Decision Guides
Structured IT decisions for regulated organisations
Structured decision guides for CISOs, CIOs and compliance owners: EDR/XDR selection, IAM/IGA/PAM stack, SIEM/SOC, sovereign cloud, IT outsourcing, NIS2 readiness, DORA readiness, ISO 27001:2022 re-certification and EU AI Act implementation.
Security
How to choose an EDR or XDR platform in 2026
EDR decisions fail on alignment, not on product features. Decide the criteria first.
Security
How to choose an IAM, IGA and PAM stack
Treat IAM, IGA and PAM as three decisions, not one.
Infrastructure
How to make a sovereign cloud migration decision
Start with what sovereignty means for this workload, not with vendor shortlists.
Infrastructure
How to decide on IT outsourcing, a structured framework
Outsourcing failures are decision failures. Structure the decision first.
Compliance
How to reach NIS2 readiness as a mid-market or enterprise operator
NIS2 readiness is ten decisions. Run each one as a structured decision and link it to board sign-off.
Compliance
How to reach DORA readiness as a financial entity
DORA is five pillars, each a cluster of decisions. Every cluster needs its own evidence trail.
Compliance
How to implement the EU AI Act by 2 August 2026
The AI Act fails on a missing AI inventory, not on the legal text. One documented decision per system.
Compliance
ISO 27001:2022 recertification: a structured migration and renewal guide
The 11 new 2022 controls are what recertification turns on. Decide each one separately and document it.
Security
SIEM platform and SOC build: a structured decision guide
SIEM, SOC operations and log scope are three decisions, not one.
Backup, Recovery and Disaster Recovery
Choosing a backup and DR solution under NIS2, DORA and BAIT
A 2026 backup decision is a ransomware decision. Immutability and tested recovery are non-negotiable.
Security operations and Managed Detection & Response
SOC vs MDR: build vs buy under NIS2 and DORA
Building a SOC pays off from around 5000 endpoints and a mature detection-engineering culture. Below that, MDR or hybrid is almost always more economical.
Privileged Access Management
Choosing a PAM tool: vault, session recording, JIT under NIS2 and DORA
The PAM market splits three ways: enterprise on-prem/hybrid (CyberArk, BeyondTrust, Delinea), cloud-native (HashiCorp, AWS, Azure PIM), DevOps vaulting (HashiCorp, Doppler, Akeyless).
Identity and Authentication
Planning an MFA rollout: phishing-resistant authentication under NIS2 and DORA
Weak MFA (SMS, TOTP) is not enough in 2026. Phishing-resistant MFA is mandatory for privileged access.
Cloud Security Posture and CNAPP
Choosing CSPM or CNAPP: consolidating the cloud-security stack
The 2026 CNAPP market has consolidated into 5-7 real platforms. Tool-sprawl reduction beats best-of-breed.
Productivity suite
Microsoft 365 or Google Workspace: a structured 2026 decision
M365 wins in regulated industries and the enterprise. Workspace wins in engineering cultures and the mid-market. Hybrid is the most expensive variant.
ERP modernisation
Choosing an ERP: SAP S/4HANA, Microsoft Dynamics, Oracle, Infor, open source
In the mid-market the 2026 ERP decision is rarely 'SAP or not' but 'RISE with SAP vs Microsoft Dynamics 365 vs Infor'.
Penetration Testing
Choosing a pentest vendor: TLPT, red team, classical pentest
Define the discipline first, then pick the vendor. TLPT needs TIBER-EU experience; red teaming needs the vendor's own C2 capability.
Compliance
Preparing for the Cyber Resilience Act: CRA compliance for manufacturers of products with digital elements
CRA is not an IT security project; it is a product compliance decision. Scope, class and conformity route must come before engineering decisions.
Compliance
Building the DORA register of information: completeness, classification, supervisory reporting
The register of information is a supervisory artefact. Completeness before tool choice, classification before detail.
