Newsletter Article

GLOBAL UPDATE: LOGGING, TRACEABILITY AND RESPONSE ARE CONVERGING

Snare Insider Newsletter Series Article

Make sure you Subscribe

Cybersecurity and AI regulations differ by jurisdiction, but their operational expectations are increasingly similar. Organisations must be able to monitor activity, preserve evidence, explain decisions, report incidents, and demonstrate that security controls are functioning as intended.

NIS2: stronger expectations for MSSPs and digital providers

The EU’s NIS2 Directive (Directive (EU) 2022/2555) implementing requirements apply detailed cybersecurity measures to organisations including managed service providers, managed security service providers, cloud computing providers, data centre providers, content delivery networks and trust service providers.

The requirements include monitoring and logging capabilities, with the availability of those logging systems monitored independently from the environments they observe. For MSSPs, this raises the standard beyond simply receiving customer logs, providers must demonstrate the resilience, integrity and availability of the logging service itself.

EU AI Act: transparency obligations arrive next month

EU AI Act (Regulation (EU) 2024/1689) transparency obligations for high-risk systems take effect from 2 August 2026. Under the May 2026 political agreement on AI Act simplification, deadlines for certain systems have moved later, but the underlying direction has not changed: AI systems must become more transparent, governable and auditable.

Article 12 is the specific provision to know. It requires high-risk AI systems to “technically allow for the automatic recording of events (logs) over the lifetime of the system,” covering risk identification (referencing Article 79), post-market monitoring (Article 72) and deployer-side operational monitoring (Article 26(5)).

Article 26(6) sets the retention floor: automatically generated logs must be kept for a period appropriate to the system’s intended use, and at least six months, unless another law requires longer.

Non-compliance with record-keeping sits in the second of three penalty tiers under Article 99, up to €15 million or 3% of global annual turnover, whichever is higher.

DORA: operational evidence for financial services

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is now embedded within the European financial services environment. Its supporting technical standards provide detailed requirements for reporting major ICT incidents, assessing third-party dependencies, and maintaining operational resilience. Financial institutions must be able to move quickly from detection to classification, evidence collection, reporting and recovery.

The common global direction

Across these frameworks, logging is expected to support four outcomes:

  • Detection, identify suspicious or abnormal activity
  • Investigation, reconstruct what happened and determine impact
  • Reporting, provide timely, defensible information
  • Assurance, prove that controls, systems and decisions operated correctly

This is increasing both the strategic value and the total volume of security data.

The Snare perspective

Multi-framework compliance usually gets solved the expensive way, a separate export, a separate retention policy, a separate audit trail for every regulator a business answers to. That approach doesn’t scale as the list grows from one or two frameworks to five or more, and it’s exactly the scenario NIS2, DORA, the EU AI Act and SEC disclosure are now creating simultaneously for organisations operating across jurisdictions.

The alternative is a single collection and retention layer that routes evidence to whatever destination each obligation requires;

  • a 72-hour NIS2 notification,
  • a 4-hour DORA classification,
  • a materiality file for the SEC, an AI system’s Article 12 log

without standing up a parallel pipeline for each one.

That’s the architecture argument running through this entire issue: collect once, route by purpose, and let the reporting clock you’re racing determine where the evidence goes, not how it was captured. For the full side-by-side of what each framework actually requires, see the companion Compliance Matrix referenced at the end of this issue.

Snare Solutions
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.