Current global developments clearly show that times have become more uncertain. Rising cyber threats, geopolitical tensions and rapidly changing conditions are presenting companies with new challenges. For Europe, one key question is emerging: how can we secure our economic strength without becoming overly dependent on others? Digital sovereignty — that is, the ability to independently control data, technologies and infrastructure — is emerging as a strategic factor, not only at the political level, but also in everyday business operations.
At its core, it is about how data is handled. Companies are driving digitalisation forward by relying on flexible cloud solutions and artificial intelligence. At the same time, there is a growing awareness that data is a sensitive resource that needs to be protected. The question is: what information is stored where? Which providers can be trusted? And how can control over one’s own data be maintained, even in the context of international interests?
Against this backdrop, regulatory requirements are becoming increasingly important. With the Network and Information Systems Security Directive (NIS-2), the EU is implementing measures to respond to the changing landscape and establish uniform security standards. In this interview, Alexander Mestian, Group Data Protection Officer at PALFINGER, and Robin Schmeisser, Managing Director of Fabasoft Contracts, discuss how companies can maintain their ability to innovate while adhering to security and compliance requirements.
New regulations are often perceived as an additional burden in practice. To what extent do legal requirements such as NIS-2 limit Europe’s competitiveness?
Robin Schmeisser: The goal of NIS-2 is to protect European infrastructure and businesses. The world we live in has changed. Uniform security standards and clear rules help us better assess and reduce risks. This applies not only to IT and cybersecurity, which the regulations address, but also to legal certainty for individual companies.
Alexander Mestian: New regulatory requirements are naturally viewed with skepticism at first. With the GDPR, for example, there were concerns that it would severely hinder economic growth and competitiveness. Eight years after its implementation, however, we can say that this has not happened.
PALFINGER operates in more than 30 countries, all of which have comparable data protection regulations today. With NIS-2, this discussion is happening all over again. Many people perceive such requirements as restrictions on their freedoms, similar to speed limits on the highway. Ultimately, these limits protect both the driver and other road users, thereby contributing to the long-term stability and reliability of the system.
Do you view the NIS-2 Directive as a necessary extension for the protection of network and information systems?
Alexander Mestian: I think the basic concept behind NIS-2 makes a lot of sense. First, it establishes a uniform standard for reporting security incidents. Second, the directive raises awareness of the importance of IT and data security. However, at the operational level, there is currently a lack of uniform implementation across Europe.
Robin Schmeisser: Unlike regulations, EU directives such as NIS-2 must first be transposed into national law by member states. Using the DORA regulation in the financial sector as an example, we have seen the benefit of a uniform European law, especially for companies operating internationally.
Do national implementations result in differences in the content of the respective NIS-2 laws?
Alexander Mestian: I see the biggest differences in the speed of implementation and the types of reporting and registration requirements across individual countries. The interpretation of NIS-2 is virtually identical in almost all countries. Nevertheless, location-specific analyses are currently required, which necessitates additional coordination. A centralized management solution similar to the one-stop-shop principle of the GDPR would be desirable.
Where do you see the biggest areas of action or challenges for companies subject to NIS-2?
Alexander Mestian: NIS-2 expands the scope of affected companies and requires a thorough review of IT security measures. For instance, under NIS-2, contracts with suppliers must include strict security and incident response provisions. This means the entire contract portfolio must be reviewed and adjusted as needed, a process requiring the allocation of appropriate resources, but which also contributes to greater transparency and security in collaboration.
Robin Schmeisser: This is where AI-powered software can make a significant contribution. Some of our clients use automated systems to check their contracts for deal-breaking criteria or regulatory requirements. With the click of a button, decision-makers receive an overview of which requirements have been met and where further action is needed. This saves an enormous amount of time and, thanks to modern language models, works for international companies in various languages.
Alexander Mestian: In general, supplier management is a key issue. As a company, we are obligated to audit our suppliers against a wide range of criteria, both before the start of the collaboration and on an ongoing basis. In practice, evaluating external companies at this level of detail involves significant effort, especially with regard to internal capacity and the availability of relevant information.
What control options are then left to ensure that suppliers meet the necessary security criteria?
Robin Schmeisser: The best proof of data protection and information security comes from independent certifications and audit reports. There is nothing better for customers than receiving a detailed annual audit report from an independent auditing body that confirms all requirements have been met based on standardized best-practice criteria.
Alexander Mestian: The goal is to reduce risks in a structured manner and create greater security in collaboration with suppliers. When we work with certified service providers, we establish a reliable foundation for meeting regulatory requirements and minimizing potential risks, such as those related to liability or sanctions. It is crucial that companies design transparent and traceable processes.
Robin Schmeisser: From the perspective of the board of directors or management, this is also an important issue with regard to personal liability. If appropriate documentation from suppliers is available, negligent conduct can often be ruled out.
What standards exist in this area that companies can use as a guide?
Robin Schmeisser: In the field of data protection, the EU Cloud Code of Conduct at Level 3 is considered the highest standard of compliance. With regard to information security, there are certifications such as BSI C5 in German-speaking countries, or internationally, ISAE 3000 SOC2 Type 2. When certifications are cited, it is advisable to always question their scope. It may be the case that only part of the service is covered by the certification. In addition, companies should not only check the location of the data centers but also the origin of the IT provider. Just because data is stored in Europe does not guarantee complete security. Keyword: US Cloud Act.
To remain competitive, IT service providers must therefore meet extensive requirements these days. AI, on the other hand, is often used very carelessly in practice. How does that fit together?
Alexander Mestian: We cannot and do not want to prevent artificial intelligence. On the contrary, we see it as a significant advantage for PALFINGER, especially since AI increases productivity, streamlines processes, and improves safety and decision-making. However, this field is evolving so rapidly that regulatory and practical frameworks often lag behind, which makes responsible and conscious use all the more important. This is particularly true with regard to data sources, accuracy, and copyrights. As soon as information is entered into public AI systems, control over the content can be lost, and company-owned information may leak to the outside world. It is crucial to clearly manage the use of AI and embed it strategically within the company, particularly when dealing with sensitive data.
How can companies use AI to avoid this problem?
Alexander Mestian: The only way we currently see to make AI results reliable is to control the data. Where does the AI get this data, and which data models are used? Ultimately, we make decisions based on the results. This is only feasible with good, clean data.
Robin Schmeisser: That is precisely why our AI solutions, such as those used to answer chat questions, draw exclusively on information from documents that our customers have stored in an audit-proof manner. These documents include source references, so the results can be verified.
Do humans still remain an important oversight authority?
Robin Schmeisser: AI should support humans throughout business processes. However, to ensure quality results, it's essential to integrate human expertise at the right points in a targeted manner. The information processed by the AI, as well as the decisions it makes, must be clear and easy to understand to achieve the desired acceleration of processes. Take the risk assessment of contracts, for example. When I use AI to check my contractual agreements for NIS-2 compliance, it identifies critical points, assesses them based on risk level, justifies its decisions with relevant content, and presents everything to me in a clear, organized manner. This allows me to understand the results quickly.
Alexander Mestian: At the end of the day, however, humans remain responsible for the outcome. Technological support does not alter corporate responsibility.