
Cybersecurity and AI: NIS2 regulation, governance requirements and compliance audits
Information security obligations now extend to AI. What NIS2-subject organisations should anticipate.
The transposition of NIS2 broadens the perimeter of regulated entities and tightens cyber governance requirements. AI systems, as critical components of the information system (IS), fall squarely within the audit perimeter and are subject to the same risk-management measures as any other IS component: vulnerability management, penetration testing, logging, business continuity.
AI specifics call for complementary controls
AI specifics call for complementary controls that the generic IS baseline does not cover: robustness to adversarial inputs (evasion, prompt injection), integrity of training data against poisoning, and security of the supply chain for third-party models (provenance and integrity checks on downloaded weights and dependencies). Management bodies are personally accountable: under NIS2 they must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements of those obligations.
Alignment with the AI Act and DORA
Alignment with the AI Act and DORA must be designed upfront to avoid duplicating frameworks. A single control library, with each control mapped to the requirement it satisfies in each regulation, offers better readability to authorities and reduces audit burden, since one piece of evidence can serve several audits.
Key takeaways
- 01 AI systems, as critical IS components, fall squarely within the audit perimeter: vulnerability management, penetration testing, logging, business continuity.
- 02 Management bodies are personally accountable and can be held liable for infringements of their NIS2 obligations.
- 03 A single control library, mapped by domain, offers better readability to authorities and reduces audit burden.
Published on
6 May 2026
Section
Cybersecurity
Rackham Limited