Cybersecurity compliance for small and mid-market organisations has never been harder to navigate. The frameworks have multiplied, the requirements have expanded, and the expectation that your organisation can meet them has grown regardless of whether you have a dedicated compliance team, a security analyst, or even a second IT person. For the IT Manager at a 200-person company who is also running the helpdesk, patching servers, and managing the Microsoft tenant, compliance can feel like a second full-time job that you didn’t sign up for.
But there is an important nuance: the frameworks are not getting harder by choice. They are getting harder because the threat is genuinely worse. The problem is not the frameworks themselves. It is the structural gap between what they now require and what most mid-market IT teams are resourced to deliver.
The Threat Landscape Drove the Frameworks Here
ISO 27001, NIS2, Cyber Essentials: these frameworks exist to protect organisations from real and growing risks. That purpose matters, and it is worth stating clearly before discussing why meeting them is so difficult. They are not bureaucratic obstacles. They are responses to an attack environment that has changed significantly in the past five years.
NIS2, which became enforceable across EU member states in October 2024, is the clearest example. It was created because the 2016 NIS Directive was no longer sufficient. Critical infrastructure is being targeted more frequently and with more sophistication. Research published by Harvard Business Review in 2024 found that AI-generated phishing emails achieved a 54% click-through rate compared to just 12% for human-written messages, making AI-crafted attacks more than four times as effective as traditional ones.[1] Attacks have expanded beyond email to Microsoft Teams, SMS, and voice. The frameworks updated because the threat amplified.
ISO 27001's requirement for ongoing, evidenced security awareness training is grounded in the same logic. The research on behaviour change under phishing conditions is unambiguous: a once-a-year session has no lasting protective effect. According to research first established by Hermann Ebbinghaus and replicated in a 2015 study published in PLOS ONE, people forget approximately 70% of new information within 24 hours without reinforcement.[2] The framework caught up with the science. The manual tools most teams use to deliver training have not.
So the compliance burden is growing for good reason. The difficulty is that the assumption baked into these frameworks, that the organisation responsible for meeting them has dedicated resources to do so, has not been revisited to account for the reality of a 200-person manufacturing company with two IT staff.
The Structural Gap Is Widening
In sectors like manufacturing and retail, where IT-to-employee ratios commonly run as high as 1:200 or more, a single IT Manager may be responsible for the security, infrastructure, and compliance needs of an entire organisation.[3] That is not a team built to absorb growing compliance requirements. And the situation is not improving.
IT staffing across the industry saw stagnation in 2024, with the sector treading water for close to the entire year after a long run of reliable growth, according to Staffing Industry Analysts.[4] Heading into 2026, the hiring environment has been characterised as "low-hire, low-fire": employers are cautious, headcount decisions face tighter scrutiny, and teams are absorbing more responsibility without growing.[5] Globally, 49% of SMBs report a skills shortage in emerging technology areas, and cybersecurity and compliance sit squarely in that category.[6]
The compliance burden is expanding in one direction. The teams responsible for meeting it are staying flat. The gap between the two is where the problem lives.
Five years ago, a mid-market company in the UK might have had one compliance framework to consider. Today, the same organisation may be managing ISO 27001 requirements from a customer contract, NIS2 obligations if they fall within its scope, Cyber Essentials as a baseline expectation from their insurance provider, and UK GDPR data protection obligations. Each framework has overlapping but not identical requirements. Each requires evidence. None of them was designed to interoperate cleanly with the others.
Manual Compliance Cannot Keep Pace
The issue most IT teams run into is not that compliance is conceptually difficult. The requirements, when you strip away the framework language, usually come down to the same things: make sure your people know how to recognise a threat, document that you have done so, and be able to prove it when someone asks.
The problem is how teams try to meet those requirements in practice. The most common approach looks something like this: an annual training session, often a video or a slideshow, followed by an email asking staff to confirm they watched it, tracked in a spreadsheet, with completion chased manually by the IT Manager or an admin assistant. Once a year, this evidence is compiled and presented to an auditor or attached to a customer security questionnaire.
This approach fails on almost every dimension that matters. It does not produce lasting behaviour change. It does not reflect how modern attacks work. And it does not generate the kind of continuous, documented evidence that frameworks like NIS2 and ISO 27001 now require.
The compliance burden also grows in proportion to how manual your process is. The more you rely on spreadsheets, email chasing, and manual report compilation, the more time compliance takes, and the more fragile it becomes when someone is on holiday, leaves the company, or simply does not respond to the reminder.
What Audit-Ready Evidence Looks Like
One of the most common misconceptions about compliance is that auditors are looking for a clean bill of health. They are not. They are looking for evidence of a documented, ongoing, and improving programme. That means completion records showing who completed training and when, simulation data demonstrating your organisation is testing staff regularly, policy acknowledgment logs proving employees have read and confirmed key policies, and ideally a trend line showing improvement over time.
An organisation that can walk into an audit with six months of simulation data showing a declining click rate, a policy acknowledgment log showing 94% completion, and a training completion report generated automatically is in a very different position to one that can produce a spreadsheet and a PDF of last year's training deck.
The former has a credible, auditable training programme. The latter might be compliant on paper, but would not survive scrutiny, and offers no real protection against the threats the frameworks were designed to address.
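As an added illustration of the evidence described above (this is example code written for this article, not Pistachio's own tooling or data), the script below derives the three artefacts the text names from constructed log records: a click-rate trend line across six simulation campaigns, a policy acknowledgment completion percentage with the outstanding names, and a per-person training completion record. The roster, campaign months, policy ids and dates are all constructed assumptions, as is the rule that every user on the roster receives one simulated email per campaign.

```python
"""Added example (not from the original article or Pistachio): turn constructed
phishing-simulation, policy-acknowledgment and training records into the
audit evidence the text describes. All names, ids and dates are assumptions."""
from datetime import date

# Constructed assumption: every user on the roster receives one simulated
# phishing email per monthly campaign; each set records who clicked it.
ROSTER = ["alice", "bob", "carol", "dave", "erin"]
CLICKS_BY_CAMPAIGN = {
    "2025-01": {"alice", "bob", "dave"},
    "2025-02": {"alice", "dave"},
    "2025-03": {"bob"},
    "2025-04": {"dave"},
    "2025-05": set(),
    "2025-06": {"dave"},
}

# Constructed assumption: acknowledgment log rows of (user, policy_id, date).
ACK_LOG = [
    ("alice", "acceptable-use-v3", date(2025, 2, 3)),
    ("bob", "acceptable-use-v3", date(2025, 2, 4)),
    ("carol", "acceptable-use-v3", date(2025, 2, 10)),
    ("dave", "acceptable-use-v3", date(2025, 3, 1)),
    ("erin", "acceptable-use-v2", date(2024, 9, 12)),  # only the superseded version
]

# Constructed assumption: completion dates for the current training module.
TRAINING_COMPLETED = {"alice": date(2025, 1, 15), "bob": date(2025, 1, 16),
                      "carol": date(2025, 1, 20), "dave": date(2025, 2, 2)}


def click_rates(clicks_by_campaign, roster):
    """Return [(campaign, rate)] in chronological order; rate = clicks / sent."""
    sent = len(roster)
    return [(campaign, len(clicked & set(roster)) / sent)
            for campaign, clicked in sorted(clicks_by_campaign.items())]


def trend_slope(rates):
    """Least-squares slope of click rate against campaign index. A negative
    slope is the declining trend line an auditor wants to see."""
    ys = [rate for _, rate in rates]
    n = len(ys)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(ys) / n
    cov = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(ys))
    var = sum((i - x_mean) ** 2 for i in range(n))
    return cov / var


def acknowledgment_completion(ack_log, roster, policy_id):
    """Percentage of the roster that acknowledged this exact policy version,
    plus the names still outstanding (the list someone would otherwise chase)."""
    acked = {user for user, policy, _ in ack_log if policy == policy_id}
    outstanding = sorted(u for u in roster if u not in acked)
    pct = round(100 * (len(roster) - len(outstanding)) / len(roster), 1)
    return pct, outstanding


def training_completion_report(training_completed, roster):
    """One row per person: who completed the module and when, or 'outstanding'."""
    return [(user, training_completed[user].isoformat()
             if user in training_completed else "outstanding")
            for user in roster]


def evidence_summary(clicks_by_campaign, ack_log, training_completed, roster, policy_id):
    """The figures a compliance report would carry, computed rather than compiled by hand."""
    rates = click_rates(clicks_by_campaign, roster)
    ack_pct, outstanding = acknowledgment_completion(ack_log, roster, policy_id)
    training = training_completion_report(training_completed, roster)
    completed = sum(1 for _, when in training if when != "outstanding")
    return {
        "campaigns": len(rates),
        "first_click_rate": rates[0][1],
        "latest_click_rate": rates[-1][1],
        "click_rate_declining": trend_slope(rates) < 0,
        "policy_ack_pct": ack_pct,
        "policy_ack_outstanding": outstanding,
        "training_completed_pct": round(100 * completed / len(roster), 1),
    }


if __name__ == "__main__":
    summary = evidence_summary(CLICKS_BY_CAMPAIGN, ACK_LOG, TRAINING_COMPLETED,
                               ROSTER, "acceptable-use-v3")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Two design points matter for audit purposes: the acknowledgment check matches the exact policy version, so a stale acknowledgment of an older revision does not count, and the trend is computed over the whole series rather than by comparing two endpoints, so a single good month cannot mask a flat programme.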
The Path Forward Is Automation, Not More Effort
The structural problem with compliance for teams of this size is not effort or expertise. It is that the manual approach was never designed to scale alongside a threat landscape that keeps evolving, and it has been stretched well beyond what it can reasonably support.
The organisations that manage compliance most effectively are the ones that have stopped treating it as a separate workload and started treating it as a byproduct of running a good security programme. When training runs automatically and continuously, when policy acknowledgments are tracked without anyone chasing them, and when audit-ready reports can be generated in a single click, compliance stops being a burden and starts being something your organisation simply has.
That shift does not require a bigger team. It requires the right infrastructure.
Pistachio Practice was built for this problem. It runs continuous phishing simulations and micro-learning automatically, without requiring campaign management from your team. The Policy Management feature handles policy distribution and acknowledgment tracking, and one-click reports generate the evidence trail you need for ISO 27001, NIS2, and Cyber Essentials audits. Setup takes 10 minutes via Microsoft Entra ID.
If your organisation is facing a compliance deadline or an upcoming audit, email contact@pistachioapp.com to book your demo.