
DSwiss in the news: NIS2, CRA, and AI – the new rules of cybersecurity
Updated on 20.02.2026

DSwiss CEO Alexander Sommer was recently interviewed by IT Business (it-business.de), one of Germany's leading publications for IT decision-makers. In the interview, conducted by editor Dr. Stefan Riedl, Sommer shares his perspective on what it takes to navigate today's converging pressures of regulation and AI-driven cyber threats, and what organisations need to do right now to stay ahead.
Clarity and control over new tools
With NIS2 and the Cyber Resilience Act (CRA) now firmly on the agenda, Sommer argues that 2026 should be less about purchasing new tools and more about regaining clarity and control. Most IT landscapes have grown organically over time – accumulating cloud services, exceptions, and shadow admin accounts – leaving systems optimized for speed, but fragile under stress. His starting point: an honest inventory of what you actually operate, what is truly critical, and where the real risks lie.
Three concrete priorities for 2026
From there, Sommer outlines three immediate areas of focus: an up-to-date and realistic asset and data inventory; a clean-up of identities and permissions to reduce the most commonly exploited attack paths; and an incident readiness capability that works in practice, with usable logging, clear escalation paths, and tested recovery procedures. His message is clear: regulators are increasingly penalising good documentation paired with weak execution. What counts are demonstrable operational capabilities.
AI as a game changer in cybersecurity
Sommer dedicates significant attention to the role of AI in the threat landscape. AI does not create entirely new categories of cybercrime, but it makes existing attacks faster, cheaper, and far more convincing. The most dangerous current patterns include deepfake-assisted fraud, AI-generated spear phishing combined with MFA fatigue, and token or session theft that bypasses traditional malware detection. The most effective countermeasure, in his view, is to focus on what AI amplifies most: identity, trust, and privileges. Hardening identities through phishing-resistant MFA, strong conditional access rules, and minimal standing admin rights removes the easiest path for AI-powered attacks to gain traction.
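The identity clean-up Sommer lists among his 2026 priorities and the hardening he recommends here (phishing-resistant MFA, minimal standing admin rights) both start from the same question: which accounts actually hold privilege, how is it protected, and who owns it? The following script is an added illustration of that audit and is not code from DSwiss or from the interview; it runs over a small constructed inventory (the account records, role names, MFA labels and the 90-day staleness threshold are all assumptions) and flags the conditions the article singles out as the easiest paths for AI-amplified attacks.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one record per account.
# "admin_mode" is "standing" (permanent rights) or "jit" (just-in-time elevation).
ACCOUNTS = [
    {"user": "alice", "roles": ["GlobalAdmin"], "admin_mode": "standing",
     "mfa": "fido2", "last_login": "2026-02-18", "owner": "it-ops"},
    {"user": "bob", "roles": ["HelpdeskAdmin"], "admin_mode": "standing",
     "mfa": "sms", "last_login": "2026-02-10", "owner": "it-ops"},
    {"user": "svc-backup", "roles": ["GlobalAdmin"], "admin_mode": "standing",
     "mfa": "none", "last_login": "2025-09-01", "owner": None},
    {"user": "carol", "roles": ["SecurityAdmin"], "admin_mode": "jit",
     "mfa": "fido2", "last_login": "2026-02-17", "owner": "security"},
    {"user": "dave", "roles": [], "admin_mode": None,
     "mfa": "totp", "last_login": "2026-02-19", "owner": "sales"},
]

# Assumed classification of MFA methods: only these resist credential phishing.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}
STALE_AFTER = timedelta(days=90)   # assumed threshold for "nobody uses this account"
AS_OF = date(2026, 2, 20)          # audit date, matching the article's publication date


def audit(accounts, as_of=AS_OF):
    """Return a list of findings, one per (account, issue) pair."""
    findings = []
    for acct in accounts:
        is_admin = bool(acct["roles"])
        admin_severity = "high" if is_admin else "medium"
        last_login = date.fromisoformat(acct["last_login"])

        def flag(issue, severity):
            findings.append({"user": acct["user"], "issue": issue,
                             "severity": severity})

        # Standing admin rights: the privilege is always live, so a single
        # stolen token or fatigued MFA approval is enough to use it.
        if is_admin and acct["admin_mode"] == "standing":
            flag("standing-admin", "high")

        # MFA that can be phished or fatigued; worst when it guards privilege.
        if acct["mfa"] not in PHISHING_RESISTANT:
            flag("weak-mfa", admin_severity)

        # An admin account nobody owns is a "shadow admin" in inventory terms.
        if is_admin and acct["owner"] is None:
            flag("no-owner", "high")

        # Unused accounts are clean-up candidates; unused admins are urgent.
        if as_of - last_login > STALE_AFTER:
            flag("stale-account", admin_severity)
    return findings


def issues_for(findings, user):
    """Issues recorded for one account, in audit order."""
    return [f["issue"] for f in findings if f["user"] == user]


def count_by_severity(findings):
    """Totals per severity, useful as a headline number for reporting."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(ACCOUNTS)
    for f in sorted(results, key=lambda f: (f["severity"] != "high", f["user"])):
        print(f"{f['severity']:<6} {f['user']:<12} {f['issue']}")
    print("totals:", count_by_severity(results))
```

On the constructed data, the just-in-time admin with a hardware key (carol) produces no findings, while the ownerless, never-used service account with standing global rights (svc-backup) collects every flag; that contrast is the point of the exercise, since the second account is exactly the kind of organically accumulated exception the article describes. In a real environment the inventory would be pulled from the identity provider rather than typed in, and the thresholds would be set by the organisation's own policy.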
Digital sovereignty as an operational discipline
A recurring theme throughout the interview is digital sovereignty, which Sommer defines not as a preference for local providers, but as the ability to decide and recover when it matters. Can you answer, with confidence, where your sensitive data is, who has access to it, and how quickly you can move or isolate it? If not, dependency has quietly replaced control. Sommer sees the current compliance moment as an opportunity: using regulatory pressure as a lever to simplify architectures, standardise interfaces, and design systems with replaceable components, turning compliance from a cost centre into a strategic asset.
Governance: from policy responsibility to decision responsibility
Finally, Sommer stresses the need for a shift in security governance: away from policy ownership and toward clear decision accountability. Who decides? Who is responsible? Who communicates? Who acts? These questions must be answered at both board level and in day-to-day operations. Incident readiness, for example, cannot be designed during a crisis. It requires pre-defined classification criteria, an escalation path that functions within hours, and a practised incident command structure that brings together IT, security, legal, and communications.
👉 Read the full article on IT Business:
https://www.it-business.de/nis2-und-cra-in-zeiten-von-ki-es-wird-ernst-a-0656f50b91e229cc71487436f25e45b2/
Published on: it-business.de
Author: Dr. Stefan Riedl


