Hook

Video Poster Image

Key Takeaways:

  • Process Before Platform
    Map your customer journey first. Then choose the tools that support it. Automation without clarity just amplifies the chaos.
  • Build a Single Source of Truth
    Stop juggling multiple systems. Pick one core platform for data and integrate everything else into it.
  • Automate the Repetitive, Personalise the Rest
    Automate the predictable. Keep the personal moments human. That’s how you stay connected while scaling.
  • AI Should Be Your Teammate, Not Your CEO
    Use AI to assist, not decide. It should lighten your cognitive load — not replace your judgment.

If your business feels like it’s held together with spreadsheets and wishful thinking, this episode will show you how to scale without losing the soul of your brand.

Sub-Header 1

Sub-Header 2

Sub-Header 3

Sub-Header 4

Sub-Header 5

Sub-Header 6

Sub-Header 7

Sub-Header 8

Sub-Header 9

Sub-Header 10

NIS2 Is Filling Your Pipeline. Here's Why Your Cybersecurity Consultancy Still Isn't Growing

Jul 07, 2026

What you'll take away from this

  • A packed NIS2 or DORA pipeline can feel like proof the business is working, but compliance work is deadline-driven, so the phone goes quiet the moment the certificate is on the wall.
  • Certifications are pass-or-fail, which pushes buyers to compare you on price and speed rather than your judgment, compressing what you can charge.
  • Compliance delivery is judgment-heavy, so it's hard to hand off, and every project routes back through you. Busier doesn't mean growing or less dependence on you.
  • The founders who come out of this stronger use the compliance project as the start of a relationship, not the whole of it.
  • Build that deeper positioning while the rush is happening. Wait until the deadline passes and you're starting cold with buyers who've already filed you under "compliance vendor."

In a gold rush, the miners get busy. The merchants get wealthy.

Somewhere near you right now, there's a founder trying to grow a cybersecurity consultancy who is booked solid into the autumn. Seven NIS2 projects, five DORA assessments, a calendar with no gaps, a phone that won't stop. Twelve months from now, that same founder is likely starting from scratch, and they won't quite understand why.

The compliance wave is real. Deadlines have already passed, more are landing across 2026, and enforcement is tightening. CyberSmart's 2026 research found only 16% of businesses required to comply with NIS2 are confident they actually are. That gap between where buyers need to be and where they are is why your phone is ringing.

The work is legitimate. What almost all the advice in this market skips is what that compliance-led growth does to your business model over the next three years, not the next three months. If your pipeline looks full right now, this is worth ten minutes of your time if you want to scale up to meet it.

Why does compliance work stop a cybersecurity consultancy from growing?

Three mechanics, and none of them are obvious until they've already happened.

Certifications are pass or fail.

When the output is binary, buyers only have one way to compare suppliers: price and speed. Fifteen or twenty years of experience compresses down to who can get them to Cyber Essentials Plus, or across the NIS2 line the quickest. The work hasn't changed. The market's relationship to it has.

Your pipeline becomes calendar-driven.

Compliance is deadline-led, so demand spikes when a regulation is hot and drops the moment the certificate is on the wall. You've probably already felt a version of this: a retainer pitch that went nowhere because the client said, "but we're certified now, what would we be paying for?" That's this cycle completing. GDPR ran the same way.

Judgment-heavy delivery makes you the bottleneck.

Compliance work is hard to delegate because so much of it depends on your personal judgment. Every project runs through you, because it has to. So you get busier and become a bigger bottleneck at the same time. And if every project runs through you, you're trading your hours for money, and there are only so many of those in a year. That's a hard ceiling, not a growth path. (If that pattern sounds familiar beyond compliance work, this piece on scaling back to grow bigger goes deeper on it.)

The miner and the merchant

During the Klondike Gold Rush of 1896, roughly 100,000 people made the journey north chasing gold that was genuinely there. But the people who got rich weren't mostly the miners breaking their backs in freezing creek beds. It was the merchants who sold the boots, tools, and supplies every miner needed.

The miner in your business chases the visible demand, takes every compliance call, prices to match the market, and builds a business that depends on the next regulatory deadline with you behind every single engagement. When the rush passes, the miner starts over.

The merchant uses the compliance event as a foot in the door. They deliver exactly what the client asked for, and then ask a different question before scoping it: "What is this certification actually making you worried about?" Because the certificate deals with the deadline. It doesn't deal with what happens the next time a regulation lands, or the board asks a question nobody has an answer to. The merchant position doesn't expire when the certificate does.

What should you do with the compliance work landing on your desk?

Take it. It's real, it's paying, and it's your access point to buyers you'd never otherwise meet. The shift is in what you do once you're in the door of their business.

Deliver the certificate the client asked for. Then have the conversation most compliance vendors never get to: what happens to their risk, board, and reputation the next time something changes and they haven't got an answer ready. Sell them what they want, then help them see what they need. That's the relationship a project alone can't build, and a packaged, repeatable way to deliver it is what turns one certificate job into a client who stays.

What keeps cyber founders stuck in the compliance cycle?

Treating the rush as a positioning strategy.

"We do compliance" is a category, not a position. Thousands of other consultancies share it, and when the rush passes, there's nothing left to stand on.

Waiting until after the rush to build something different.

This feels sensible because you're busy and cash is coming in. But the founders coming out of this stronger are building their deeper position now, while the rush gives them access. Wait until the deadline passes and you're either starting cold with a market that's already categorised you, or going back to clients you've already delivered for, and who as far as they're concerned, the door is closed again. So you end up chasing work with a hint of desperation off you.

There's a reason the rush feels like the whole answer, by the way. Your brain uses how often it sees something as a shortcut for how important it is. When every LinkedIn post and trade article says "capitalise on the compliance demand," that repetition reads as a strategic signal. It's pattern recognition doing its job in an environment it wasn't built for. 

 


 

Frequently asked questions

Is NIS2 still a business opportunity for cybersecurity consultants in 2026?

Yes, and a large one. With only 16% of in-scope businesses confident they're compliant, the delivery gap is real. The risk isn't the work drying up this year. It's building your whole business model on it.

Does NIS2 or DORA actually apply to my clients right now?

I'm not a cybersecurity expert, so I'd suggest you verify this, but from what I can gather, it depends on their sector, size and country. DORA has applied to financial entities since January 2025. NIS2 deadlines vary by member state, and national legislation is still catching up in places, so check your client's obligations against their national competent authority rather than a blog post, including this one.

Why does my retainer pitch keep dying after the compliance project ends?

Because you've positioned yourself as a vendor for one deliverable, so once it's done, there's nothing left to pay for. Retainers only land when the client already understands the ongoing value before you pitch one.

How do I ask about a buyer's deeper concerns without it feeling like an upsell?

Ask because the answer changes how you'll help, not because it opens a sales door. "What is this certification making you worried about?" is a genuine scoping question. Buyers can tell the difference.

Is this a positioning problem or a pricing problem?

If you're winning work but every proposal is bespoke, every price is negotiated fresh, and every project ends the relationship, that's positioning. A pricing problem looks different: you're losing work you want on cost alone.

How do I know if I'm building a miner's business or a merchant's?

Look at what survives a passed deadline. If your pipeline empties when the regulation cools, you're mining. If clients stay because you're the person they think with, not just the person who certified them, you're the merchant.

 


 

Related reading

 

Resources mentioned

  • CyberSmart NIS2 Survey 2026. 670 business leaders surveyed across the UK, Ireland and the EU, late 2025. Found only 16% of businesses required to comply with NIS2 are confident they're fully compliant. cybersmart.co.uk/nis2-research-2026
  • Business growth diagnostic. A 3-minute self-audit that shows you whether you're currently building a miner's business or a merchant's. Worth doing before the next deadline. [Add your tracked link]
  • Millionize, The Built Beyond You System. For cybersecurity founders ready to turn expertise into a business the team can sell and deliver without everything going through them. 

Stay connected with episodes, news and behind-the-scenes updates!

We hate SPAM. And we will never sell your information, for any reason.

Frequently Asked Questions

Resources Mentioned

Recent Episodes

NIS2 Is Filling Your Pipeline. Here's Why Your Cybersecurity Consul...

The Real Reason Buyers Pick the Big 4 Over Better Cybersecurity Firms

Why Being the Best in Your Business Is Capping Your Growth