{"id":27326,"date":"2026-05-12T11:23:07","date_gmt":"2026-05-12T09:23:07","guid":{"rendered":"https:\/\/pegamento.nl\/from-compliance-to-control\/"},"modified":"2026-06-03T15:26:00","modified_gmt":"2026-06-03T13:26:00","slug":"from-compliance-to-control","status":"publish","type":"page","link":"https:\/\/pegamento.nl\/en\/from-compliance-to-control\/","title":{"rendered":"From compliance to control"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"27326\" class=\"elementor elementor-27326 elementor-26646\" data-elementor-settings=\"{&quot;ha_cmc_init_switcher&quot;:&quot;no&quot;}\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-75c12569 e-flex e-con-boxed e-con e-parent\" data-id=\"75c12569\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;slideshow&quot;,&quot;background_slideshow_gallery&quot;:[{&quot;id&quot;:27328,&quot;url&quot;:&quot;https:\\\/\\\/pegamento.nl\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Remco-Shannon.webp&quot;}],&quot;background_slideshow_slide_duration&quot;:5000,&quot;background_slideshow_slide_transition&quot;:&quot;fade&quot;,&quot;background_slideshow_transition_duration&quot;:500,&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-7a499fdb e-grid e-con-full e-con e-child\" data-id=\"7a499fdb\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t<div class=\"elementor-element elementor-element-187b23cf e-con-full e-flex e-con e-child\" data-id=\"187b23cf\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1851b61e elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"1851b61e\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"p1\">Why modern security requires proof, ownership and consistency<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-6fd2eac e-con-full e-flex e-con e-child\" data-id=\"6fd2eac\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1e0e5222 elementor-align-left elementor-hidden-desktop elementor-hidden-tablet elementor-hidden-mobile elementor-widget elementor-widget-button\" data-id=\"1e0e5222\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/pegamento.nl\/wp-content\/uploads\/2025\/11\/De-renaissance-van-klantcontact-in-2030_webversie.pdf\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t<span class=\"elementor-button-icon\">\n\t\t\t\t<svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-chevron-right\" viewBox=\"0 0 320 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M285.476 272.971L91.132 467.314c-9.373 9.373-24.569 9.373-33.941 0l-22.667-22.667c-9.357-9.357-9.375-24.522-.04-33.901L188.505 256 34.484 101.255c-9.335-9.379-9.317-24.544.04-33.901l22.667-22.667c9.373-9.373 24.569-9.373 33.941 0L285.475 239.03c9.373 9.372 9.373 24.568.001 33.941z\"><\/path><\/svg>\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Download whitepaper<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1f4435e9 elementor-align-left 
elementor-widget elementor-widget-button\" data-id=\"1f4435e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"button.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-button-wrapper\">\n\t\t\t\t\t<a class=\"elementor-button elementor-button-link elementor-size-sm\" href=\"https:\/\/pegamento.nl\/en\/contact-2\/\">\n\t\t\t\t\t\t<span class=\"elementor-button-content-wrapper\">\n\t\t\t\t\t\t<span class=\"elementor-button-icon\">\n\t\t\t\t<svg aria-hidden=\"true\" class=\"e-font-icon-svg e-fas-chevron-right\" viewBox=\"0 0 320 512\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\"><path d=\"M285.476 272.971L91.132 467.314c-9.373 9.373-24.569 9.373-33.941 0l-22.667-22.667c-9.357-9.357-9.375-24.522-.04-33.901L188.505 256 34.484 101.255c-9.335-9.379-9.317-24.544.04-33.901l22.667-22.667c9.373-9.373 24.569-9.373 33.941 0L285.475 239.03c9.373 9.372 9.373 24.568.001 33.941z\"><\/path><\/svg>\t\t\t<\/span>\n\t\t\t\t\t\t\t\t\t<span class=\"elementor-button-text\">Questions about customer contact?<\/span>\n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d9645e0 elementor-widget elementor-widget-heading\" data-id=\"1d9645e0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">From compliance to control<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b044ed3 e-flex e-con-boxed e-con e-parent\" data-id=\"b044ed3\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-0cc592f e-con-full e-flex e-con e-child\" data-id=\"0cc592f\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-545ab9b elementor-widget elementor-widget-shortcode\" data-id=\"545ab9b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\"><div class=\"_df_book df-lite\" id=\"df_26653\"  _slug=\"26653\" data-title=\"whitepaper-van-compliance-naar-controle\" wpoptions=\"true\" thumb=\"https:\/\/pegamento.nl\/wp-content\/uploads\/2026\/05\/Whitepaper-Van-compliance-naar-controle_thump-1-scaled.webp\" thumbtype=\"\" ><\/div><script class=\"df-shortcode-script\" nowprocket type=\"application\/javascript\">window.option_df_26653 = {\"outline\":[],\"backgroundColor\":\"#e6f5fa\",\"autoEnableOutline\":\"false\",\"autoEnableThumbnail\":\"false\",\"overwritePDFOutline\":\"false\",\"direction\":\"1\",\"pageSize\":\"0\",\"source\":\"https:\\\/\\\/pegamento.nl\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Whitepaper-Van-compliance-naar-controle.pdf\",\"wpOptions\":\"true\"}; if(window.DFLIP && window.DFLIP.parseBooks){window.DFLIP.parseBooks();}<\/script><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3beb8b9 e-flex e-con-boxed e-con e-parent\" data-id=\"3beb8b9\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-75a9dfe e-con-full e-flex e-con e-child\" data-id=\"75a9dfe\" data-element_type=\"container\" data-e-type=\"container\" 
data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t<div class=\"elementor-element elementor-element-90c227b e-con-full e-flex e-con e-child\" data-id=\"90c227b\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t<div class=\"elementor-element elementor-element-2e691f9 e-con-full e-flex e-con e-child\" data-id=\"2e691f9\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t<div class=\"elementor-element elementor-element-8a1b586 e-con-full e-flex e-con e-child\" data-id=\"8a1b586\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-68a2ed9 elementor-widget elementor-widget-heading\" data-id=\"68a2ed9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Ready for the next step?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-11c9f3e elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"11c9f3e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p data-start=\"147\" data-end=\"326\">We are happy to help you with concrete answers or a solution that fits your organization.<\/p><ul data-start=\"370\" data-end=\"557\"><li data-start=\"370\" data-end=\"425\"><p data-start=\"372\" data-end=\"425\"><strong data-start=\"372\" data-end=\"394\">Personalized advice<\/strong> tailored to your situation<\/p><\/li><li data-start=\"426\" data-end=\"488\"><p data-start=\"428\" data-end=\"488\"><strong data-start=\"428\" data-end=\"454\">In-depth information<\/strong> not in 
the white paper<\/p><\/li><li data-start=\"489\" data-end=\"557\"><p data-start=\"491\" data-end=\"557\"><strong data-start=\"491\" data-end=\"525\">A no-obligation meeting<\/strong> with one of our specialists<\/p><\/li><\/ul><p data-start=\"559\" data-end=\"668\">Leave your details and we&#8217;ll get back to you soon. We look forward to thinking with you! <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-62d5203 e-con-full e-flex e-con e-child\" data-id=\"62d5203\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t<div class=\"elementor-element elementor-element-6cdfea3 e-con-full e-flex e-con e-child\" data-id=\"6cdfea3\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t<div class=\"elementor-element elementor-element-b34bf77 e-con-full e-flex e-con e-child\" data-id=\"b34bf77\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8e491ea elementor-widget elementor-widget-html\" data-id=\"8e491ea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script charset=\"utf-8\" type=\"text\/javascript\" src=\"\/\/js.hsforms.net\/forms\/embed\/v2.js\"><\/script><script>hbspt.forms.create({\r\n    portalId: \"9343506\",\r\n    formId: \"b7249951-870a-4137-9485-b1e0714f32c4\",\r\n    region: \"na1\"\r\n  });\r\n<\/script>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4de87cb e-flex e-con-boxed e-con e-parent\" data-id=\"4de87cb\" data-element_type=\"container\" 
data-e-type=\"container\" data-settings=\"{&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2960f88 elementor-widget elementor-widget-text-editor\" data-id=\"2960f88\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>If you want to read the knowledge document as plain text, you can do so below:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1c9ddac ha-has-bg-overlay elementor-widget elementor-widget-text-editor\" data-id=\"1c9ddac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3>Summarized in key points<\/h3><ul><li data-section-id=\"7kgk81\" data-start=\"0\" data-end=\"145\">Security is no longer a purely IT issue, but an organizational competency in which technology, processes, governance and administration come together.<\/li><li data-section-id=\"15u3heu\" data-start=\"147\" data-end=\"264\">The market is shifting from <strong data-start=\"173\" data-end=\"203\">having security measures<\/strong> to <strong data-start=\"209\" data-end=\"263\">being able to demonstrably prove that measures work<\/strong>.<\/li><li data-section-id=\"z1qce\" data-start=\"266\" data-end=\"388\">AVG, NIS2 and DORA increase the emphasis on accountability, governance, risk management and management responsibility.<\/li><li data-section-id=\"1cmpos2\" data-start=\"390\" data-end=\"549\">The biggest risks are often not in missing tooling, but in poor cohesion, fragmented ownership and weak processes such as off-boarding.<\/li><li data-section-id=\"1ntue8h\" data-start=\"551\" data-end=\"682\">Logging, access management and incident response have value only if they are usable, auditable and reconstructible in 
retrospect.<\/li><li>The most important lesson &#8220;after Odido&#8221; is that organizations must organize verifiable consistency among systems, people, processes, responsibilities and evidence.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4beee3c elementor-widget elementor-widget-text-editor\" data-id=\"4beee3c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Authors: <\/b><b>Remco Pabst, Business Consultant, and Shannon Breuer, Chief Information &#038; Security Officer (CISO), both working at Pegamento.<\/b><\/p><p><b>Date: May 2026<\/b><\/p><h2><b>From compliance to control<\/b><\/h2><ol><li>Executive summary<\/li><\/ol><p>The cyber incident at Odido in February 2026 shows why security can no longer be treated exclusively as an IT issue. Odido reported that personal data had been affected via a customer contact system that was in use, even though operational services had not been disrupted and there was no indication at the time that passwords, call data or billing information were involved. Strategically this matters because an organization does not have to shut down completely to still face tough questions about access management, logging, retention periods, customer trust and managerial control.<\/p><p>At Pegamento, we see the central question in the market shifting. The focus is no longer only on whether an organization has taken security measures, but mainly on whether it can show who had access, what actions were performed, what decisions were made, which measures demonstrably work and who is responsible for what. This shift aligns with broader developments in laws and regulations. 
Alongside integrity and confidentiality, the GDPR also contains the accountability principle. Organizations must therefore not only act compliantly, but also be able to substantiate this convincingly.<\/p><p>The same movement is visible outside the privacy domain. NIS2 places cybersecurity more explicitly in the boardroom, with governance, risk management, notification obligations, supply-chain security and management responsibility as recurring themes. For the financial sector, DORA has applied since January 17, 2025, and concretely links digital operational resilience to monitoring, testing, third-party risk and incident management. In the Netherlands, the Cyber Security Act was not yet in effect on April 20, 2026, but preparing for it is already a real organizational issue.<\/p><table><tbody><tr><td width=\"605\"><p><strong>The core conclusion of this white paper is therefore simple but far-reaching: security is no longer a stand-alone IT issue, but an organizational competency that hinges on demonstrable cohesion between technology, processes and governance.<\/strong><\/p><\/td><\/tr><\/tbody><\/table><p>Organizations that take this shift seriously invest not just in tooling, but in governable cohesion between identity, logging, off-boarding, awareness, contractual agreements, incident response and management accountability. That lowers risk, increases auditability and reinforces trust with customers, partners, regulators and directors.<\/p><ol start=\"2\"><li>Introduction: the shift everyone feels<\/li><\/ol><p>Every market has tipping points: moments when an incident not only has technical or legal consequences, but raises a broader management question. The incident at Odido is such a moment. 
Not because one case explains the entire market, but because events like this make visible how security issues arise in customer contact environments, process chains, supporting systems and governance choices &#8211; and thus not only in firewalls, networks or endpoints.<\/p><p>For many organizations, this shift already feels intuitively recognizable. Clients are asking different due-diligence questions. Procurement and legal teams want more substantiation. Auditors ask not just for policy documents, but for evidence. Regulators look not just at whether measures exist, but at whether an organization can reconstruct its choices, risk considerations and actions.<\/p><p>This white paper is written from that reality. Not as a product brochure, nor as an incident analysis of one brand, but as a strategic interpretation of a broader development Pegamento sees in practice: organizations become vulnerable when IT, Legal and Operations each approach security in part, but no one manages the whole.<\/p><ol start=\"3\"><li>Why this topic is relevant now<\/li><\/ol><p>There are three reasons why this issue is especially urgent now. The first is the changing threat landscape. Cyber incidents affect not only the technical environment, but often directly customer processes, data flows and chain dependencies. Good log information and a practiced incident response are therefore no longer a luxury, but preconditions for managerial grip.<\/p><p>The second is the escalating impact of incidents. The IBM Cost of a Data Breach Report 2024 reported a global average cost per data breach of USD 4.88 million. In addition, 70 percent of the organizations surveyed reported that their operations were significantly or at least noticeably disrupted. This underscores that cyber incidents are not just security problems, but business operations problems.<\/p><p>The third is the growing managerial and legal weight of the issue. 
NIS2 raises the European bar for cybersecurity in essential and important sectors and makes it clear that directors and senior management cannot stand aloof. For the financial sector, this reality already applies concretely through DORA. The implication is clear: security is increasingly judged on demonstrable control, not just technical intent.<\/p><ol start=\"4\"><li>Background and market context<\/li><\/ol><p>For years, security was translated primarily into technology. Firewalls, endpoint protection, SIEM, IAM, segmentation, monitoring, patching and cloud hardening were all necessary, but rarely sufficient. This technical focus was understandable at a time when the dominant question was: can we prevent attacks or detect them faster?<\/p><p>Today, the bar has been raised. The question is no longer simply whether an organization has measures in place, but whether it can demonstrate their operation in conjunction with processes, responsibilities and decision-making. Accountability is thus not a semantic addition, but a fundamental change in the way organizations are judged.<\/p><p>In addition, digital chains have become more complex. Identities run through central identity providers and through local exceptions. Applications access data through APIs. Employees work hybrid. Suppliers manage parts of the stack. Customer contact platforms are connected to CRM, ticketing, analytics and knowledge bases. This creates risk not only in &#8220;the infrastructure,&#8221; but precisely in the transitions between systems, roles, rights, management processes and contractual responsibilities.<\/p><ol start=\"5\"><li>What organizations often think security is, and why that&#8217;s no longer enough<\/li><\/ol><p>Many organizations still think of security primarily in terms of technology, tooling, certification and checklist compliance. This easily creates an appearance of maturity. There is an IAM solution, so access is regulated. 
There is logging, so reconstruction is possible. There is awareness training, so the human factor is covered. There is policy, so governance exists.<\/p><p>Practice shows a different picture. A central identity solution can coexist perfectly well with local exception accounts in applications. On paper, least privilege is set up, but in practice access persists after role changes or departures. Or there is logging on multiple layers, but the events are not correlated, timestamps are not harmonized and ownership of the analysis is missing. Then there is data, but not yet evidence.<\/p><p>The difference between &#8220;having measures&#8221; and &#8220;having control&#8221; almost always lies in consistency. Security usually fails not for lack of a tool, but for lack of ownership, lifecycle management, review and explainability.<\/p><ol start=\"6\"><li>What customers, regulators and stakeholders really want to know today<\/li><\/ol><p>The questions Pegamento sees in customer processes, audits and due-diligence processes are rarely phrased in purely technical terms anymore. They usually revolve around control, demonstrability and accountability.<\/p><ul><li>Who has access to what data, on what basis and through what mechanism?<\/li><li>Can you reconstruct which user performed which action, at what time and in which system?<\/li><li>How are onboarding, job changes and off-boarding set up, and what controls are in place for them?<\/li><li>Who owns the process, the system, the risk assessment and each exception?<\/li><li>How does the organization ensure safe behavior, a reporting culture and the ability to escalate?<\/li><\/ul><p>These questions are strategically relevant because they all test the same thing: not whether an organization is theoretically secure, but whether it can explain its security managerially and operationally. That is the real difference between a technical security approach and a mature organizational approach. 
<\/p><ol start=\"7\"><li>Where things go wrong in practice<\/li><\/ol><p>7.1 Logging without context<\/p><p>Logging is essential, but logging without context provides a false sense of security. In many organizations, log data exists, but the connection between application, API, platform and identity is missing. This creates fragments of truth rather than a single manageable factual picture.  <\/p><p>A useful logging strategy therefore does not start with &#8220;log more,&#8221; but with three design questions: what decisions or actions should we be able to reconstruct later, what sources are needed to do so, and who is responsible for quality, correlation, retention and interpretation?<\/p><p>7.2 Off-boarding as a weak link<\/p><p>Off-boarding is still too often seen as an HR afterthought rather than a security moment. That&#8217;s risky. The weakness is rarely just in the primary account, but rather in local applications, group memberships, tokens, administrator roles, API keys, mobile access and exception rights.  <\/p><p>Organizations that approach off-boarding maturely make departure not a loose checklist at the end of a process, but a controlled chain with trigger, execution, verification and demonstrable closure.<\/p><p>7.3 Fragmented responsibility<\/p><p>Many organizations have expertise, but lack end-to-end ownership. IT manages systems. Legal sets requirements. Operations manages processes. HR processes personnel changes. Security monitors frameworks. But who is responsible for the demonstrable operation of the whole?      
<\/p><p>It is precisely in that in-between space that the questions arise on which audits, incidents and customer investigations get bogged down: who decided that an exception was acceptable, who verified that an account was actually closed, and who monitors the relationship between contractual agreements, logging, retention periods and access?<\/p><p>7.4 Awareness as a one-time action<\/p><p>Awareness is necessary, but annual training does not make an organization resilient. Employees must not only recognize risks, but also know what to do when in doubt. Awareness only really works when it becomes part of process design: clear verification steps, recognizable communication, simple reporting routes, limited authority and consistent leadership.<\/p><ol start=\"8\"><li>The legal perspective: from compliance to accountability<\/li><\/ol><p>From a legal perspective, the key shift is that being compliant on paper is no longer enough. Organizations must be able to show why their setup is appropriate, how measures were chosen, how exceptions are controlled and how actual operation matches what is described in policies, contracts and procedures.<\/p><p>That makes accountability a practical organizational principle. It is not just about privacy documentation, but directly about architecture, access management, logging, retention periods, incident logging, supplier steering and decision-making. The legal risks of weak demonstrability are broader than fines alone. They also touch reputation, contractual relationships, evidentiary position and managerial credibility.<\/p><p>This is precisely why the focus is shifting from &#8220;being compliant&#8221; to &#8220;being demonstrably compliant.&#8221; Organizations must not only be secure, but be able to explain and prove that their measures are appropriate, current and governable.<\/p><ol start=\"9\"><li>The practice perspective: what security really looks like in systems, processes and chains<\/li><\/ol><p>In theory, security sounds straightforward. 
In practice, it is layered. A user action rarely touches a single system. An employee logs in through an identity provider, uses a customer contact application, accesses data through an API and leaves traces in monitoring, ticketing and management environments. If those sources do not come together logically, a reconstruction problem arises.<\/p><p>The same is true for access management. The main identity may sit centrally, but rights also live in groups, application roles, local exceptions, vendor accounts, service identities and emergency accesses. As a result, &#8220;we have SSO&#8221; is not proof of control; at most, it is part of it.<\/p><p>Procedurally, the reality is equally unruly. A role change in HR does not automatically mean that rights are adjusted in all chains. A supplier may perform management tasks while the client remains legally responsible. A temporary exception can become structural. A project may demand speed, causing governance to be treated as a closing item. Thought leadership therefore does not start with denying these trade-offs, but with making them governable.<\/p><ol start=\"10\"><li>Analysis: risks, bottlenecks and misunderstandings<\/li><\/ol><p>The biggest misconception in the market is that security fails primarily because of too little technology. Much more often, security fails because of a lack of coherence. Logging is confused with proof. Compliance is confused with documentation. Awareness is confused with assurance. Governance is confused with designating one responsible function with no mandate over the whole.<\/p><p>A second misconception is that existing systems are naturally out of scope because they are legacy. In reality, legacy environments often increase the tension between speed, risk and demonstrability. Legacy systems call not for tolerance, but for an explicit managerial decision: mitigate, isolate, replace or phase out.
<\/p><p>A third misconception is that security ownership can, in practice, be placed entirely with IT. Legislation, customer demands and regulatory requirements show that this is not tenable. Cyber resilience touches governance, compliance, operations, procurement and supplier management equally.  <\/p><ol start=\"11\"><li>Analysis: opportunities, strategic options and organizational value<\/li><\/ol><p>The positive flip side is that the same development also offers opportunities. Organizations that can demonstrate security not only strengthen their resilience, but also their market position. Clients, partners and auditors experience demonstrable control as a sign of maturity and reliability.  <\/p><p>In addition, a mature security approach can increase operational agility. When identity lifecycle, logging, exception management and governance are well established, changes can occur faster and more securely. Security then becomes not a brake on innovation, but a condition for controlled acceleration.  <\/p><p>Finally, the quality of decision-making increases. Those with visibility into access, chains, critical processes and third-party dependencies make better choices about sourcing, platform selection, retention, monitoring, contracting and crisis response. This is precisely why modern regulation places so much emphasis on resilience and managerial grip.  <\/p><ol start=\"12\"><li>Practical applications and use cases<\/li><\/ol><p>Use case 1 &#8211; customer contact platform under due diligence<\/p><p>An organization uses multiple systems for customer contact, CRM and knowledge management. After a market incident, a large customer asks additional questions. Not about firewalls or certificates, but about access, logging, vendor roles, processor agreements and off-boarding.  
<\/p><p>The organization with a mature model can show within a short time what roles exist, how access is granted, what administrator actions are logged, what exceptions exist, how long log data remains available, and what governance applies to role changes or departures. The organization without consistency is stuck with loose exports, policy documents and assumptions.<\/p><p>Use case 2 &#8211; employee leaves with broad operational access<\/p><p>On an unexpected departure, a mature organization does not just disable the primary account, but closes the entire identity lifecycle: SSO, local applications, administrator roles, group memberships, tokens, shared credentials, mobile access and physical access. The difference lies in process discipline, automation and verification.<\/p><p>Use case 3 &#8211; incident analysis without managerial confusion<\/p><p>When suspicious access to sensitive data is discovered, layered logging combined with clear team roles makes it possible to quickly determine which accounts were involved, which systems were affected, which notification pathways need to be activated and which communications are actually justified. Without that preparation, the exact opposite occurs: technical teams investigate, Legal waits to be sure, Operations wants to move on and management wants answers without a shared factual picture.<\/p><ol start=\"13\"><li>Pegamento vision: what organizations need to understand and do now<\/li><\/ol><p>Pegamento&#8217;s vision is that organizations must redefine security. Not as a collection of tools, but as manageable cohesion between identities, rights, processes, logging, decision-making and chain responsibility.<\/p><ul><li>Shift from perimeter thinking to identity thinking. Those who control access control risk &#8211; provided exceptions and lifecycle processes are in scope.<\/li><li>Shift from logging as a technique to logging as evidence. Log only what can be interpreted, correlated and used later. 
<\/li><li>Shift from compliance on paper to accountability in practice. Documentation is credible only when it matches actual system behavior and process execution. <\/li><li>Shift from awareness as a campaign to awareness as a design principle. Build verification, reporting culture and safe defaults into processes. <\/li><li>Shift from implicit collaboration to explicit ownership. IT, Legal and Operations should work together, but with clear mandate and governance. <\/li><li>Shift from project-based improvements to structural governance. Resilience is not a temporary program but an ongoing governance task. <\/li><\/ul><p>For organizations that want to act now, the most important practical question is not which tool to purchase first, but what evidence will be needed tomorrow to explain to the customer, auditor, regulator or board how the organization maintains control.<\/p><ol start=\"14\"><li>Conclusion<\/li><\/ol><p>The lesson &#8220;after Odido&#8221; is not that organizations primarily need more standalone security measures. The real lesson is that modern security hinges on verifiable consistency. <\/p><p>Organizations get stuck when IT secures systems, Legal establishes frameworks and Operations executes processes, but no one is integrally responsible for demonstrable operation. Then the familiar gaps emerge: logging without usability, permissions without lifecycle, awareness without behavior, policy without proof and governance without ownership. <\/p><table><tbody><tr><td width=\"605\"><p><strong>The organizations that will make the difference in the coming years are not necessarily those with the most tooling, but those that can connect security to business operations. That is precisely where Pegamento&#8217;s vision of digital resilience lies at its core. <\/strong><\/p><\/td><\/tr><\/tbody><\/table><ol start=\"15\"><li>Sources and factual support<\/li><\/ol><p>Incident context and current events<\/p><p>Odido &#8211; Cyber incident information page (2026). 
Used for factual information about the cyber incident, reference to a customer contact system and public indication that operational services had not been affected. <\/p><p>Odido Newsroom &#8211; Odido informs customers of cyber attack (Feb. 12, 2026). Used as primary source for the initial public interpretation of the incident. <\/p><p>Privacy, accountability and demonstrability<\/p><p>European Commission &#8211; Data protection explained. Used for AVG (GDPR) principles, including integrity, confidentiality and accountability. <\/p><p>European Data Protection Board &#8211; Accountability Tools. Used to explain that organizations must take appropriate technical and organizational measures and be able to demonstrate that processing is compliant. <\/p><p>European Data Protection Board &#8211; Data protection by design &#038; by default: When to act and what to do (February 2026). Used for the ongoing duty to take appropriate action and focus on existing or obsolete systems. <\/p><p>Cyber regulation and governance<\/p><p>European Commission &#8211; NIS2 Directive: securing network and information systems (Jan. 20, 2026). Used for scope, governance and management responsibility. <\/p><p>Digital Government &#8211; Cyber security law (March 5, 2026) and House of Representatives approves Cbw and Wwke (April 15, 2026). Used for Dutch status and expected implementation of the Cybersecurity Act. <\/p><p>De Nederlandsche Bank &#8211; DORA. Used for application date, content and supervisory dimension of DORA. <\/p><p>Logging, incident response and operational control<\/p><p>NCSC &#8211; The value of log information. Used for the need for log information to reconstruct events and user actions. <\/p><p>NCSC &#8211; Incident response plan, Incident response: where do I start? and Keep a grip on a cyber incident: use the Cyber Incident Log. Used for team roles, preparation and structured incident logging. <\/p><p>NIST &#8211; SP 800-92 Guide to Computer Security Log Management. 
Used as an authoritative source for log management as an enterprise-wide discipline. <\/p><p>Identity, awareness and operational discipline<\/p><p>idmanagement.gov &#8211; Identity Lifecycle Management Playbook. Used for provisioning, change management and immediate withdrawal of access on exit. <\/p><p>NIST &#8211; SP 800-53 Revision 5.1, AC-2 Account Management. Used for account management in relation to personnel termination, inactivity and auditing. <\/p><p>NCSC &#8211; Security awareness and related phishing\/social engineering pages. Used for the human factor, reporting behavior and securing cyber awareness. <\/p><p>Impact and business operations<\/p><p>IBM \/ Ponemon Institute &#8211; Cost of a Data Breach Report 2024 and IBM summary. Used for average global damage from a data breach and reported operational disruption. <\/p><ol start=\"16\"><li>Assumptions, limitations and concerns<\/li><\/ol><p>The content of this white paper is time-sensitive with respect to the status of the Odido incident, public information about it, and the progress of any follow-up investigation. New facts or technical findings may change the interpretation. <\/p><p>The status of the Dutch Cyber Security Act is also time-sensitive. As of April 20, 2026, the law was not yet in force. Final obligations, further elaboration and implementation dates may change due to parliamentary consideration and lower regulations. <\/p><p>Some of the conclusions in this white paper depend on context, sector and architecture. Organizations in the financial sector are already dealing with DORA; other organizations will be assessed more heavily on AVG, contractual requirements, NIS2\/Cybersecurity Act or industry-specific standards. <\/p><p>Finally, this document is a strategic and editorial white paper, not individual legal advice or a technical security audit. 
Where industry-specific interpretation or concrete compliance review is required, further assessment on an organization-by-organization basis remains necessary. <\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cf2c108 elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"cf2c108\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h3 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tRemco Pabst, Business Consultant at Pegamento<br \/>Shannon Breuer, Chief Information &amp; Security Officer (CISO) at Pegamento\t\t\t\t\t<\/h3>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tsecurity * accountability * governance * access management * logging * evidence * AVG * NIS2 * DORA * management responsibility * customer trust * risk management * off-boarding * identity lifecycle * incident response * chain responsibility * vendor risk * auditability * compliance * demonstrability * process control * ownership * awareness * customer contact systems * digital resilience\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item \">\n\t\t\t\t\t<a class=\"elementor-cta__button elementor-button elementor-size-\" href=\"https:\/\/pegamento.nl\/en\/contact-2\/\">\n\t\t\t\t\t\tEnter the conversation\t\t\t\t\t<\/a>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element 
elementor-element-112652d4 e-flex e-con-boxed e-con e-parent\" data-id=\"112652d4\" data-element_type=\"container\" data-e-type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;gradient&quot;,&quot;_ha_eqh_enable&quot;:false}\">\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Why modern security requires proof, ownership and consistency Download whitepaper Questions about customer contact? From compliance to control Ready for the next step? We are happy to help you with concrete answers or a solution that fits your organization. 
Personalized advice tailored to your situation In-depth information not in the white paper A no-obligation meeting [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":27327,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-27326","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/pages\/27326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/comments?post=27326"}],"version-history":[{"count":4,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/pages\/27326\/revisions"}],"predecessor-version":[{"id":27594,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/pages\/27326\/revisions\/27594"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media\/27327"}],"wp:attachment":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media?parent=27326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}