Volume One - April 2025

Subject – Upcoming Compliance Awareness

Welcome to the first instalment of our new Source Code Conversations series. Each month, we will question an expert from our team on an important topic, getting to the heart of the subject and providing useful information and advice. Up first is our Director of Cloud Services, Paul McAdam, who discussed upcoming regulations that organisations should be aware of and the potential implications of failing to prepare for them.


Matt Webb: Firstly Paul, thank you for being our first guest on Source Code Conversations! To kick us off, for anyone who doesn’t know you, please can you tell us a bit about yourself and your background? 

Paul McAdam: Yep.. Hi. I’m Paul McAdam – I’m one of the owners and directors here at Source Code Control. Like most small business owners, my role is really about keeping the company healthy. So, looking after our people. Ensuring we have good products which people want and ensuring we have the correct relationships with customers and partners.  

My background prior to Source Code Control.. I was at Microsoft for 14 years. A few years in the middle of that as an independent consultant.  

I’m also the chairperson of a charity called Sport in Mind which aims to improve the lives of people experiencing mental health problems through sport and physical activity.

Matt: Thanks for the intro, Paul. Now, onto the topic we’re here to discuss today, which is upcoming regulations and the potential impact on organisations. Which measures are we going to be covering please, and how serious are the potential consequences of not adhering to them please? 

Paul: Well there are a few! I think when we shape this up, I will ask the team to add a table below which summarises them all.  

We saw with GDPR that the European legislators introduced the threat of fines at 2% of worldwide revenue. There is another of those this year with NIS 2, which covers cybersecurity for critical industries.

| Jurisdiction | Item | Comments |
|---|---|---|
| EU | NIS 2 | Cybersecurity for critical industries. |
| EU | DORA | Digital Operations Resilience Act, applied as of Jan 2025. Aims to harmonise the rules for the financial sector and the applicable IT. Largely focuses on a risk identification and management framework which includes incident management. |
| EU | European Accessibility Act | Includes a lot of things like devices, but crucially websites. Based on WCAG standards; brings countries up to a specific standard. The law was passed in 2019 and becomes effective from June 2025. |
| US | Americans with Disabilities Act | In 2024 the DOJ ruled on something similar, which updated the Americans with Disabilities Act to require web content and applications provided by state and local government funded bodies to be fully accessible to people with disabilities. |
| EU | Cyber Resilience Act | Came into force Dec 24 and will apply from 11 Dec 2027. This one is largely about baking cybersecurity measures into products and making the product elements transparent. It covers all products which connect to another device or network, so it is very broad. |
| UK | PPN 006 | Taking account of carbon reduction plans for government procurement. |
| UK | PPN 016 | Carbon reduction schedule included in successful contracts. |

Matt: Ok, thank you for clearing that up, I’m sure that’s given people clear reason to read on! Let’s focus on a couple here then, and start with NIS 2, which I believe is already being enforced. Please can you tell us more about why this was put in place, who it impacts, and if there are specific penalties listed for non-compliance?

Paul: Yes.. NIS2 is the headline catcher because it comes with that 2% fine based on revenue. It targets critical industries, but the definition of critical industries is broad and it applies to anyone who is selling in the EU. So, don’t ignore it. In fact, if you learn nothing else from this, please go and find out if NIS2 applies to you! 

Critical industries include utilities and transport etc, but also retail, postal services and research.  

There’s a great resource by Irina Lundergan who is a Security Architect in my team where she discusses NIS2 in depth. I highly recommend reading that!

Matt: Pretty serious stuff then, and thank you for providing the extra resource for people if they want more details. Moving on, your earlier table talks about a new measure coming in the shape of the European Accessibility Act. Please can you tell us more about this, again who it will apply to, and what the implications could be?

Paul: Ok.. Yes. The European Accessibility Act was passed in 2019 and will become mandatory in June 2025 – meaning that all member states must have a law in place. This is being driven by the EN 301 549 directive, which harmonises everything with existing WCAG 2.1 standards. In theory, this is a broad-reaching act which covers all products and services including consumer electronics (TVs, smartphones, gaming consoles) but also websites and applications. Items like ticketing machines and phone services also fall into scope.

The penalties would apply only to public sector organisations, but “restrictions” are threatened for non-compliant commercial organisations. Ultimately, that would be country-by-country but could include things like disqualification from public-sector procurement.   

As far as software, hardware and websites are concerned, following a standard called WCAG 2.1 AA will cover the vast majority of the requirements. The team here at Source Code Control have a “gap analysis” assessment which includes some fantastic education content to point customers in the correct direction. 

Matt: Thanks Paul, I think that’s a really good overview for people on what’s coming. On both the NIS 2 and accessibility standards, if people need help to understand their readiness and plan for the future, what would you recommend they do? 

Paul: Obviously, pop along to our website or give us a call. In all seriousness, the European legislation is well covered on their website, which is europa.eu.

However, what we see is that neither customers nor their partners have the people or the time to invest in connecting the legislation to their own context and working out what needs to be done. At Source Code Control, we are doing this day in, day out and have a number of gap analysis type assessments for Accessibility, Security, FinOps etc.

Matt: Thank you, that’s great. And in closing, if people want to connect with you, where can they find you please? 

Paul: You can find and connect with me on LinkedIn via https://www.linkedin.com/in/paul-mcadam/, and I’ll ask the team to put a link below if anyone would like to follow up with me on anything we’ve covered, so that we can discuss it further.

That’s a wrap on our first instalment of Source Code Conversations. We hope you’ve enjoyed the format and the information that we’ve covered. If you would like to discuss your readiness for NIS 2 and/or the European Accessibility Act in more detail and with no obligation, please use the button below to follow up with our team. If you have an area that you would like us to cover on an upcoming instalment of the series, please email us at open@sourcecodecontrol.com with your suggestions – we’d love to hear from you.

Paul McAdam – Interviewee
Matt Webb – Interviewer
Aaron Wyld – Photographer
Zoe Hawkins – Editor
