
1 July 2025
We’ve come a long way in our journey through the Modern SOC. We’ve explored how AI empowers analysts, how legacy models are being reimagined from the ground up, and how External Attack Surface Management (EASM) extends visibility. But no evolution of the SOC would be complete without addressing what might be its most underestimated pillar: compliance.
To dig into the role compliance plays in shaping tomorrow’s SOC, our expert Markus Thiel, Senior Business Development Manager at Orange Cyberdefense, offers his perspective to bring regulatory clarity down to operational reality.
According to Markus, regulatory pressure has grown in lockstep with the threat landscape. "In the EU especially, hybrid threats and targeted attacks have made overseers look more closely at how organizations operate and defend themselves, particularly in critical sectors," he explains.
One major shift? SOCs are no longer seen as purely technical responders. They're now expected to align with business-level risks and governance structures, playing a key role in the Three Lines Model of defense.
Traditional SOCs tend to focus on detection and incident response — technical, reactive, and often siloed. But today’s regulatory frameworks (like DORA, NIS2) expect more than technical response: they demand business focus, demonstrable effectiveness, traceability, and continuous improvement.
Markus points out that legacy SOCs often fail to meet these expectations because they operate in isolation: “Resilience is the goal. You can’t achieve that with a purely reactive setup - and definitely not without strong collaboration and clearly defined dispatch of responsibilities.”
When it comes to compliance, it’s not enough to just react: you must be able to prove how and why you acted. “Proper logging and traceability mean that every action is grounded in elements of the policy-pyramid, and documented accordingly,” Markus explains.
This includes not just basic event or alert information. Even more important is the inclusion of workflow content — such as the results of advanced analyses and the actual impact on specific business processes and outcomes. For example, under DORA, specific incident report attributes are explicitly defined in Level 3 documents, and organizations must be able to demonstrate — and regularly test — their ability to deliver these on time.
Markus highlights a potential blind spot: “Can top management be integrated effectively into the approval process for incident reports to overseers? That’s a potential breaking point. I recommend taking the position of a supervisor and answering these questions with a healthy dose of humility.”
The modern SOC must not only detect threats but also serve as a compliance engine, enabling traceability and aligning response timelines with regulatory reporting requirements.
No compliance or regulatory framework mandates specific tooling, but there are performance expectations. And this is where automation shines. According to Markus, automation and reporting platforms can support continuous KPI documentation, faster incident triage and response, and higher-quality evidence collection. For example, if one of the internal targets is to reduce MTTR (Mean Time to Respond) for critical or important services to under four hours, SOAR technologies can help get you there and track progress along the way.
“Tools don’t replace responsibility,” Markus says, “but they help prove you’re meeting your goals.”
Is there a risk of 'compliance over security', and how can SOCs strike the right balance?
Markus is unequivocal: “I don’t see a risk of compliance overtaking security. On the contrary – compliance helps optimize security in a risk-based, measurable way.”
Rather than seeing compliance and security as competing priorities, modern SOCs must position themselves as strategic collaborators within the broader business context.
Emerging technologies like AI add new risks. Markus warns that all organizations using AI have a responsibility to ensure traceability and demonstrate how those systems are developed, tested, and monitored.
Bottom line: good compliance doesn’t dilute security; it grounds it in business risk and accountability.
In Markus’ view, the modern SOC can no longer operate in a vacuum. “The SOC must be equipped with up-to-date information and insights in real-time; and act as a feedback channel into the wider organization.” This means creating tight collaboration loops with risk management, first-line functions or the governing body. The SOC delivers:
This positioning transforms the SOC from a cost center to a strategic enabler, keeping every part of the organization better informed and more resilient.
If you’re trying to modernize your SOC, Markus has a clear message: start with skilled people, then mature processes, and finally state-of-the-art technology.
“Technology is replaceable,” he says. “What matters most is the interpersonal and organizational framework that enables the SOC to support real business goals.” His approach:
This isn’t just theory: it’s the foundation for the continuous improvement that modern regulatory frameworks demand.
Our experts can help you assess, align, and elevate your security operations, from DORA and NIS2 readiness to building a resilient, audit-ready SOC.
Markus Thiel is Senior Business Development Manager at Orange Cyberdefense Germany. With over 20 years in IT security, compliance, and risk management, he has led ISMS, SIEM, and SOAR programs across industries. Markus has deep expertise in frameworks like ISO 27001, BAIT/VAIT, and standards including DORA, NIS2, and GDPR. A seasoned architect of secure operations, he helps large organizations build compliance-ready SOCs through governance, automation, and strategic resilience.