Your compliance dashboard says 82 percent. The board sees green. But behind that number, three critical evidence packages expire in 19 days, a policy review is six weeks overdue, and the NIS2 transposition deadline in your jurisdiction has a hard enforcement date that your remediation velocity cannot meet at current pace. The score looks stable. The trajectory points toward non-compliance. The board will not know until it is too late — unless you give them a different metric.
Time-to-non-compliance answers the question that static compliance scores cannot: given current evidence freshness, policy review schedules, control effectiveness trends, and regulatory deadlines, when will we fall out of compliance if nothing changes? It is a leading indicator. It converts compliance reporting from a status update into a timing decision. And it is the single most useful metric you can put in front of a board that is accountable under NIS2 Article 20 for approving and overseeing ICT risk management.
Why Percentage-Based Compliance Scores Mislead
The standard compliance KPI — percentage of controls implemented, or percentage of requirements satisfied — has been the default governance metric for two decades. It persists because it is simple, it fits on a slide, and it creates an intuitive sense of progress. It also misleads in three specific ways that become dangerous under active regulatory enforcement.
Percentages hide expiry risk. A control that was implemented and evidenced twelve months ago counts the same as one implemented yesterday. But the twelve-month-old control may rely on evidence that has expired, a configuration that has drifted, or a policy that has been superseded. The percentage treats both as "implemented." The risk reality is different. Under DORA Article 6(5), financial entities must keep their ICT risk management framework up to date. "Up to date" is a temporal claim that a static percentage cannot validate.
Percentages obscure velocity problems. A programme at 75 percent completion with six months of runway looks different from a programme at 75 percent with six weeks of runway. The percentage is identical. The urgency is radically different. Boards that receive percentage-based updates cannot distinguish between these two states without additional context that is rarely provided in a one-page governance summary.
Percentages invite false comparison. When the CISO reports 85 percent compliance to NIS2 and 78 percent to DORA, the board may assume NIS2 is in better shape. But if the NIS2 number includes controls with stale evidence and the DORA number reflects fresh, validated controls, the reality is inverted. Percentages without temporal weighting create an illusion of comparative clarity that does not exist.
The fundamental problem is that percentage-based scores answer "where are we?" without answering "where are we going?" For a board that needs to make resource allocation decisions, approve remediation budgets, and certify risk management adequacy under Article 20 of NIS2, the trajectory matters more than the snapshot.
Time-to-Non-Compliance: The Metric Defined
Time-to-non-compliance (TTNC) is a calculated metric that estimates how many days, weeks, or months remain before an organisation's compliance posture degrades below an acceptable threshold, assuming no new remediation activity occurs.
The calculation considers five input variables:
Evidence expiry schedules. Every piece of compliance evidence has a validity window. SOC 2 reports cover a defined period. Penetration test results have a shelf life. Policy documents require periodic review and reapproval. TTNC models these expiry dates and calculates when the cumulative effect of expiring evidence pushes the organisation below its compliance threshold.
Policy review cycles. Most regulatory frameworks require policies to be reviewed and updated on defined schedules — annually for many, semi-annually for critical policies under frameworks like ISO 27001. TTNC tracks when each policy's review is due and models the compliance impact of overdue reviews.
Regulatory deadlines. NIS2 transposition dates, DORA enforcement milestones, AI Act obligation activation dates, GDPR certification renewal dates — these are fixed external deadlines that create hard compliance cliffs. TTNC incorporates these deadlines and measures whether current remediation velocity is sufficient to meet them.
Control effectiveness decay. Controls that are not regularly tested and validated tend to degrade over time. Configuration drift, personnel changes, infrastructure modifications, and process evolution all erode control effectiveness. TTNC models this decay based on historical control assessment data and the time since last validation.
Remediation velocity. The rate at which the organisation is closing compliance gaps, resolving audit findings, and implementing new controls. This is the counterforce to decay and expiry. If remediation velocity exceeds the rate of compliance degradation, TTNC extends. If degradation outpaces remediation, TTNC contracts.
The output is not a single number but a set of horizon metrics: TTNC for each framework (NIS2, DORA, GDPR, ISO 27001), TTNC for each domain (access control, incident response, third-party risk, business continuity), and an aggregate TTNC that represents the shortest time to non-compliance across all frameworks and domains.
What Boards Can Do With Trajectory Data
A TTNC metric transforms board-level compliance discussions from "are we compliant?" to three actionable questions:
Where is the nearest cliff? If the aggregate TTNC is 45 days, the board knows that without intervention, the organisation will fall out of compliance within six weeks. That creates immediate urgency and focuses discussion on the specific drivers: which evidence is expiring, which remediations are stalled, which deadlines are approaching.
Is our investment producing enough velocity? If the board approved a 500,000 EUR compliance programme six months ago and TTNC is contracting rather than expanding, the investment is not generating sufficient returns. Either the programme is under-resourced, poorly prioritised, or addressing the wrong gaps. TTNC gives the board a single indicator of programme effectiveness that is harder to obscure than a percentage-based progress report.
Where should the next euro go? When the CISO presents a budget request for additional compliance automation tooling, the board can evaluate it against TTNC impact. Will this investment extend our TTNC by three months? Six months? If the answer is unclear, the investment case is incomplete.
NIS2 Article 20(1) requires the management body of essential and important entities to "approve the cybersecurity risk-management measures taken by those entities" and to "oversee its implementation." A board that receives only percentage-based compliance scores cannot meaningfully oversee implementation because it cannot assess trajectory. TTNC gives the board the temporal dimension it needs to fulfil this oversight obligation.
Building the TTNC Model: Practical Implementation
Implementing TTNC does not require a data science team or a custom-built analytics platform. It requires disciplined data collection and a straightforward calculation model.
Step 1: Inventory your evidence with expiry dates. For every control or requirement in your compliance framework, identify the evidence that supports it and record when that evidence expires or requires refresh. This is often the hardest step because many organisations track evidence existence but not evidence currency. Start with your critical controls — the 20 percent that cover 80 percent of your regulatory risk.
Step 2: Map your regulatory calendar. Create a forward-looking calendar of all regulatory deadlines, enforcement dates, and supervisory milestones. For NIS2, this includes national transposition deadlines and any sector-specific implementing acts. For DORA, this includes the Article 28(3) register reporting deadlines and the TLPT testing schedules. For the AI Act, this includes the phased obligation activation dates through 2027.
Step 3: Measure your remediation velocity. Track the number of compliance gaps closed per month, the average time from gap identification to remediation, and the current backlog of open gaps. This data exists in any reasonably structured compliance programme — it just needs to be surfaced as a velocity metric rather than a backlog count.
Step 4: Calculate the horizon. For each framework and domain, project forward: given current evidence expiry rates and remediation velocity, when does the organisation's compliance posture drop below the defined threshold? The threshold is a governance decision — some organisations set it at 90 percent, others at 80 percent, depending on their risk appetite and regulatory context.
Step 5: Report with context. Present TTNC alongside the traditional percentage score. The percentage shows current state. The TTNC shows trajectory. Together, they give the board the complete picture: "We are at 85 percent today, and if nothing changes, we will drop below 80 percent in 67 days. Here are the three drivers and here is our plan to address them."
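As an added example (not the article's own code or any vendor's tooling), the five input variables listed earlier and Steps 1 to 4 above as a toy day-by-day projection in Python: weighted controls with evidence expiry dates, linear effectiveness decay, a remediation velocity that refreshes controls, hard regulatory deadlines, and a governance threshold. The controls, weights, dates, the 10 percent per quarter decay rate (the low end of the estimate in the objections section) and the one-year refresh window are constructed assumptions.

```python
# Added example (not the article's code): a toy day-by-day TTNC projection.
# Control data, weights, dates and the decay rate are constructed assumptions.
from dataclasses import dataclass, replace
from datetime import date, timedelta

DECAY_PER_90_DAYS = 0.10  # assumption: an unvalidated control loses 10 % per quarter

@dataclass(frozen=True)
class Control:
    name: str
    weight: float           # share of the domain score this control carries
    evidence_expires: date  # evidence counts for nothing after this date
    last_validated: date    # decay clock starts here

def control_score(c, today):
    """Effectiveness in [0, 1]: zero once evidence has expired, linear decay before."""
    if today > c.evidence_expires:
        return 0.0
    return max(0.0, 1.0 - DECAY_PER_90_DAYS * (today - c.last_validated).days / 90)

def posture(controls, today):
    """Weighted compliance score in [0, 1] on a given day (the usual percentage)."""
    return sum(c.weight * control_score(c, today) for c in controls) / sum(c.weight for c in controls)

def ttnc(controls, start, threshold, gaps_per_30_days=0, deadlines=(), horizon=365):
    """Days until posture drops below threshold or a (date, required_posture) deadline is
    missed; None if neither happens within horizon. Each earned remediation refreshes one
    control: expired or never-done ones first (heaviest weight), then the soonest to expire."""
    controls, refreshed = list(controls), 0
    for k in range(horizon + 1):
        today = start + timedelta(days=k)
        while refreshed < (k + 1) * gaps_per_30_days // 30:  # integer credit, no float drift
            i = min(range(len(controls)), key=lambda i: (control_score(controls[i], today) > 0,
                                                        controls[i].evidence_expires, -controls[i].weight))
            controls[i] = replace(controls[i], evidence_expires=today + timedelta(days=365),
                                  last_validated=today)
            refreshed += 1
        p = posture(controls, today)
        if p < threshold or any(d == today and p < need for d, need in deadlines):
            return k
    return None

START = date(2026, 3, 1)  # constructed sample: one domain, five controls, 10 weight units
CONTROLS = [
    Control("access review", 3, date(2026, 3, 20), date(2025, 12, 1)),        # expires in 19 days
    Control("incident response test", 2, date(2026, 9, 1), date(2026, 2, 15)),
    Control("supplier risk assessment", 2, date(2027, 1, 1), date(2026, 1, 10)),
    Control("BCP exercise", 1, date.min, date.min),                            # never done: open gap
    Control("penetration test", 2, date(2026, 6, 1), date(2025, 11, 1)),
]
SAMPLE_DEADLINE = (date(2026, 3, 15), 0.85)  # constructed supervisory milestone needing 85 %

if __name__ == "__main__":  # posture 0.829 today; TTNC 20 days with no remediation
    print(round(posture(CONTROLS, START), 3), ttnc(CONTROLS, START, 0.80),
          ttnc(CONTROLS, START, 0.80, gaps_per_30_days=4), ttnc(CONTROLS, START, 0.80, deadlines=[SAMPLE_DEADLINE]))
```

With no remediation the sample sits at 82.9 percent today and falls off the cliff on day 20 when the heaviest control's evidence expires; four refreshes a month keeps it above 80 percent for the whole year, while the constructed 85 percent milestone on day 14 becomes the nearest cliff. Run it once per framework and domain and take the minimum to get the aggregate TTNC the article describes.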
TTNC in Practice: NIS2 and DORA Context
The urgency of TTNC as a governance metric is amplified by the enforcement timelines of the EU's current regulatory wave.
NIS2 transposition and enforcement. NIS2 required Member State transposition by October 2024. As of early 2026, transposition status varies significantly across the EU. Entities operating in multiple jurisdictions face a patchwork of national implementation timelines and enforcement approaches. TTNC allows these entities to model jurisdiction-specific compliance horizons and prioritise remediation in jurisdictions where enforcement is most imminent.
For entities subject to Article 21 security measures, the evidence burden is continuous. Measures for handling incidents (Art. 21(2)(b)), business continuity (Art. 21(2)(c)), and supply chain security (Art. 21(2)(d)) all require ongoing evidence of implementation effectiveness. TTNC models when that evidence becomes stale and triggers re-collection before gaps emerge.
DORA operational resilience. DORA applies from January 2025 with specific ongoing obligations: the register of information under Article 28(3) must be maintained continuously, ICT risk management frameworks under Article 6 must be kept up to date, and incident reporting under Article 19 requires operational readiness at all times. TTNC for DORA is not about a single compliance deadline — it is about maintaining continuous operational readiness. The relevant question is not "when will we be DORA-compliant?" but "how long can we sustain DORA compliance at current operational tempo?"
AI Act phased obligations. The AI Act's staggered activation dates — prohibited practices from February 2025, GPAI obligations from August 2025, high-risk system requirements from August 2026 — create multiple compliance cliffs that organisations must model and prepare for in parallel. TTNC provides a unified view across these overlapping timelines.
Common Objections and Responses
"Our compliance posture is stable — we don't need trajectory metrics." Stability is a claim about the past. TTNC is a prediction about the future. A stable compliance posture today with a contracting TTNC means stability is temporary. The board should know this.
"We can't predict control decay accurately." Perfect prediction is not the goal. Directional accuracy is. If historical data shows that controls without validation tend to degrade by 10 to 15 percent per quarter, using that estimate in your TTNC model is better than assuming zero decay. The model improves over time as you accumulate more data.
"This will alarm the board unnecessarily." A board that is alarmed by accurate trajectory data is a board that was previously under-informed. The purpose of TTNC is not to create panic but to enable informed decisions. A board that knows TTNC is 90 days has time to act. A board that discovers non-compliance after the fact does not.
Integrating TTNC With Existing Governance
TTNC does not replace existing compliance metrics. It augments them. The most effective governance reporting model uses three layers:
- Current state (percentage-based scores): Where are we today across each framework and domain?
- Trajectory (TTNC): Where are we heading if current trends continue?
- Action priority (remediation backlog with impact weighting): What should we fix first to extend our TTNC?
This three-layer model converts the compliance section of a board report from a backward-looking status update into a forward-looking decision framework. For CISOs reporting to boards under NIS2 Article 20 obligations, it demonstrates the kind of structured oversight that supervisory authorities expect.
The integration with your risk management programme is equally important. TTNC should feed into enterprise risk assessment as a temporal dimension of compliance risk. A compliance risk rated "medium" with a TTNC of 120 days is a different governance priority than one rated "medium" with a TTNC of 21 days.
Key Takeaways
- Static compliance percentages hide trajectory risk — an 82 percent score can mask expiring evidence, stalled remediations, and approaching regulatory deadlines that will push the organisation below acceptable thresholds within weeks.
- Time-to-non-compliance (TTNC) is a leading indicator that models how many days remain before compliance posture degrades below threshold, given current evidence freshness, policy review schedules, regulatory deadlines, and remediation velocity.
- Boards governed under NIS2 Article 20 need trajectory data to fulfil their oversight obligations — percentage scores alone cannot answer whether the organisation's compliance investment is producing sufficient velocity to stay ahead of degradation and deadlines.
- Building a TTNC model requires four data inputs that most compliance programmes already collect: evidence expiry dates, regulatory calendars, control effectiveness trends, and remediation velocity — the calculation is straightforward, the discipline of collecting temporal data is the hard part.
- Report TTNC alongside traditional scores in a three-layer model (current state, trajectory, action priority) to transform board compliance discussions from status updates into timing decisions with clear resource allocation implications.
