Regulated IT,
in plain English.
The acronyms and jargon that run regulated IT programmes — what each one actually means, and why it matters when you’re trying to deliver. Search, or filter by area.
NIS2
RegulationThe EU’s second Network & Information Security Directive — cybersecurity risk-management and incident-reporting obligations for “essential” and “important” entities across critical sectors. In force in Denmark since 1 July 2025.
Why it matters: it’s a delivery programme wearing a legal costume — the controls have to operate, not just exist on paper. See the NIS2 playbook →
DORA
RegulationThe Digital Operational Resilience Act — the EU regulation making financial entities able to withstand and recover from ICT disruption, covering ICT-risk management, third-party oversight, incident reporting and resilience testing. Applicable since 17 January 2025.
Why it matters: third-party risk and resilience testing are exactly where paper compliance falls over. See the deadline tracker →
GxP
RegulationThe umbrella for “good practice” regulations in life science — GMP (manufacturing), GLP (laboratory), GDP (distribution) and more. Governs how regulated products, and the systems that make them, are controlled.
Why it matters: in a GxP estate a system isn’t “done” until it’s validated and the evidence is audit-ready. See the GxP migration playbook →
CSV / CSA
RegulationComputer System Validation — documented proof that a computerised system does what it’s supposed to — and its risk-based successor, Computer Software Assurance, which focuses effort on what actually carries patient/product risk.
Why it matters: it’s the difference between a system that’s “migrated” and one that’s signed off.
EU GMP Annex 11 & GAMP 5
RegulationAnnex 11 is the EU GMP rule for computerised systems in regulated manufacturing; GAMP 5 is the industry guide for validating automated systems in a risk-based way.
Why it matters: together they turn a “simple” datacenter move into a re-qualification event — and let you put the validation effort where the risk really is.
ALCOA+
RegulationThe data-integrity principles regulators expect: Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring and Available.
Why it matters: if the audit trail doesn’t survive the migration intact, as far as the regulator is concerned the migration didn’t happen.
ISO 27001 / ISMS
RegulationThe international standard for an Information Security Management System — a risk-based set of controls and the governance around them.
Why it matters: it’s the shared control backbone most other regimes (NIS2, DORA) end up leaning on, so evidence is built once and reused.
PCI-DSS / CDE
RegulationThe Payment Card Industry Data Security Standard, and the Cardholder Data Environment (CDE) it applies to — the people, processes and systems that store, process or transmit card data.
Why it matters: uncontrolled CDE scope is where recertification quietly stalls — keep the boundary tight.
Transition management
Transition & migrationMoving a service or estate between providers, platforms or teams without breaking it — the discipline of handing over responsibility, not just kit.
Why it matters: the hardware moves in a weekend; the accountability, knowledge and controls are the hard part.
Cutover
Transition & migrationThe actual switch from the old system or site to the new one, usually inside a tight, planned window.
Why it matters: rehearsed and reversible, or it’s a gamble with production on the table.
Hypercare
Transition & migrationThe intensive, elevated-support period immediately after go-live, before a service settles into business-as-usual.
Why it matters: the cutover isn’t done when it’s live — it’s done when it’s stable.
Datacenter migration
Transition & migrationRelocating infrastructure and workloads between sites, vendors or cloud — often alongside a mainframe or legacy estate.
Why it matters: it’s rarely a server problem; it’s a dependency-and-governance problem wearing a technical mask.
MES / SCADA / PAS-X
Transition & migrationThe systems that run and control pharma manufacturing — Manufacturing Execution Systems, supervisory control (SCADA) and PAS-X (a common MES).
Why it matters: production-critical and validated — you don’t get to take them down to make your migration convenient.
Carve-out / divestiture
Carve-outSeparating a part of a business — and the IT that runs it — into a standalone entity, whether sold, spun off or split.
Why it matters: it’s an integration problem in reverse: disentangling shared people, systems, networks and contracts against a fixed date. See the carve-out playbook →
TSA (Transitional Service Agreement)
Carve-outThe temporary services the parent company keeps providing to a carved-out entity after close, until it can stand on its own.
Why it matters: every extra month of TSA is margin bleeding to the parent — the exit clock is the point. See what it’s costing →
Day 1 readiness
Carve-outThe minimum set of capabilities the separated entity needs to operate independently from the moment the deal closes.
Why it matters: over-scope it and the separation quietly becomes a permanent dependency on the parent.
Programme turnaround / recovery
GovernanceTaking over a programme that’s red, stalled or in crisis and getting it back to delivering.
Why it matters: it’s almost always a governance fix, not a talent one — the people can build; no one can decide. See the turnaround playbook →
Steering committee (SteerCo)
GovernanceThe governance body meant to steer a programme — set direction, unblock decisions, own the escalations.
Why it matters: it’s where decisions are supposed to be made — and, on a troubled programme, often where they’re quietly avoided. Read: why your SteerCo is lying to you →
RAG status
GovernanceRed / Amber / Green health reporting — the traffic-light summary on every programme dashboard.
Why it matters: on a stuck programme, amber is a negotiated colour, not a measurement. Learn to read around it.
Decision rights / RACI
GovernanceWho’s Responsible, Accountable, Consulted and Informed for each decision and deliverable — the map of who actually gets to decide.
Why it matters: unclear or disputed decision rights are the number-one reason programmes stall.
PMO
GovernanceThe Programme (or Project) Management Office — the function that owns reporting, controls, planning cadence and governance mechanics.
Why it matters: it’s the engine room; when it’s weak, the programme flies blind.
No terms match that search. Try a different word, or clear the filter.
The terms are simple. Delivering against them isn’t.
That’s the gap I work in — turning the regulation and the acronyms into a programme that actually delivers.
See the playbooks →