Archos Labs
The Execution Layer

Proportionate Security Controls That Don't Kill Experimentation

Rob Angeles | 4 min read | Published
Figure at path fork: blocked wall of uniform boxes versus descending sequence of proportionate controls, illustrating how sta

Proportionate security controls let you satisfy NIS2 and DORA without freezing your teams. Here's the sequencing that works.

GDPR penalties reach €20 million or 4% of global annual turnover, whichever is higher. That number makes CISOs reach for comprehensive control frameworks. The instinct is understandable. It is also how experimentation dies.

The sequencing argument most compliance teams miss

The arXiv 2025 governance study on micro-SMEs built a seven-dimension preventive architecture specifically for organizations that cannot run all controls simultaneously. The sequence matters: awareness and human behavior first, then access control and system hygiene, then data protection, then detection and response, with continuous review running throughout. Low-cost controls come before complex ones. You do not defer the cheap stuff while waiting to afford the expensive stuff.

This is not a reduced standard. The arXiv researchers describe proportionality as a calibration heuristic, not a shortcut. You are matching control complexity to actual risk exposure, not to a regulator's checklist.

DORA makes this explicit in law. Its proportionality principle directs supervisors to assess compliance against a firm's size and overall risk profile and the nature, scale and complexity of its services. DORA defines a microenterprise as a financial entity with fewer than 10 staff and annual turnover or balance sheet total under €2 million, and scales obligations down for it; certain small entities, such as small and non-interconnected investment firms, are placed on a simplified ICT risk management framework built around security-by-design and incident logging rather than the full programme. The regulation was written to accommodate this. Organizations that treat DORA as a binary pass/fail are misreading it.

Where the Varonis objection actually lands

Varonis argues that static proportionate controls fail against evolving threats. The argument is worth taking seriously because it is structurally correct about one specific scenario: an organization that sequences controls and then stops. If you deploy awareness and access controls, declare compliance, and defer behavioral analytics indefinitely, you have a detection gap. During active experimentation, that gap widens continuously. New APIs, new services, new credentials appear faster than a frozen governance architecture accommodates.

The arXiv model addresses this directly. Continuous review is the seventh dimension, not an appendix. The review cycle is what triggers escalation to higher-complexity controls when risk exposure changes. Without it, the Varonis critique holds. With it, the model is dynamic by design, not static by assumption.

The GDPR penalty ceiling applies regardless of which stage of the sequence you are in. That is the floor the proportionality argument has to account for. Sequencing does not mean operating without detection indefinitely. It means you build detection capacity in order, not all at once, and you review whether the current stage is still adequate as your environment changes.

What this looks like in practice for high-velocity teams

NIS2's shift from prescriptive control lists to principles-based governance gives you the legal room to make context-dependent judgments: its risk-management measures must be proportionate to the entity's size, cost of implementation and exposure to incidents. A low-risk experimentation environment with no customer data and no production access does not require the same controls as your payment processing infrastructure. Applying the same weight everywhere wastes the security budget that your experimentation teams need to operate.

The data governance framework question is where most organizations stall. They treat data classification as a prerequisite for everything else, which means nothing moves until classification is complete. The arXiv sequence inverts this. You start with awareness training and access control because those controls are cheap, fast to deploy, and reduce the largest category of preventable incidents. Data protection controls come after the human and access layers are stable.

I have never trusted compliance frameworks sold as turnkey solutions. The vendors who package "proportionate controls" as a product are selling you a snapshot calibrated to their last client, not to your risk profile. The arXiv model works because it is a sequencing logic, not a product.

Your experimentation teams ship faster when they know which environments are governed at which level. Ambiguity is the actual blocker, not controls. A clear risk-based controls map tells a developer exactly which sandbox requires a security review before deployment and which does not. That is security enablement in practice. The balanced compliance strategy is not a compromise between security and speed. It is the condition under which both are possible.

Audit your current control stack against the seven-dimension sequence. Find the stage where you stopped.


Written by

Rob Angeles

Most consulting engagements split the thinking from the doing. Rob doesn't. Principal Consultant at Archos Labs, he owns the full stack — assessment, architecture, delivery — across retail, financial services, healthcare, and government.