SOC 2 Type II is the de facto standard for B2B SaaS selling to enterprise clients in the United States. Here is what it really is, what it covers (and doesn't), and how to obtain it in 9-12 months — alone or paired with ISO 27001.
A RAG (Retrieval-Augmented Generation) pipeline in production combines an LLM with an external knowledge base. It faces three specific attack families: index poisoning, cross-tenant leakage, and indirect prompt injection via retrieved documents. Here is the defensive pipeline.
The Cyber Resilience Act is probably the most impactful European regulation for software publishers in 2026-2027. Its scope is broad: any product with digital elements placed on the European market. The penalties once it applies are severe: no CE marking means no market placement, including updates to products already deployed.
On August 2, 2026, the EU AI Act enters its most consequential phase: the high-risk system obligations defined in Annex III take effect. Here is the operational roadmap for providers and deployers, with the 7 mandatory technical pillars in production.
The NIS2 Directive (EU 2022/2555) was transposed into French law in 2025. Companies in 18 strategic sectors must achieve compliance before October 2026. Here is the operational guide for European SMBs and scale-ups.
For a B2B SaaS targeting enterprise clients in Europe, ISO 27001 has become a de facto entry requirement. Here is the realistic 12-month roadmap, the budget envelope, and how it fits together with SOC 2 Type II for those who also want to address the US market.
When does a fractional CISO make economic and operational sense versus hiring a full-time in-house CISO? The decision is rarely obvious, and the wrong choice costs more than the salary differential.
DevSecOps in CI/CD = automated security at every commit/build/release, without blocking the product roadmap. Here is the operational stack and the four blocking quality gates that should never be optional in 2026.
An LLM in production faces 5 attack families absent from traditional pentesting. Here is the structured methodology to identify, prioritize and mitigate them, aligned with the OWASP LLM Top 10 and the NIST AI RMF Generative Profile.