It is obvious to everyone that digital security and data protection are important, and few understand this better than the operators and infrastructure providers who work with these systems every day. But there is a growing feeling that the EU, through its regulations, is actively pushing businesses away.

The sheer madness surrounding GDPR, NIS2, DORA, country-specific cybersecurity laws, data-center regulations, and multiple national data protection authorities has created an environment of extreme bureaucracy. In practice, this translates into enormous time consumption, excessive costs, and the need to maintain permanent in-house staff such as lawyers, GDPR specialists, CISOs, compliance managers, and external consultants. The whole system is designed so that the focus is not on the outcome itself, but on the procedures used to achieve it.
What makes the situation even worse is that many requirements which, at the EU level, are presented as high-level guidelines or relatively light recommendations are later transformed by national legislators into rigid, over-enforced laws. These laws are implemented in a way that effectively forces companies either to bluff their compliance on paper or, if they attempt to fully comply in practice, to become slow, inefficient, and ultimately uncompetitive.
At times, it almost feels as if this regulatory framework is being designed primarily for military use cases and for businesses directly serving defense and critical state infrastructure, where such levels of control and rigidity may be justified. For most commercial businesses, and especially for SMBs, this regulatory model is not just disproportionate, it is fatal.
What we are witnessing is an artificially inflated compliance industry that absorbs resources without creating real business value. Instead of enabling innovation, these regulations slow companies down, reduce agility, and significantly hurt operational efficiency.
On top of that, an unreasonable amount of internal time is consumed by staff who must continuously fill out endless questionnaires, assessments, and compliance forms. These are brought in by almost every third customer, often with little or no connection to real operational risks or practical reality. Entire teams are forced to focus on paperwork rather than actual delivery, engineering, or customer value.
At times, it even becomes necessary to carefully evaluate which clients you want to work with and which you don’t, simply because some customers introduce a disproportionate regulatory burden and legal exposure.
Take colocation providers, hardware rental companies, or pure cloud infrastructure providers as an example. Even when the provider has no access to customer data, they are still required to sign countless declarations, appendices, amendments, and regulatory commitments, often assuming responsibility for matters that are only marginally related to their actual services.
This topic alone could easily fill an entire book.
https://www.linkedin.com/pulse/eu-compliance-machine-who-does-really-protect-andris-gailitis-9yybf