Legislative, Regulatory, and Policy Contributions

Contributions to legislation in development and to existing frameworks with identified design gaps. The entry point is not legal doctrine but security practice, risk management, and the cognitive biases that designers systematically embed in regulatory architecture. The practical question in each case is what can be fixed within existing institutional mechanisms — without reopening primary legislation.


I. Cyber incident disclosure under DORA

DORA (Regulation 2022/2554) requires financial entities to report major cyber incidents to enforcement authorities. This creates a predictable incentive: document the attack vector, minimise the governance failure that made the attack possible — the deferred patch, the risk acceptance, the procurement delay. The result is an incident record that is technically accurate and governance-silent.

The paper identifies two structural gaps. DORA has no confidential non-punitive learning channel — nothing equivalent to the Aviation Safety Reporting System, which produces over 131,000 honest disclosures a year precisely because NASA, the administering body, has no enforcement authority. And DORA has no mechanism to distinguish a legitimate suppression of public disclosure from an organisation managing the escalation process to avoid scrutiny.

The proposed remedy is a three-tier architecture. Tier 1: a confidential learning channel administered by ENISA, with statutory information barriers against enforcement access. Tier 2: the existing DORA framework, structurally separated from Tier 1. Tier 3: a mandatory suppression-rationale declaration specifying the public-interest grounds for non-disclosure, the review period, and the designated oversight body. Both Tier 1 and Tier 3 can be introduced through DORA Article 20 regulatory technical standards — without reopening the regulation.

Closing the DORA Gap: A Three-Tier Disclosure Architecture for Cyber Incident Reporting — SSRN working paper, April 2026.


II. Cybersecurity obligations for EU mandatory financial registries

In January 2026, an attacker accessed FICOBA — France's national registry of citizens' banking records — by stealing a civil servant's credentials and querying the database through a legitimate government platform. Around 1.2 million records were extracted over multiple weeks without triggering an alert. FICOBA is not a French design choice. It exists because AMLD5 (Directive 2018/843) mandated centralised bank account registries across all Member States.

The problem is that EU law requires the data concentration but does not clearly require its protection. NIS2 lets Member States decide which public authorities fall within scope. GDPR lets Member States cap or exclude fines for public bodies. DORA applies by entity type, not data type — a bank's customer database is in scope; the state registry aggregating every bank's data is not.

The article argues this gap is constitutionally exposed under Digital Rights Ireland (C-293/12), which established that EU-mandated data concentration requires proportionate safeguards as a Charter obligation — not merely a policy aspiration. Three remedies are available within existing competences: implementing acts under NIS2 Article 21(5); an ENISA audit matching collection mandates against protection regimes applied in practice; and a recommendation through the 2027 NIS2 review to embed security requirements in future AML instruments. None requires Treaty change.

Safe to Collect, Unsafe to Store? The Unresolved Cybersecurity Gap in EU Financial Registry Law — European Law Blog, April 2026.


III. Kazakhstan personal data protection and information security legislation

In 2023, a working group of the Majilis of the Parliament of Kazakhstan drafted amendments to national personal data protection and information security legislation. The drafters acted from the best of intentions — to strengthen protections for citizens. The drafts would nonetheless have tightened regulation substantially. Had they passed without calibration, predictable negative systemic consequences would have followed: for companies (compliance burden and loss of international competitiveness), for the state (supervisory capacity falling short of the new obligations), and for end users (costs passed on by businesses).

The contribution, made as an invited expert, did not dispute that good faith. It drew on what EU and UK institutions were doing in 2023 — not as identical programmes, but as evidence that mature jurisdictions were debating burden and proportionality, not only tightening. In the EU, that included the Commission's July 2023 proposal on additional procedural rules for GDPR enforcement (COM(2023) 348) and the September 2023 SME relief package with targeted GDPR administrative relief where risk was lower (COM(2023) 535), within the Commission's wider commitment to cutting administrative burdens on business. In the UK, ministers had introduced the Data Protection and Digital Information (No. 2) Bill in March 2023 (Commons stages ran through late 2023), publicly framed around easing compliance costs and post-Brexit flexibility; civil society argued that parts of the bill would weaken substantive protections. Taken together, that picture persuaded the working group that importing another layer of domestic tightening without calibration risked damaging Kazakhstani firms abroad, multiplying overlapping compliance regimes for export-oriented businesses (domestic rules stacked on foreign-market requirements such as the GDPR where applicable), and stretching supervisory capacity — without proportional gains for privacy.

The outcome moved the trajectory toward a more balanced settlement than the original drafts: excessive tightening was avoided, so obligations stayed closer to what supervisory capacity could enforce and what export-oriented Kazakhstani firms could operationalise without undermining competitiveness. That preserved a credible basis for strengthening citizen protection through proportionate design rather than through cumulative formal rigour alone.

Letter from the Majilis acknowledging the contribution (November 2023).


IV. Parliamentary evidence and government consultation responses

Eight submissions across April–May 2026 to UK parliamentary committees and government consultations. Six draw on the same empirical research programme — NHS cybersecurity governance across 171 trusts, Freedom of Information data from 205 public bodies, and a framework for technology investment governance under deep uncertainty; one draws on OT security practice in critical national infrastructure; and one on the governance architecture of major public infrastructure programmes. The recurring finding across all eight: when assurance frameworks are formally compliant yet operational risk continues to grow, the binding constraint is rarely the technology or the funding — it is the governance architecture that converts known risk signals into decisions slow enough to be overtaken by events.

Governance capacity as the binding constraint on public sector AI adoption. Written evidence to the House of Lords Science and Technology Committee inquiry into Innovation in the NHS: Personalised Medicine and AI (April 2026). The argument: deploying AI on governance architectures that already fail to convert known risk signals into timely action will reproduce existing failure patterns at greater speed and scale. The binding constraint on safe adoption is not funding or technology but the institutional capacity to govern what is already deployed — a constraint empirically visible in NHS cybersecurity governance across 171 trusts and Freedom of Information data from 205 NHS organisations. Published evidence (PDF); Zenodo.

Decision speed as the binding constraint on national resilience. Written evidence to the House of Lords Select Committee on National Resilience inquiry into national preparedness and resilience (April 2026). The argument: the UK's resilience gap is not primarily about risk identification — the National Risk Register names the relevant threats — but about decision speed. Governance structures systematically attenuate urgency before risk signals reach the decision-maker with authority to act. The pattern is empirically visible in NHS cybersecurity governance across 171 trusts and FOI data from 205 public bodies: formal compliance growing while operational exposure compounds underneath it. Published evidence (PDF); Zenodo.

Decision-making under deep uncertainty in government technology investment. Written evidence to the House of Commons Public Accounts Committee inquiry into Government Shared Services (April 2026). The argument: when shared services programmes fall short, the cause is rarely the wrong technology — it is a governance architecture that treats technology investment as a procurement problem rather than a decision-making-under-deep-uncertainty problem. The same structural pattern has produced cost overruns and delivery shortfalls across UK public sector technology programmes for decades; the current Shared Services strategy is the latest exposure of the underlying design fault. Published evidence (PDF); Zenodo.

Governance architecture as the principal risk in national digital identity. Consultation response to the Cabinet Office consultation on national digital identity (CP 1498) (April 2026). The argument: the failure modes of a national digital ID are more likely to be governance failures than technology failures, and the consultation document is architecturally optimistic about properties — proportionate oversight, accountable supplier governance, fallback capacity, defensible explainability — that the UK's recent record shows cannot be assumed. Four governance priorities follow: decision-latency stress-testing for revocation and dispute pathways; statutory governance of supplier chains under jurisdictional divergence and exit scenarios; a declared fallback architecture for economic continuity when verification services are unavailable; and bounded explainability for fraud controls. Zenodo.

Governance architecture misaligned with uncertainty: DSIT's investment in research infrastructure. Written evidence to the House of Commons Public Accounts Committee inquiry into DSIT's Investment in Research Infrastructure (May 2026). The submission argues that the governance failures identified in the NAO's March 2026 report — fragmented landscape intelligence, appraisal tools decision-makers do not rely on, and a £5.6 billion maintenance backlog — are features of an architecture misaligned with the uncertainty environment of research infrastructure investment. Five mechanisms are proposed: a three-state portfolio architecture with annual review triggers; Cost of Delay as a replacement prioritisation metric; a Standby governance category preserving option value; total expenditure indifference frameworks removing CAPEX bias; and a mandatory annual portfolio utilisation report. Zenodo.

Aggregation-tier designation, OT self-tailoring, and velocity-based assurance: regulatory architecture for distributed energy cyber resilience. Consultation response to the DESNZ/Ofgem consultation on Reshaping Cyber Regulation in Downstream Gas and Electricity (May 2026). The consultation proposes two structural reforms — a review of NIS Regulations applicability and baseline cyber resilience requirements for over 1,400 licensed operators via Cyber Essentials. Both address documented gaps, but both retain the regulatory primitives calibrated in 2018: the individual operator as the unit of analysis and static positional certification as the assurance instrument. The paper argues these primitives were appropriate for a concentrated energy system; they are not appropriate for the distributed, OT-heavy system the UK is building under the Clean Power 2030 ambition. Three components are proposed as simultaneous replacements: aggregation-tier designation targeting correlated risk across operators rather than individual operator size; OT self-tailoring against a recognised reference replacing uniform mandatory control lists; and velocity-based assurance anchored to a sectoral threat-intelligence function. Zenodo.

Governance failure in automated benefit decisions: HMRC's Child Benefit anti-fraud intervention. Written evidence to the House of Commons Public Accounts Committee inquiry into HMRC's Anti-Fraud Intervention on Child Benefit (May 2026). The submission analyses the intervention that suspended Child Benefit for 23,794 families using Home Office flight data, of whom 63% were subsequently confirmed eligible. Three structural failures are identified: governance filtering, in which a known 46% pilot error rate was reframed as remote risk; a deployment accountability gap, in which the pilot-to-scale transition proceeded without a pre-defined pass/fail threshold; and accountability displacement, in which automated suspensions left no named individual answerable for outcomes. Three recommendations follow on acceptance criteria, architectural accountability, and named responsibility for aggregate outcomes. Zenodo.

Governance architecture as the binding constraint on major programme delivery: HS2 and Euston. Written evidence to the House of Commons Public Accounts Committee inquiry into Delivering HS2 and Euston (May 2026). The submission argues that the recurring failures the Committee has documented since 2013 — unknown cost, undefined scope, uncertain timeline, unclear benefits — are coherent outputs of a governance architecture built for a certainty that megaprojects do not possess. The reset, together with the Stewart and Lovegrove reviews, is the opportunity to replace that architecture rather than re-forecast within it. Five recommendations follow: replacing binary commit-or-cancel governance with a staged three-state architecture (Active, Standby, Exit) with defined annual review triggers and transition criteria; re-baselining cost, scope and risk on a fixed annual cycle — jointly owned by the Department's Accounting Officer and Senior Responsible Owner — rather than on crisis; making optimism-bias correction structural and independent through reference-class forecasting at each re-baseline; introducing a Cost of Delay test to complement the benefit-cost ratio for periodic continuation decisions; and tracking benefits and community impact as flows, re-baselined automatically with scope changes. Zenodo.


V. Contributions to international standards bodies

Public comments submitted to NIST on frameworks under active development. The recurring observation is the same as in the parliamentary submissions: technically detailed guidance that does not specify how to measure whether implementation has succeeded, and no methodology for prioritising effort when resources are constrained. NIST frameworks carry practical weight beyond the United States — the NCSC and NHS cybersecurity assurance draw on CSF logic — which makes structural gaps in the originating documents consequential beyond their immediate jurisdiction.

Risk framing, tiering, and shared responsibility in NIST CSF 2.0. Public comment submitted to NIST (published among CSF 2.0 Concept Paper responses, February 2023). Three structural gaps in CSF 1.1 identified for the 2.0 revision: the absence of a reference to risk framing (SP 800-30's mechanism for focusing assessment on the most consequential risks rather than spreading effort across all risks equally); insufficient guidance on managing risk across all three tiers, with CSF 1.1 effectively defaulting to Tier 3 in a period of elevated Tier 1 exposure; and no explicit treatment of shared responsibility under cloud deployment, where the customer remains accountable for meeting the chosen security profile regardless of what the provider controls.

Measurement and prioritisation gaps in NIST SP 1800-44A (DevSecOps). Public comment submitted to the NIST NCCoE (September 2025). The draft provides technically sound implementation guidance but specifies no method for measuring whether that implementation produces the stated outcomes, and no framework for prioritising effort where budgets, personnel, and time are finite. Without these, DevSecOps adoption becomes compliance theatre — technically active, operationally unmeasured. The submission proposes a metrics architecture across four domains (adoption progress, security effectiveness, developer experience, and integration of DORA delivery metrics, i.e. DevOps Research and Assessment, not the EU regulation of Section I) and a prioritisation methodology grounded in flow-constrained risk management. It recommends a dedicated Operational Excellence Framework section in the final guide, with gaming-resistant maturity metrics designed to distinguish genuine security improvement from superficial target achievement. Zenodo.


For enquiries regarding regulatory advisory and policy consultation, please get in touch.
