With NIS2, DORA, KRITIS and the AI Act, not only is the regulatory pressure on companies growing, but so is the expectation that cybersecurity will be anchored more firmly in the organization. Implementing the regulations on paper alone does not yield a resilient security architecture.
“To expect a law to work without internal discussions is illusory,” emphasizes Christian Garske. Security requirements always have to be translated into the respective company context – organizational, technical and operational.
According to experts, this is exactly where many organizations are currently falling short. Policies, documentation and responsibility models are often in place, but in an emergency there are no clear decision-making paths, no coordinated processes and no reliable communication structures.
Götz Schartner from 8com is also increasingly observing this contradiction: “Too often we see compliance first: paper is there, but practice, decision-making ability, restart and resilient incident capability are missing.”
This becomes particularly problematic where regulatory requirements meet highly dynamic cloud and AI environments. Because while technologies are constantly changing, the governance structures of many companies remain comparatively sluggish. This is precisely what creates a dangerous gap between formal compliance and actual security capabilities.
For Andreas Hedderich it is therefore clear: “The attacker can try out new paths and loopholes much more quickly. Defenders, on the other hand, have to further develop people, processes, standards and technologies at the same time.”
Rethinking governance
So how do you bridge the gap between technology and organization? The good news: the organizational challenges of modern cybersecurity can be addressed. The bad news: there is no single technology, framework or compliance requirement that solves the problem automatically.
Companies should therefore first accept that security is now a cross-cutting task. Governance, IT, specialist departments, legal, compliance and management must work much more closely together than before. Security decisions should be made neither exclusively in IT nor exclusively at management level. What is crucial is a shared understanding of which risks are actually business-critical and how they should be handled.
At the same time, clearly defining responsibilities is becoming more important. Who decides on the use of new AI applications? Who assesses risks in cloud services? Who has operational responsibility in an emergency? Such questions should not be answered for the first time in the middle of a security incident.
A pragmatic approach is also recommended when it comes to AI. Companies do not have to regulate every new technology immediately. However, they should establish guardrails early on: clear guidelines for the use of AI, defined release processes for new use cases, and transparency about which systems and data are actually affected.
It is equally important not to measure security exclusively through compliance. Documentation, policies and audits remain necessary, but they say little about whether a company is actually able to act in an emergency. Regular exercises, incident response tests and clearly defined communication channels usually give far more meaningful insight into the actual level of maturity.
For Petra Maria Grohs from Hitachi Vantara, this is precisely the real challenge: “Many companies now know exactly what they have to do in terms of regulation,” she explains. “The real challenge, however, is to see security not just as a compulsory exercise, but as a business enabler.”
In the end, successful cybersecurity is less and less defined by individual protective measures. What is more important is whether organizations are able to continuously translate technological changes, regulatory requirements and new threats into functioning processes. Especially in the age of AI, governance is turning from an administrative tool into a strategic core competency.
Participants in the roundtable “IT and Cloud Security 2026”
Christian Garske, Lufthansa Industry Solutions:
“The biggest challenge for many companies is not a lack of technology, but the question: Which framework is right for my organization – and how do I orchestrate this sensibly?”
Andreas Hedderich, Microfin:
“In many companies there is too little overlap between governance, security and engineering. There are processes and responsibilities, but often no common understanding of a common goal.”
Petra Maria Grohs, Hitachi Vantara:
“Security is a management task. But if it is not possible to integrate the business into these processes, any security strategy will ultimately remain ineffective.”
Frank Schwaak, Rubrik:
“The threat situation is currently changing massively. Many attackers no longer want to completely paralyze companies, but rather infiltrate them and allow operations to continue in a controlled manner.”
Daniel Schormann, Spike Reply:
“We see enormous technological dynamism, but at the same time there is still great cultural resistance in many organizations. Even massive security incidents often do not lead to lasting changes.”
André Feigenbutz, Vornac:
“AI will also play an increasingly important role in blue teaming in the future. Many companies have been experimenting very intensively with corresponding technologies for over a year.”
