Critical sectors face increasing cyber and IT threats, with disruptions impacting operations, data, and public trust. Regulatory expectations — including NIS2, the CER Directive, GDPR, and other frameworks — are pushing organisations to adopt structured, proactive approaches to safeguarding systems and services. This session examines how regulatory expectations are shaping the convergence of IT risk management and operational resilience. Drawing on high-profile incidents and regulatory actions as illustrative examples, it will explore why these requirements exist, the types of weaknesses regulators are seeking to address, and the operational and compliance ramifications when organisations fall short. Attendees will gain a clearer understanding of what “good” looks like from a regulatory perspective, how cyber and IT risk ties into resilience outcomes, and why anticipation, coordination, and preparedness are now critical for protecting essential services.