Cybersecurity | 6 May 2026 | 2 min read

Cybersecurity and AI: NIS2 regulation, governance requirements and compliance audits

Information security obligations now extend to AI. What NIS2-subject organisations should anticipate.

The transposition of NIS2 broadens the perimeter of regulated entities and tightens cyber governance requirements. AI systems, as critical IS components, fall squarely within the audit perimeter: vulnerability management, penetration testing, logging, business continuity.

02. AI specifics call for complementary controls

AI specifics call for complementary controls: robustness to adversarial attacks, integrity of training data, and the supply chain of third-party models. Directors are personally liable in the event of manifest failure.

03. Alignment with the AI Act and DORA

Alignment with the AI Act and DORA must be designed upfront to avoid duplicating frameworks. A single control repository, adapted by domain, is more readable for authorities and reduces the audit burden.

Key takeaways

  • 01. AI systems, as critical IS components, fall squarely within the audit perimeter: vulnerability management, penetration testing, logging, business continuity.
  • 02. Directors are personally liable in the event of manifest failure.
  • 03. A single control repository, adapted by domain, is more readable for authorities and reduces the audit burden.

Published on: 6 May 2026

Section: Cybersecurity

Signed: Gérald Faure, Rackham Limited — Dublin office
