“Merely introducing new rules without a cultural shift in how companies prioritize and implement robust security measures can render these updates ineffective,” said Borja Rodriguez, manager of threat intelligence operations at cybersecurity vendor Outpost24. “Companies must not only comply with the rules but also embed cybersecurity into their core operations and invest in proactive strategies.”
Imposing stricter rules and fines could “unintentionally provide leverage to ransomware groups,” as these fines are often cited in ransom demands to pressure organizations into paying, Rodriguez warned.
“To mitigate this, the government should consider balancing enforcement with incentives for genuine improvement in cybersecurity posture, such as funding, support programs, or recognition for achieving high security standards,” Rodriguez said.
