The Regulations Are Siloed. The Threats Are Not.
Across Europe and beyond, over a hundred binding and standards-setting regulatory frameworks are now setting requirements for organizations to identify, assess, and mitigate threats. From cybersecurity to terrorist financing to AI governance, the scope is unprecedented. So is the overlap.
Consider a European-based platform with users across the EU, UK, and Australia. In the EU, the Digital Services Act requires content moderation and transparency reporting, with additional risk assessment obligations for the largest platforms. The Terrorist Content Online Regulation requires the removal of terrorist content within one hour of receiving a removal order, with designated contact points available around the clock. In the UK, the Online Safety Act imposes its own content and age assurance obligations. Australia's Abhorrent Violent Material Act creates criminal liability for hosting providers that fail to expeditiously remove extreme violent content once aware of it. If the platform handles payments, AML/CFT obligations apply. If it uses algorithmic recommendations or moderation, the EU AI Act applies, with most of its obligations taking effect from August 2026. Counter-terrorism content obligations differ in definition and procedure across each of these jurisdictions.
No single regulation covers all of this. But taken together, they share a common dependency: access to current, contextual threat intelligence that spans multiple domains.
The compliance window is closing
Most of these frameworks are already in force or will be by mid-2027. The NIS2 transposition deadline passed in October 2024, though as of early 2026, a significant number of Member States have not yet completed transposition. DORA has been fully enforceable since January 2025. The EU's new Anti-Money Laundering Authority (AMLA) became operational in July 2025, with the AML Single Rulebook applying from 10 July 2027. The CER Directive's entity identification deadline is 17 July 2026. Penalties are substantial: up to 2% of global turnover for essential entities under NIS2, 4% under GDPR, and 6% under the DSA, with criminal liability for individuals in some frameworks.
The practical challenge is that compliance with any one of these regulations increasingly requires awareness of threats that fall under another. A ransomware attack on critical infrastructure is a NIS2 event, but an effective response depends on understanding the threat actor behind it. Is this a financially motivated criminal group, or a state-affiliated operation using ransomware as cover for espionage or disruption? The answer changes the risk assessment, the reporting obligations, and the defensive measures required. That answer comes from counter-terrorism and geopolitical intelligence, not just the cybersecurity silo. Suspicious financial flows trigger AML obligations, but tracing them often leads to organized crime, sanctions evasion, or cyber-enabled fraud. The regulations are siloed. The threats are not.
What we mapped
Our regulatory intelligence database now tracks 129+ pieces of legislation, standards, and frameworks across multiple jurisdictions, from EU-wide directives to national implementations in Norway, Sweden, the Netherlands, Germany, Finland, Denmark, the UK, and beyond. We also cover relevant international instruments from the UN, Council of Europe, FATF, and ISO.
For each, we have documented the scope, key obligations relevant to threat intelligence, enforcement mechanisms, and how cross-domain intelligence capabilities address specific compliance requirements. Across these regulations, we have extracted and categorized over 300 individual compliance obligations and mapped more than 265 regulatory definitions that shape how those obligations are interpreted in practice. These numbers grow every week as we add new frameworks and deepen our coverage of existing ones.
The interactive version of this mapping is available on our website, where the most relevant frameworks are presented as interactive cards: a concise summary on the front, with detailed analysis, enforcement information, and relevance mapping available on click. The underlying database is updated weekly and covers far more than what's on the surface.
The pattern we see
Three things stand out from mapping this landscape at scale.
First, the regulatory environment itself is creating mandatory demand for cross-domain threat intelligence. Consider a European logistics company with operations across the Nordics. NIS2 and the CER Directive require cybersecurity and physical resilience assessments. If it handles security-classified contracts or operates designated critical infrastructure in Norway, Sikkerhetsloven adds security clearance obligations, and Eksportkontrolloven imposes export control requirements for any controlled or dual-use goods in its supply chain. The EU Forced Labour Regulation (fully applicable from December 2027) will prohibit placing products made with forced labour on the EU market and require companies to ensure their supply chains are free of forced labour. The CSDDD (first application delayed to July 2029 and scope narrowed following 2025 amendments) adds formal supply chain due diligence obligations. And if any of its cargo or counterparties intersect with sanctioned entities, EU and UN sanctions frameworks apply simultaneously. Cybersecurity, counter-terrorism, sanctions, export control, and supply chain integrity all converge on the same organization. The silos between these domains are a regulatory artefact, not an operational reality.
Second, the penalties are converging upward. Fines scaled to global turnover, personal liability for senior managers, and criminal sanctions are becoming the norm rather than the exception. The cost of non-compliance is no longer abstract.
Third, the timeline is compressed. Most obligations are already active or will take effect within the next 12 months. Organizations that haven't started building their threat intelligence capabilities for cross-regulatory compliance are running out of runway.
Why this matters to us
Nowhere is this convergence more visible than in financial services. DORA became enforceable in January 2025. AMLA went operational in July 2025 and has already taken over AML/CFT coordination powers from the EBA. The AML Single Rulebook applies from 10 July 2027. A Nordic bank with international correspondent relationships now sits at the intersection of operational resilience (DORA), anti-money laundering (Hvitvaskingsloven in Norway, FATF standards globally), EU and UN sanctions, cybersecurity (NIS2), and counter-terrorism financing obligations tracing back to UNSCR 1373. Suspicious financial flows don't stay in the AML lane; they trace into organized crime, sanctions evasion, and state-sponsored activity. That is where the regulatory landscape is heading for every sector: more overlap, more cross-domain obligations, more pressure to connect intelligence that was previously siloed.
Revontulet was built to address exactly this problem. We connect intelligence across cyber threats, counter-terrorism, geopolitical risk, financial crime, organized crime, disinformation, and influence operations into a unified analytical environment. We do this because the real world doesn't respect regulatory boundaries, and neither do the threat actors operating within it.
The regulatory landscape is catching up to what practitioners have known for years: threats are interconnected, and intelligence needs to be too.
If you want to understand how these regulations apply to your organization specifically, or how your existing policies measure up against the obligations that matter most, get in touch. We help organizations turn regulatory complexity into a clear, prioritized action plan.

