond regulatory management, the entire cybersecurity value chain is under pressure. Teams must document proofs of compliance, take part in audits, and follow regulatory updates, all while maintaining their level of operational vigilance. The load is continuous, often without additional staff.
This dynamic creates a wear effect. The risk is not only organizational; it becomes human: loss of meaning, disengagement, turnover. Some experienced RSSIs leave their posts for more technical or less exposed roles.
A paradox: more compliance, less security
By multiplying reports, gap matrices and control grids, companies drift toward surface-level cybersecurity. Compliance becomes an end in itself, to the detriment of effective risk reduction.

“The real danger is to believe that we are protected because we are compliant,” explains an ANSSI expert. Yet compliance does not protect; it frames. It does not replace detection, resilience, or threat intelligence.
Rethinking compliance as a steering lever
To avoid regulatory fatigue, some companies restructure their approach:
- They create dedicated regulatory monitoring units, distinct from the RSSI.
- They adopt unified frameworks (e.g. ISO 27001, NIST, NIS2, DORA) to avoid duplication.
- They integrate compliance into a risk governance strategy rather than treating it as a legal silo.
The stake is clear: turn compliance into a cyber steering tool, not an administrative burden.
The role of institutions: clarify, prioritize, support
Faced with this growing fatigue, national authorities have a role to play. It is no longer just a matter of producing texts, but of:
- Clarifying the applicable perimeters
- Prioritizing obligations according to actor profiles
- Equipping RSSIs via operational standards, diagnostic tools, or targeted training
The NIS2 directive provides for the definition of objectives and reference measures at national level. These still have to be readable, compatible with realities on the ground, and backed by suitable means.
A call for balance
Cybersecurity is not a perpetual compliance exercise. It rests on control of systems, knowledge of vulnerabilities, and the capacity to react. If regulatory pressure becomes too strong, it risks weakening the security posture instead of strengthening it.
The role of the RSSI is not to manage texts but to protect the business. Imposing an uninterrupted regulatory agenda on them risks diverting them from their main mission. In a world where attacks move faster than decrees, effectiveness will always take precedence over exhaustiveness.