Prove your security measures work — the way NIS2, DORA, and GDPR now require
Three regulations, one demand: evidence that your controls are effective, not just that you have them. Here's how to prove it for the layer that's hardest to measure — how your people actually behave.
Compliance moved from "do you have it" to "does it work"
NIS2, DORA, and GDPR each now expect you to show that your security measures are effective — tested, measured, and reviewed over time. Policies, training records, and tool licences answer a question regulators have stopped asking. The question now is whether any of it changed behaviour. For your technical controls, you can measure that. For your people, most teams still can't — and that's the gap that turns an audit into a finding.
Completion rates aren't effectiveness
A finished course proves attendance. A phishing-simulation click rate proves one moment on one email. Neither shows whether your people handle real risk more safely than they did last quarter. Effectiveness is a trend in behaviour: more people using MFA, fewer risky sharing actions, faster improvement after you act. That trend is the evidence every one of these regulations is now asking to see.
See the full activity metrics vs. behavioural evidence comparisonProve it from data you already generate
Your people work in Microsoft 365 every day, and their security behaviour is already in that signal. Praxis Navigator turns it into rolling baselines and before-and-after evidence — the proof that your measures work, in the language auditors and boards accept. You connect once. You see months of history from day one. You prove what's improving.
The plan
Connect — Connect Microsoft 365 in 15 minutes. No sales call, no project.
See — See behavioural baselines immediately, including months of history.
Prove — Show before-and-after evidence that your measures are working.
Peer-reviewed field research
29–55%
of the variation in phishing susceptibility is attributable to organizational-level factors, not individual ones.
Measured across 83,269 employees in 510 organizations, using their real responses to phishing campaigns.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
Industry forecast
Gartner expects that by 2030, the major cybersecurity control frameworks will judge human risk by measurable behaviour change rather than training completion.
Gartner, cybersecurity trend guidance.
Peer-reviewed field research
When employees believed their colleagues were already handling security well, they became more susceptible to phishing, not less — a boomerang effect. A clear, salient security policy could likewise increase casual link-clicking.
From the same field study of 83,269 employees across 510 organizations.
Petrič, G., & Roer, K. (2022). The impact of formal and informal organizational norms on susceptibility to phishing. Telematics and Informatics, 67, 101766. Licensed under CC BY 4.0.
One requirement, three regulations
Whichever regime brought you here, the obligation rhymes. See how NIS2, DORA, and GDPR each frame the same demand — and what satisfies it.
NIS2 requires you to test whether your awareness and training are effective, and to run a documented process that assesses whether your risk-management measures work. Applies to essential and important entities across 18 sectors.
DORA requires financial entities to monitor the effectiveness of their digital operational resilience strategy, and makes security awareness and resilience training compulsory for every employee and board member. Applies to EU financial entities.
GDPR Article 32 requires a process for regularly testing, assessing and evaluating the effectiveness of your security measures. Applies to any organization processing personal data.