
NIS2, CRA, and AI – the new rules of cybersecurity

Introduction
SecureSafe (DSwiss AG) CEO Alexander Sommer was recently interviewed by IT Business (it-business.de), one of Germany's leading publications for IT decision-makers. In the interview, conducted by editor Dr. Stefan Riedl, Sommer shares his perspective on what it takes to navigate today's converging pressures of regulation and AI-driven cyber threats, and what organisations need to do right now to stay ahead.
Key Takeaways
- Stop buying tools. Regain clarity on what you actually operate and where the real risks are.
- Three priorities: clean asset inventory, identity and permission hygiene, tested incident response.
- Regulators are penalising good documentation paired with weak execution. Operational proof is what counts.
- AI makes existing attacks faster and cheaper, not categorically new. Deepfakes, spear phishing, and session theft are the live threats.
- Harden identity first. Phishing-resistant MFA and minimal admin rights cut off the easiest attack paths.
- Digital sovereignty means knowing where your data is and being able to move or isolate it fast.
- Use compliance pressure to simplify architecture, not just tick boxes.
- Assign decision accountability, not policy ownership. Incident command must be practiced before a crisis hits.
Clarity and control over new tools
With NIS2 and the Cyber Resilience Act (CRA) now firmly on the agenda, Sommer argues that 2026 should be less about purchasing new tools and more about regaining clarity and control. Most IT landscapes have grown organically over time – accumulating cloud services, exceptions, and shadow admin accounts – leaving systems optimized for speed, but fragile under stress. His starting point: an honest inventory of what you actually operate, what is truly critical, and where the real risks lie.
Three concrete priorities for 2026
From there, Sommer outlines three immediate areas of focus: an up-to-date and realistic asset and data inventory; a clean-up of identities and permissions to reduce the most commonly exploited attack paths; and an incident readiness capability that works in practice, with usable logging, clear escalation paths, and tested recovery procedures. His message is clear: regulators are increasingly penalising good documentation paired with weak execution. What counts are demonstrable operational capabilities.
AI as a game changer in cybersecurity
Sommer dedicates significant attention to the role of AI in the threat landscape. AI does not create entirely new categories of cybercrime, but it makes existing attacks faster, cheaper, and far more convincing. The most dangerous current patterns include deepfake-assisted fraud, AI-generated spear phishing combined with MFA fatigue, and token or session theft that bypasses traditional malware detection. The most effective countermeasure, in his view, is to focus on what AI amplifies most: identity, trust, and privileges. Hardening identities through phishing-resistant MFA, strong conditional access rules, and minimal standing admin rights removes the easiest path for AI-powered attacks to gain traction.
Digital sovereignty as an operational discipline
A recurring theme throughout the interview is digital sovereignty, which Sommer defines not as a preference for local providers, but as the ability to decide and recover when it matters. Can you answer, with confidence, where your sensitive data is, who has access to it, and how quickly you can move or isolate it? If not, dependency has quietly replaced control. Sommer sees the current compliance moment as an opportunity: using regulatory pressure as a lever to simplify architectures, standardise interfaces, and design systems with replaceable components, turning compliance from a cost centre into a strategic asset.
Governance: from policy responsibility to decision responsibility
Finally, Sommer stresses the need for a shift in security governance: away from policy ownership and toward clear decision accountability. Who decides? Who is responsible? Who communicates? Who acts? These questions must be answered at both board level and in day-to-day operations. Incident readiness, for example, cannot be designed during a crisis. It requires pre-defined classification criteria, an escalation path that functions within hours, and a practised incident command structure that brings together IT, security, legal, and communications.
👉 Read the full article on IT Business:
https://www.it-business.de/nis2-und-cra-in-zeiten-von-ki-es-wird-ernst-a-0656f50b91e229cc71487436f25e45b2/
Published on: it-business.de
Author: Dr. Stefan Riedl
Conclusion
The rules of cybersecurity are not fundamentally changing, but the cost of getting them wrong is. What NIS2, the CRA, and AI-driven threats collectively demand is operational discipline: knowing what you run, controlling who has access, and being ready to act before a crisis forces your hand. Compliance is the floor, not the ceiling. The organisations that treat this moment as a prompt to simplify and strengthen will come out ahead. The ones that treat it as a documentation exercise will not.


