FORTISEU
Compliance Strategy · 10 February 2026 · 10 min read · Attila Bognar

Continuous Control Monitoring Is Replacing Periodic Compliance

Periodic compliance gives management a snapshot. Continuous control monitoring gives leadership operational truth. Here is how to make the shift.

Tags: Continuous control monitoring, Compliance, Audit readiness, Control integrity, NIS2, DORA

Most compliance programs do not fail dramatically. They fail quietly — in the gap between the last audit and the next one, while controls that looked effective at review time degrade without anyone noticing. The organization that reported 94% compliance in Q3 discovers in Q1 that three critical controls drifted months ago. No one missed the policy. No one ignored the requirement. The monitoring model simply was not designed to catch drift in real time.

Continuous Control Monitoring (CCM) is not a product category or a vendor buzzword. It is a fundamental shift in how organizations verify that their security and compliance controls actually work, continuously, rather than assuming they work because they passed a point-in-time assessment. Under NIS2 Art. 21 and DORA Art. 6, this shift is no longer optional for regulated European entities — both frameworks require ongoing risk management and control effectiveness, not periodic attestation.

Why Periodic Compliance Creates Blind Spots

Periodic compliance was designed for a different era. Quarterly attestations, annual audits, and retrospective evidence collection made sense when IT environments changed slowly, when most controls were procedural, and when regulatory expectations focused on the existence of controls rather than their continuous effectiveness.

That era is over. Modern IT environments change daily. Cloud configurations shift. Access permissions accumulate. Vendor integrations update. Threat landscapes evolve. A control that was effective when tested in March may be ineffective by May — not because someone deactivated it, but because the environment it protects changed underneath it.

The blind spots created by periodic compliance are predictable and well-documented:

Drift goes undetected. Between assessment cycles, controls can degrade gradually. An access review that was current in January becomes stale by April. A firewall rule set that was correct after last quarter's review accumulates exceptions that nobody reconciles until the next cycle. The longer the gap between assessments, the more drift accumulates.

Evidence is reconstructed, not generated. When compliance teams prepare for audits, they assemble evidence retroactively — pulling logs, gathering screenshots, requesting attestations from control owners. This reconstruction is expensive, error-prone, and often reveals gaps that cannot be closed after the fact. Evidence that should have been captured at the time of control execution simply does not exist.

Exceptions hide in the gaps. Periodic models review what was true at assessment time. They do not capture exceptions that occurred and self-resolved between cycles. An unauthorized access that was granted and revoked between audits never appears in the compliance record, even though it may represent a significant control failure.

Audit fatigue compounds. Every periodic assessment cycle requires the same manual effort: evidence requests, owner follow-ups, gap reconciliation, remediation tracking. Teams that spend weeks preparing for each audit cycle are not doing compliance — they are doing audit theatre. The work consumes resources without improving the underlying control environment.

What Continuous Control Monitoring Actually Means

CCM replaces the assess-remediate-attest cycle with a fundamentally different operating model. Instead of periodically checking whether controls exist and have evidence, CCM validates controls through live signals and generates evidence as a natural byproduct of operations.

In a mature CCM model:

Controls are validated through live signals. Rather than asking a control owner to attest that their control works, the system collects technical evidence directly. Does the access review actually run on schedule? Are the results actioned? Does the encryption configuration match the policy? Are backup jobs completing successfully? These questions are answered by data, not by attestation.

Evidence is generated as work happens. When a control executes — an access review completes, a vulnerability is remediated, a configuration is validated — the evidence is captured automatically, timestamped, and stored in an audit-ready format. There is no retroactive evidence assembly because evidence collection is embedded in the control itself.

Exceptions surface close to event time. When a control fails or deviates from its expected behavior, the exception is detected in near-real-time, not at the next quarterly review. This means remediation can begin immediately, before the exception compounds or creates downstream failures.

Ownership is enforced in workflow. Each control has a defined owner, and that owner is notified automatically when their control requires attention. Ownership is not a field in a spreadsheet — it is an active accountability mechanism with escalation paths and time-bound response requirements.

Regulatory Drivers: NIS2 and DORA

The regulatory landscape is accelerating the shift to continuous monitoring. Both NIS2 and DORA impose requirements that are functionally incompatible with periodic-only compliance.

NIS2 Art. 21 requires essential and important entities to implement cybersecurity risk-management measures that are "appropriate and proportionate" to the risks. Critically, Art. 21(1) specifies that these measures must be based on an "all-hazards approach" and must protect network and information systems "and the physical environment of those systems." The ongoing nature of this obligation — "implement" and "maintain," not "establish" — implies continuous operation, not periodic assessment.

Art. 21(2) enumerates specific measures including policies on risk analysis and information system security (Art. 21(2)(a)), incident handling (Art. 21(2)(b)), business continuity (Art. 21(2)(c)), and supply chain security (Art. 21(2)(d)). Each of these domains generates control requirements that must operate continuously. An incident handling process that works during quarterly testing but fails during an actual incident is not compliant.

DORA Art. 6 requires financial entities to have a "sound, comprehensive and well-documented ICT risk management framework" that is "reviewed at least once a year" but — critically — must ensure "a high level of availability, authenticity, integrity and confidentiality of data" on an ongoing basis. Art. 6(5) specifically requires financial entities to "identify, classify and adequately document all ICT supported business functions, roles and responsibilities."

DORA Art. 9 adds requirements for ICT systems to be "continuously monitored and controlled" to ensure they are adequately protected. Art. 10 requires regular testing of ICT systems and tools. Together, these provisions create a regulatory expectation of continuous verification that periodic assessment alone cannot satisfy.

Technical Implementation of CCM

Moving from periodic to continuous monitoring requires investment in four technical capabilities.

Automated Evidence Collection

The foundation of CCM is automated evidence collection — the ability to capture control execution artifacts without manual intervention. This includes API integrations with identity providers (to verify access reviews and provisioning), cloud platforms (to validate configuration compliance), vulnerability scanners (to track remediation timelines), and endpoint management tools (to confirm patching and hardening).

FortisEU's evidence collection module is designed for exactly this purpose: it connects to your existing toolchain, captures control evidence at defined intervals, and stores it in a structured, searchable, audit-ready format. The difference between automated collection and manual evidence assembly is the difference between an operating system and a filing cabinet.

Drift Detection

Drift detection identifies when a control's actual state diverges from its expected state. This requires a defined baseline (the expected configuration, permission set, or process state), continuous comparison against that baseline, and alerting when deviation exceeds defined thresholds.

Effective drift detection is not binary. Not every deviation is a control failure — some are authorized changes that need to be reconciled with the baseline. The drift detection system must distinguish between unauthorized deviation (which requires immediate remediation) and authorized change (which requires baseline update). This distinction is operationally critical and often the point where naive CCM implementations generate alert fatigue.
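To make the authorized-versus-unauthorized distinction concrete, here is an added example (not FortisEU's code) of a drift check that compares observed control state with a baseline and uses approved-change records to decide whether a deviation is a baseline update or an open remediation item. The control names, configuration keys and change records are constructed sample data.

```python
"""Drift detection that separates unauthorized deviation from authorized change.
Baseline, observed state and approved changes are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Drift:
    control: str        # control identifier
    key: str            # configuration key that deviates from the baseline
    expected: object
    observed: object
    authorized: bool    # True -> reconcile baseline; False -> remediate

State = Dict[str, Dict[str, object]]   # control -> {key: value}

def detect_drift(baseline: State, observed: State, approved_changes: State) -> List[Drift]:
    """Compare each control's observed state with its baseline.
    approved_changes maps control -> {key: approved new value}; a deviation that
    matches an approved value is an authorized change, anything else is drift."""
    findings = []
    for control, expected_state in baseline.items():
        current = observed.get(control, {})
        approved = approved_changes.get(control, {})
        for key, expected in expected_state.items():
            actual = current.get(key)          # a missing key is itself a deviation
            if actual == expected:
                continue
            findings.append(Drift(control, key, expected, actual,
                                  authorized=(approved.get(key) == actual)))
    return findings

def reconcile(baseline: State, findings: List[Drift]) -> Tuple[State, List[Drift]]:
    """Fold authorized changes into a new baseline (the original is left untouched)
    and return it together with the unauthorized drift that still needs remediation."""
    new_baseline = {c: dict(v) for c, v in baseline.items()}
    open_drift = []
    for f in findings:
        if f.authorized:
            new_baseline[f.control][f.key] = f.observed
        else:
            open_drift.append(f)
    return new_baseline, open_drift

# Constructed sample data: one approved change, one silent deviation
BASELINE = {"storage-encryption": {"at_rest": "AES-256", "kms_key_rotation_days": 90},
            "admin-mfa": {"enforced": True, "allowed_methods": ("fido2",)}}
OBSERVED = {"storage-encryption": {"at_rest": "AES-256", "kms_key_rotation_days": 180},
            "admin-mfa": {"enforced": False, "allowed_methods": ("fido2",)}}
APPROVED = {"storage-encryption": {"kms_key_rotation_days": 180}}   # from a change ticket (constructed)

if __name__ == "__main__":
    new_base, open_items = reconcile(BASELINE, detect_drift(BASELINE, OBSERVED, APPROVED))
    for d in open_items:
        print(f"UNAUTHORIZED drift: {d.control}.{d.key} expected={d.expected!r} observed={d.observed!r}")
```

The rotation-period change is absorbed into the new baseline, while the disabled MFA enforcement is the only finding that reaches the exception workflow.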

Real-Time Control Effectiveness Scoring

Aggregate control effectiveness must be calculated and updated continuously, not assembled quarterly. This requires a scoring model that weights controls by criticality and regulatory relevance, incorporates evidence freshness (a control validated yesterday is more reliable than one validated six months ago), and degrades automatically when evidence ages past defined thresholds.
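The following is an added example (not FortisEU's scoring model) of one way to implement such a score: each control's contribution is weighted by criticality and decays as its latest evidence ages past a freshness threshold, so the aggregate degrades on its own when no new evidence arrives. The weight scale, thresholds and evidence timestamps are constructed assumptions.

```python
"""Criticality-weighted control effectiveness score with evidence-freshness decay.
Weights, thresholds and evidence dates are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

@dataclass
class ControlEvidence:
    control: str
    criticality: float          # assumed scale: 3.0 critical, 2.0 high, 1.0 standard
    passed: bool                # outcome of the latest automated check
    last_validated: datetime    # when that evidence was generated
    freshness_days: int         # evidence older than this starts to degrade
    grace_days: int             # after freshness + grace, the evidence counts as zero

def freshness_factor(ev: ControlEvidence, now: datetime) -> float:
    """1.0 while evidence is fresh, linear decay across the grace window, 0.0 once expired."""
    age_days = (now - ev.last_validated).total_seconds() / 86400
    if age_days <= ev.freshness_days:
        return 1.0
    overdue = age_days - ev.freshness_days
    return max(0.0, 1.0 - overdue / ev.grace_days)

def effectiveness_score(evidence: List[ControlEvidence], now: datetime) -> float:
    """Percentage of total criticality weight earned by controls that passed and still have current evidence."""
    total_weight = sum(ev.criticality for ev in evidence)
    if total_weight == 0:
        return 0.0
    earned = sum(ev.criticality * freshness_factor(ev, now) for ev in evidence if ev.passed)
    return round(100 * earned / total_weight, 1)

def degraded_controls(evidence: List[ControlEvidence], now: datetime) -> List[str]:
    """Controls whose evidence has aged past its freshness threshold (the ones owners get chased for)."""
    return [ev.control for ev in evidence if freshness_factor(ev, now) < 1.0]

def score_trend(evidence: List[ControlEvidence], start: datetime, days: int, step: int = 7) -> List[float]:
    """Projected score if no new evidence arrives: the trend line a board report would show."""
    return [effectiveness_score(evidence, start + timedelta(days=d)) for d in range(0, days + 1, step)]

NOW = datetime(2026, 2, 10, tzinfo=timezone.utc)
SAMPLE = [  # constructed evidence set
    ControlEvidence("access-review", 3.0, True, NOW - timedelta(days=2), 30, 30),
    ControlEvidence("backup-restore-test", 2.0, True, NOW - timedelta(days=45), 30, 30),   # mid-grace
    ControlEvidence("endpoint-patching", 2.0, False, NOW - timedelta(days=1), 7, 7),       # fresh but failed
    ControlEvidence("vendor-attestation", 1.0, True, NOW - timedelta(days=400), 365, 30),  # expired
]

if __name__ == "__main__":
    print(effectiveness_score(SAMPLE, NOW), degraded_controls(SAMPLE, NOW), score_trend(SAMPLE, NOW, 28, 14))
```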

The risk management capabilities within FortisEU calculate control effectiveness scores in real time, updating as new evidence arrives and as evidence ages. This gives CISOs and compliance officers a continuously current picture of their control posture rather than a periodic snapshot.

Exception Management Workflow

When CCM detects a control failure or deviation, the response must be automated and accountable. This means automatic assignment to the control owner, time-bound remediation with escalation paths, and audit trail capture of the full lifecycle: detection, assignment, investigation, remediation, and verification.

Exception management is where CCM delivers its most immediate value. Instead of discovering control failures months later during audit preparation, organizations detect and remediate them in days or weeks. The compliance posture improves not because the monitoring is better, but because the response is faster.

The Business Case for CCM

The shift from periodic to continuous monitoring is not just a regulatory compliance argument. It generates measurable operational benefits.

Reduced audit preparation cost. Organizations that implement CCM report 40-60% reduction in audit preparation effort because evidence is already collected, organized, and current. The audit becomes a review of continuously generated evidence rather than a scramble to assemble it.

Faster remediation cycles. When control failures are detected in days rather than quarters, remediation is simpler, cheaper, and less disruptive. A configuration drift caught in week one is a 30-minute fix. The same drift discovered six months later may require a full remediation project.

Improved board reporting quality. Continuous monitoring feeds executive dashboards with current data, replacing the stale snapshots that undermine board confidence. When the CISO reports a control effectiveness rate, it reflects today's reality, not last quarter's assessment.

Defensible regulatory posture. When a regulator asks "how do you know your controls are effective?", the answer shifts from "we assessed them last quarter" to "we monitor them continuously and here is the current evidence." This is a qualitatively different answer that demonstrates operational maturity.

Common Implementation Pitfalls

Organizations adopting CCM frequently encounter several pitfalls:

Boiling the ocean. Trying to implement continuous monitoring across all controls simultaneously is a recipe for failure. Start with the controls that are highest risk, most frequently tested, and most amenable to automation. Expand coverage iteratively based on demonstrated value.

Alert fatigue. CCM systems that generate hundreds of alerts per day without prioritization or context quickly lose operational trust. Design thresholds carefully, implement risk-based prioritization, and ensure every alert has a clear owner and response expectation.

Neglecting the human layer. Not all controls can be monitored technically. Procedural controls — like segregation of duties reviews, vendor governance meetings, or incident response plan testing — require human attestation on a defined schedule. CCM must accommodate both automated and attestation-based evidence collection.

Ignoring baseline management. Drift detection only works if the baseline is accurate and maintained. Organizations that define baselines once and never update them will see increasing false positives as legitimate changes accumulate without baseline reconciliation.

Where to Start

For organizations beginning the shift from periodic to continuous monitoring, the practical starting point is:

  1. Identify the 20 controls with highest regulatory exposure. These are the controls most likely to be examined by auditors under NIS2, DORA, or GDPR, and where periodic evidence gaps carry the most risk.

  2. Define evidence standards for each. What specific artifact proves the control is effective? How frequently must it be collected? What freshness threshold triggers degradation?

  3. Automate evidence collection for the top 10. Connect to source systems, configure collection schedules, and validate that evidence is captured accurately and completely.

  4. Build exception workflows. Define owners, escalation paths, and remediation SLAs. Test the workflow with a simulated control failure.

  5. Report control integrity trend, not compliance percentage. Show the board a trend line of control effectiveness over time, with evidence freshness overlaid. This is fundamentally more valuable than a point-in-time compliance percentage.

Key Takeaways

  • Periodic compliance creates a false sense of security. Controls drift between assessment cycles, evidence is reconstructed rather than generated, and exceptions hide in the gaps. The model was designed for slower environments and cannot meet current regulatory expectations.

  • NIS2 Art. 21 and DORA Art. 6/Art. 9 require ongoing control effectiveness. Both frameworks use language that implies continuous operation, not periodic assessment. Point-in-time compliance alone will not satisfy supervisory scrutiny.

  • CCM generates evidence as a byproduct of operations. The fundamental shift is from assembling evidence retroactively to collecting it automatically as controls execute. This eliminates the audit preparation scramble and produces higher-quality, more current evidence.

  • Start with high-risk controls and expand iteratively. Attempting to monitor everything continuously from day one creates alert fatigue and implementation failure. Begin with the 20 controls that carry the most regulatory and operational exposure.

  • The business case extends beyond compliance. CCM reduces audit preparation costs, accelerates remediation, improves board reporting quality, and creates a defensible regulatory posture. These benefits compound over time as coverage expands.

Next Step

Turn guidance into evidence.

If procurement is involved, start with the Trust Center. If you want to see the product, create an account or launch a live demo.