Cybersecurity, Compliance & Governance
Current insights from our specialized tools covering NIS2, ISO 27001, BSI IT-Grundschutz, AI Governance, DORA and GDPR.
AI Agents Under GDPR and the AI Act: When the Software Decides and Acts, Who Is Accountable?
An LLM answers a question. An agent reads, plans, calls tools, and acts — across systems you never listed in your DPIA. The agent is not a legal actor; you are. Why purpose limitation, Article 22, and least-privilege tool access decide whether an autonomous workflow is lawful or an open finding.
The DPA Is a Promise, Not a Control: Reading an AI Vendor Contract for What It Actually Binds
A signed Article 28 DPA is not, by itself, an operational control — it allocates responsibility for protecting data, down a subprocessor chain that on an AI vendor can run several parties deep into US jurisdiction. Why the controller stays accountable for the whole chain, what the contract must name, and how to read a DPA for the gaps it is silent about.
Fine-Tuning on Your Own Data: Why 'We Host It Ourselves' Solves the Wrong Half of the GDPR Problem
Self-hosting can reduce the third-country transfer exposure but leaves the harder problem untouched: once personal data has influenced the weights, deletion on request is currently difficult to verify and may demand retraining, unlearning, or output controls of uncertain reliability. Legitimate interest is not a default — it is a three-step test the EDPB sets a high bar for. Why the lawful basis must be settled before training, not after.
ChatGPT, Copilot or Gemini: What Happens to Personal Data the Moment You Type It Into an AI?
Every prompt is a processing operation — and often a third-country transfer. The DPA does not make it disappear, and on consumer or free-tier services your colleague's name can be used for service or model improvement unless settings, temporary mode, or business/enterprise terms exclude it. Why the question is not which AI you use, but who reads what you typed — and what they are allowed to keep.
AWS, GCP or Azure: Are Pseudonymisation and a Customer-Managed Key Enough for GDPR Compliance?
Not against the CLOUD Act and FISA 702 — unless you can answer one question: where is the key? Why customer-held key sovereignty, not geography and not the provider's name, is the dividing line.
The Subsidiary Trap: Why Your Company May Be in NIS2 Scope Without Knowing It
NIS2 scope explained from the ground up: the two filters of sector and size, the EU SME definition, the Article 6 consolidation method for linked (>50%) and partner (25–50%) enterprises, seven worked scenarios, and the essential-versus-important distinction — how to determine correctly whether the directive applies to your organisation.
The Microsoft 365 Dilemma: Is Microsoft 365 Really GDPR-Compliant?
A current assessment of Microsoft 365's GDPR compliance: the DSK determination of 2022, the EDPS proceedings against the European Commission, and the 2025 HBDI Hesse report — what has changed legally and what controllers must verify today.
A CISO Almost Went to Prison for Hiding a Breach
The Joe Sullivan Uber case shows what the NIS2 Directive and § 38 BSIG actually mean for the personal liability of management bodies — and why this American story has become Europe's template.
NIS2 Is Not Another Regulation. It Changes Who Gets Fired After a Breach.
How NIS2 shifts cybersecurity governance from organisational responsibility to personal liability — and what Article 20, §38 BSIG, and the German NIS2UmsuCG mean for management bodies in essential and important entities.
What Is an AI System in the Regulatory Context?
Definition, scope, and operational governance consequences under the EU AI Act and ISO/IEC standards. Why classification is the starting point of all regulatory obligations.
DPIA vs. FRIA: The EU's Double Gate for High-Risk AI Compliance
How GDPR's data-protection audit and the AI Act's fundamental-rights exam actually work together — and why the popular LinkedIn infographics are getting it dangerously wrong.