Without question, compliance requirements must be adhered to, and in some cases, there are even severe penalties for violating them (e.g. GDPR, DORA, NIS2). However, what all these regulations have in common is that they only formulate generic requirements and often remain vague in their implementation instructions. Industry-specific standards such as ISO/IEC 27019 (information security measures for energy utility industry) and DORA (digital operational resilience in the financial sector) or initiatives from mergers of companies in the same industry provide an initial improvement to this problem. Even if the requirements are adapted as closely as possible to the industry, compliance standards only address the absolutely necessary measures and controls. The identification and risk assessmen ...