TOMs — Technical and Organisational Measures
Technical and Organisational Measures — universally referred to as TOMs — is the umbrella term used across EU data protection and cybersecurity law to describe the security and privacy safeguards that organisations must implement to protect personal data and information systems. The term appears in GDPR Article 32, NIS2 Article 21, DORA Chapter II, and the EU AI Act Article 9, each with a tailored but overlapping set of required measures. TOMs are the practical expression of the regulatory principle that security must be proportionate to risk — organisations must implement measures that are appropriate to the specific threats they face, the sensitivity of the data they hold, and the potential consequences of a breach.

Under GDPR Article 32, controllers and processors must implement TOMs appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. The Article gives examples — pseudonymisation, encryption, ensuring ongoing confidentiality and integrity, a process for regularly testing and evaluating the effectiveness of measures, and the ability to restore data after a physical or technical incident — but these are illustrative, not exhaustive. The goal is a risk-based security posture, documented and demonstrably implemented.

Under NIS2 Article 21, the required TOMs are more prescriptive, covering ten specific domains: policies on risk analysis and information system security; incident handling; business continuity including backup management, disaster recovery, and crisis management; supply chain security; network and information systems security in acquisition, development, and maintenance; policies and procedures for assessing the effectiveness of cybersecurity measures; basic cyber hygiene and training; cryptography; human resources security and access control; and multi-factor authentication and secure communications.
For an EU SME, TOMs are the tangible deliverable that regulators examine when conducting audits or investigating breaches. A data breach that occurs because basic TOMs were absent — no encryption, no access controls, no patching process — will attract significantly higher fines and more severe corrective orders than a breach that occurs despite documented and appropriate TOMs being in place. Demonstrating your TOMs through documented policies, system configurations, training records, and test results is the most effective way to reduce regulatory exposure across GDPR, NIS2, DORA, and the AI Act simultaneously.