"Compliance Isn't Security": EU Regulation vs. US National Security, Why Where You Are Changes Everything
Alejandro Rivas-Vásquez spent two decades running DFIR at two Big Four firms, advising boards on both sides of the Atlantic. His conclusion: where you are when an incident hits shapes everything that follows, and most organizations don't realize it until it's too late.
It was 1 A.M. when the call came in. A company had been paralyzed by ransomware for over a month. The decision to pay was approaching.
Then news broke that OFAC had issued new guidance: if a ransom payment went to a sanctioned entity, the company making the payment could face liability. The question landed immediately: what does this change?
Nobody knew. Lawyers had to be woken up. Legal and technical were working in parallel in real time, racing to understand a rule that had just been rewritten while the clock was already running.
For Alejandro Rivas-Vásquez, it was a vivid illustration of something he'd spent two decades watching play out across boardrooms and crisis rooms on both sides of the Atlantic: the rules governing how you respond to a cyber incident aren't just technical. They're legal, regulatory, and deeply geographic.
In Episode 4 of Full Metal Packet, Alejandro joins hosts Yegor Sak and Alex Paguis to break down why where you are when an incident hits changes everything.
Two Philosophies. One Internet.
Alejandro's career has run across both sides of the Atlantic, and the clearest pattern he's observed isn't technical. It's cultural.
The US came to cybersecurity through the lens of national security. Cyber is a matter of defense, sovereignty, and strategic posture. That framing, reinforced through government mandates and aggressive regulatory enforcement dating back to the Obama administration, pushed board-level awareness of cyber risk faster than almost anywhere else in the world. CISO accountability followed. So did litigation.
Europe came at it differently. The organizing principle was the protection of individual rights, privacy above all, and the regulatory apparatus built around it is correspondingly vast. GDPR, NIS2, sector-specific disclosure rules. The result is a compliance-first culture that is, in Alejandro's view, both a strength and a significant liability.
"We are in Europe killing innovation," he says, plainly. "I agree with that statement."
The irony is that compliance and security are not the same thing. A company can be fully GDPR-compliant and entirely unprepared for a ransomware event. Passing an audit doesn't patch a vulnerable mailbox.
What Alejandro argues for isn't one model or the other. It's convergence, borrowing the strategic seriousness of the American approach while preserving the rights-based framework that Europe has spent decades building. The jurisdictions he sees getting closest to that balance, he notes, tend to be the ones with the most immediate threat experience. Countries on Russia's doorstep didn't need a regulator to tell them that cyber was a national security issue.
Business Email Compromise: The Breach That Doesn't Make Headlines
One of the episode's more surprising threads is Alejandro's insistence that ransomware, the threat that dominates conference panels and vendor marketing, is not the biggest financial risk most organizations face.
Business email compromise is.
"Ransomware is sexy," he says. "The financial impact of BEC is by far bigger than ransomware, by far. And it's direct."
The distinction matters. With ransomware, the damage is operational: systems locked, recovery costs, and potential ransom payment. With BEC, money moves out of accounts and into the attacker's hands. There's no recovery. The wire has cleared.
The case he walked through on the podcast started as an internal fraud investigation. Seasoned investigators began to suspect they were looking at something else. They brought Alejandro in. The attacker had spent weeks playing both sides of a corporate communication thread, maintaining parallel conversations with two parties who each believed they were talking to the other. The entry point, eventually traced, was a fake voicemail notification email that prompted an executive to enter credentials to "listen to the message." Credentials captured. Mailbox compromised. Millions gone.
Not sophisticated by today's standards. Devastating in its outcome.
The harder discovery came during the investigation: the same company had been hit two years earlier through a similar scheme. Nothing about the second incident had brought the first one to light. Nobody had connected the dots. There was no governance structure that would have.
"That says something about your governance structure and your communication channels," Alejandro said.
The board, confronted with both incidents simultaneously, finally had to reckon with what had been sitting in their blind spot. When Alejandro presented his findings to the board, a board member stood up and told him he didn't know what he was talking about.
No lawyer in the room. No legal framework to protect the findings. Just a senior executive with a preferred narrative and nothing standing in the way.
At the next meeting, he had a lawyer beside him. The dynamic shifted immediately. The technical findings, it turns out, are only as strong as the framework around them. Whether that framework exists at all depends largely on which side of the Atlantic you're on.
When the Rules Change Mid-Crisis
That 1 A.M. call was more than a dramatic moment. It was a stress test, and it revealed something that no tabletop exercise had prepared that team for: the legal framework governing your response can shift while you're still inside the incident.
What it exposed was the gap between organizations that had built genuine muscle memory around cross-functional decision-making and those that hadn't. When legal and technical are aligned before a crisis, a 1 A.M. phone call with a new regulatory wrinkle is disruptive but manageable. When they're not, it can be paralyzing at exactly the moment you can least afford it.
Alejandro's conclusion from years of engagements like this is straightforward: preparation isn't a compliance exercise. It's tabletops, simulations, and mock raids where participants don't know it's a drill, repeated until the response is automatic. Because when the rules change at one in the morning, you don't want that to be the first time anyone in the room has had to think on their feet.
What CISOs Are Getting Wrong About Personal Liability
In the episode, Alex asks about the wave of sessions at RSA and similar conferences focused on personal liability, CISOs watching peers get subpoenaed, wondering what they've signed up for.
Alejandro's answer is practical and worth sitting with.
"Make sure it's not you accepting the risk." The CISO's job is to articulate risk clearly, present options, and help someone above them make an informed decision. When that decision is made, it should be documented, and it should belong to the person with the authority to make it. If a CISO finds themselves regularly signing off on risk acceptance they don't control, they have a governance problem.
The second piece of advice is less glamorous but equally important: check your contract for D&O-equivalent insurance coverage before you take the role, not after you need it. Alejandro was surprised by how many experienced security leaders he met at RSA hadn't thought this through.
And the third, which he returns to more than once: take care of yourself. Not as a platitude, as a professional obligation. A burned-out CISO isn't a vigilant CISO. The capacity to think clearly under pressure is the actual asset. Destroying it in the name of diligence defeats the point.
"It's just a job," he says. "It's not the most important job in the world."
Coming from someone who has spent two decades in rooms where the stakes were genuinely very high, the reminder lands differently than it might otherwise.
The Conversation That's Just Getting Started
Toward the end of the episode, the three turn to where all of this is headed: AI as a force multiplier for both attackers and defenders, the professionalization of DFIR as a discipline, and the shrinking window in which any individual human can claim to understand even a meaningful fraction of the threat landscape.
Alex puts it starkly: the percentage of the cybersecurity world that any single practitioner truly knows is going down every year, and will keep going down. Not because people are getting worse at their jobs. Because the world is expanding faster than any individual can track.
Alejandro's response is characteristically pragmatic. The question isn't whether AI will reshape DFIR. It already is. The question is whether the people building that future are the ones who have been in the rooms, who understand what evidence preservation actually means, what a boardroom looks like when a board member wants to rewrite reality, what it feels like to get a phone call at one in the morning when the legal framework has just shifted.
That combination of technical fluency, legal awareness, and operational experience built over decades: that's what the next generation of DFIR practitioners will need to develop faster than their predecessors did. And where you are, it turns out, still shapes all of it.
Alejandro Rivas-Vásquez is an associate professor at IE Law School in Madrid and a multi-decade DFIR practitioner. This post is based on his appearance on Episode 4 of Full Metal Packet.
Listen to this episode on Apple Podcasts, Spotify, YouTube, or wherever you get your podcasts.