The EU is not alone in linking cyber security expectations to regulation. The CMMC framework of the American Department of War imposes concrete requirements on companies worldwide, including in the EU.
If the EU regulates, the rest of the world will follow in one way or another. The European market is too important to ignore, which means that the impact of regulations such as NIS2, DORA and the GDPR is felt worldwide. However, Europe is not the only one that can use internal rules for a global impact: from November of this year, companies worldwide must comply with the requirements of the Cybersecurity Maturity Model Certification (CMMC) program.
Global obligation
The obligation applies to all organizations in the supply chain of the US Department of War (formerly the Department of Defense, but rebranded by President Trump without the needed congressional approval). “That’s 200,000 to 300,000 companies worldwide,” estimates Chris Dimitriadis, Chief Global Strategy Officer at ISACA. ISACA is responsible for the worldwide training, examination and certification of professionals within the CMMC framework.
Dimitriadis clarifies what exactly is going on: “NIS2 is a regulation, just like DORA. Companies must comply with the rules, but concrete control mechanisms are lacking. In the US, there is now also regulation and it refers to a very specific framework: CMMC.”
Concrete requirements, also in the EU
In other words, the regulations in the US are linked to a framework that does contain concrete controls. “The CMMC framework is based on the NIST standards in the US. It is owned by the American Department of War,” Dimitriadis explains. The link between the regulations and the framework ensures that organizations get a very concrete picture of what exactly is expected of them. “The requirements are less vague than those of other regulations,” he says.
The CMMC obligations do not distinguish between large and small companies. Every organization that is in any way involved in supplying solutions that the American armed forces use must comply. “It doesn’t matter where the organizations are located,” Dimitriadis notes.
“In the EU, there are many companies that will fall under the CMMC obligations,” he continues. “In November of this year, it will be mandatory to comply with Level 1 and Level 2. In November 2027, it will be time for the stricter Level 3 obligations. By the end of 2028, every company in the supply chain must be truly certified.”
An army of specialists
That certification takes some doing. Dimitriadis further explains: “The CMMC framework is owned by the US Department of War and the non-profit CyberAB is the manager of the entire ecosystem. CyberAB works with various parties: ISACA is the CMMC Assessor and Instructor Certification Organization or CAICO for short. Then there are the C3PAOs: the organizations that provide audits for the sector to which the regulations apply, and that employ professionals who are certified by the ISACA CAICO.”
“ISACA is tasked with building the workforce,” says Dimitriadis. “We will help create a global availability of cyber security experts with a deep understanding of the controls of CMMC: CCAs, CCPs and CCIs. ISACA was chosen as CAICO for several reasons. The organization has approximately 200,000 members worldwide and has more than 55 years of experience in cyber security. Building a foundation of holistically trained people is at the core of what we do.”
Those trained and certified professionals can then get to work in various ways. They can choose to work for C3PAOs as an assessor or teacher, or they can work in the defense sector to implement the framework in practice. The C3PAOs must check on behalf of CyberAB whether organizations are actually in compliance with their obligations according to CMMC.
Holistic approach
Companies themselves naturally also need specialists in the CMMC framework to achieve compliance. Dimitriadis explains in more detail how that ideally works.
“Everything starts with a risk analysis, in which organizations check which rules they need to comply with. For example, NIS2 has rules, but no controls. There are obligations and penalties associated with this. The same applies to DORA. The American regulation, 32 CFR Part 170, does offer concrete requirements by referring to the CMMC framework.”
“Then they have to create their own holistic framework in which all obligations come together. This can be done, for example, via the CMMI framework, or the COBIT framework from ISACA. You can see that work as Lego blocks that you click together, bringing together CMMC, ISO and other standards.”
“When organizations have done that, they will quickly determine that the many requirements overlap. For example, CMMC has controls for incident response, and NIS2 has requirements regarding this. With a few adjustments to the holistic framework, you ensure compliance for both.”
“To pour all the requirements into a holistic framework, you naturally need people who have received the right training,” Dimitriadis notes. “When you have people who have completed the right training courses, they can work out the correct path towards compliance. Without the required knowledge, organizations run the risk of getting bogged down in costs and overhead.”
Attractive training pathway
ISACA itself has indicated more than once that the supply of cyber security professionals does not meet the demand. Dimitriadis hopes that the CMMC professionals will be a catalyst for improving this situation, rather than a hurdle.
“CMMC relates to the military sector. Security tailored to defense is the gold standard,” says Dimitriadis. “Moreover, American regulations are driven by compliance requirements and mandatory audits. As such, there are incentives to follow the training. The demand for experts is guaranteed by the regulations. Anyone who completes the certification can look forward to a career as a specialist in one of the most important cyber security standards in the world.”
ISACA expects that this concrete guarantee of relevance of the certification will encourage people to pursue it. Furthermore, ISACA works closely with academic institutions to find enough people. “We strongly believe that we can train the necessary workforce,” says an optimistic Dimitriadis.
For European organizations large and small, CMMC means that they must meet a new set of requirements, but as Dimitriadis indicates, that does not mean that they have to start from scratch. Dimitriadis concludes: “It’s still about cyber security. There are of course differences in the requirements of regulations and frameworks. It is never the case that compliance with one regulation also covers all other regulations. But with a holistic approach, it is perfectly possible to bring all cyber security requirements together.”
