Key Takeaways
Cybersecurity and artificial intelligence (AI) have become matters of national security, with private companies now playing a central role. The interlocking nature of regulatory frameworks (AI Act, NIS 2, GDPR, Cybersecurity Act, export controls, investment screening) shifts cyber risk from one-off compliance to ongoing responsibility. A cyber incident now immediately becomes a regulatory, financial and reputational crisis, for which executives may be held personally liable. Cyber resilience requires an integrated architecture: dynamic risk mapping, vertical governance from the chief information security officer (“CISO”) to the board of directors, horizontal cross-functional governance integrating business-specific requirements, and mobilisation of the human factor and a trusted partner ecosystem.
When the European Commission published its “Advancing European Economic Security” strategy in January 2024, it formally recognised a shift long anticipated by leaders in the technology sector: the boundary between private economic interests and sovereign interests has, almost imperceptibly, largely disappeared [1]. Data, algorithms and source code have become strategic assets in the same way that steel or uranium were in the last century.
[1] European Commission, communication “Advancing European Economic Security”, COM(2024) 22 final, 24 January 2024.
Three dynamics explain this turning point. First, the transformation of conflict: according to the NATO Strategic Concept adopted in Madrid in 2022, hybrid threats (cyberattacks, information interference, algorithmic manipulation) are now treated as a fully-fledged theatre of confrontation, directly involving private actors that control critical infrastructure [2]. Second, the massive public investment in dual-use technologies (AI, drones, cybersecurity), driven by major powers such as the United States, China and, more recently, the European Union. Third, the operational convergence between AI and cybersecurity: according to the French National Cybersecurity Agency (“ANSSI”), generative AI lowers the technical barrier to entry for malicious actors, while simultaneously becoming an essential defensive tool [3]. According to Eurostat, 20% of EU companies with ten or more employees used AI in 2025, representing a 6.5 percentage point increase in one year, thereby significantly expanding the attack surface [4].
[2] NATO, NATO Strategic Concept, Madrid Summit, 29 June 2022.
[3] ANSSI, Panorama de la cybermenace, 2024 and 2025 editions.
[4] Eurostat, “20% of EU enterprises use AI technologies”, 11 December 2025.
This evolution is now reflected in an unprecedented increase in AI-enabled attacks, the volume of which has risen by nearly 90%. Intrusion speed has also accelerated dramatically: system compromise now occurs in under thirty minutes and, in some cases, within seconds. The resulting time asymmetry is considerable: a cyberattack can overcome 87% of defences in minutes, while more than two-thirds of its consequences (68%) may only become apparent several months later. Finally, attack methods are evolving: more than 80% of intrusions now rely on exploiting legitimate identities and access rights rather than deploying malware [5].
[5] CrowdStrike, 2026 Global Threat Report: Year of the Evasive Adversary, 2026.
For leaders of technology companies, the conclusion is unequivocal: cybersecurity and AI are no longer purely technical matters confined to IT departments. They are national security issues that expose governing bodies to unprecedented legal, financial and reputational risks.
I. Interlocking frameworks reshaping the nature of risk
From sector-specific rules to a regulatory continuum
In an unusually rapid and dense legislative effort, the European legislator has, within less than five years, created a highly comprehensive legal framework. Regulation (EU) 2024/1689, known as the “AI Act”, governs the development and marketing of AI systems through a risk-based approach, imposing on “high-risk” systems a compliance regime comparable in spirit to that of medical devices [6]. The NIS 2 Directive significantly broadens the scope of entities subject to cybersecurity obligations under the supervision of ANSSI in France [7]. This expanded scope includes strategic sectors such as biotechnology, whose value chains rely on sensitive data, as well as defence and dual-use technology actors at the core of sovereignty and national security issues.
[6] Regulation (EU) 2024/1689 of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act).
[7] Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (“NIS 2”).
Alongside these instruments, Regulation (EU) 2019/881 (Cybersecurity Act) has given a permanent mandate to the European Union Agency for Cybersecurity (“ENISA”) and established the foundations of a European certification framework aimed at harmonising the assessment of digital products and services. In parallel, the European cybersecurity strategy for the digital decade structures EU action around strengthening infrastructure resilience, developing shared operational capabilities, and promoting an open and sovereign cyberspace. The General Data Protection Regulation (“GDPR”), which the Court of Justice of the European Union confirmed in its landmark La Quadrature du Net decision applies even to activities related to national security where they fall within EU law [8], continues to impose high standards for data protection.
[8] CJEU, La Quadrature du Net and Others, 6 October 2020, joined cases C-511/18, C-512/18 and C-520/18.
To this must be added regimes governing foreign investment screening (Articles L.151-3 et seq. of the French Monetary and Financial Code, Regulation (EU) 2019/452, currently being revised following the political agreement of 11 December 2025 [9]) and export controls for dual-use goods, the revision of which was announced by the European Commission in January 2024. This apparent fragmentation reflects a common underlying strategy: to protect European strategic interests by regulating flows of data, capital and technology.
[9] Articles L.151-3 and R.151-1 et seq. of the French Monetary and Financial Code; Regulation (EU) 2019/452 of 19 March 2019 on the screening of foreign direct investments.
Flows as the central object of regulation
A “flows-based” reading provides the most coherent understanding of the current regulatory dynamic. Investment flows have become subject to continuous screening: in France, the Treasury Directorate now arbitrates in real time between economic attractiveness and industrial sovereignty. Data flows, both personal and industrial, are subject to enhanced oversight, with the European Data Protection Board (“EDPB”) issuing in 2025 its first joint guidelines with the Commission on the interplay between the GDPR and the Digital Markets Regulation. Finally, flows of sensitive technical information fall within export control regimes, whose expansion in both the United States and Europe reflects the growing recognition that AI model weights may be as sensitive as the chips used to compute them.
This focus on flows explains the growing influence of national and European authorities (ANSSI, CNIL, EDPB, as well as their UK and German counterparts), whose guidance—once confined to specialist circles—now shapes the operational environment of companies.
Materialisation of risk: when compliance becomes liability
For technology companies, a cyberattack is no longer a purely technical incident. It immediately triggers a cascade of regulatory obligations (including notifications to data protection authorities within 72 hours under the GDPR, reporting to ANSSI under NIS 2, and financial disclosures to markets), potential administrative sanctions, mass civil litigation, and even criminal reporting obligations to specialised cybercrime prosecutors.
CNIL’s 2025 report is illustrative: 17,802 personal data breach notifications were received, an unprecedented volume partly explained by attacks targeting software providers and sports federations, demonstrating—according to the authority’s own words—that “no one is spared” [10]. For operators managing large datasets, CNIL has identified multi-factor authentication and subcontractor access security as key priorities for 2026, alongside targeted inspections.
[10] CNIL, Rapport annuel 2025: 17,802 personal data breach notifications in 2025 (6,167 after restating two exceptional supplier incidents), up 9.5% on 2024.
Beyond administrative sanctions (which may reach 4% of global annual turnover under the GDPR and up to 7% under the AI Act [11]), reputational considerations have become a matter of sovereignty in their own right. For companies in technology, cybersecurity and defence, industrial credibility—particularly with governmental clients—is now directly tied to the robustness of their cybersecurity posture and resilience programmes.
[11] Articles 83 GDPR and 99 AI Act; the higher ceiling applies depending on the nature of the breach.
Criminal liability of both corporate entities and executives is also engaged. This liability arises from acts committed by a corporate body or representative, including delegated authority holders. A significant increase in government investigations is expected, potentially leading to numerous criminal proceedings. In the United States, the lifting of the corporate veil is explicit: the Yates Memo (2015), Monaco Memo (2022) and the Blanche Memorandum of 12 May 2025 have made individual prosecutions a priority for the Department of Justice (“DOJ”). Recent convictions of senior technical executives, such as Uber’s former Chief Security Officer in October 2022, confirm that technical roles no longer shield individuals from liability. These issues are increasingly central to cross-border investigations.
II. From risk to strategy: building a cyber resilience architecture
Geoffrey Hinton compared the current pace of technological change in April 2026 to “a car without a steering wheel or brakes” [12]. This pace structurally exceeds the capacity of legal frameworks to keep up. This gap is fundamental: companies can no longer rely on reactive compliance. They must integrate cybersecurity and AI into their governance architecture proactively.
[12] UN News, “Time to apply the brakes to runaway AI, says pioneer”, 22 April 2026.
A continuously evolving risk mapping
The starting point is identifying critical assets (data, systems, infrastructure) and precisely locating associated risks: where is data hosted? Who accesses it, and from which jurisdiction? What technological dependencies shape the supply chain? This exercise is not a one-off audit but a strategic management tool, continuously updated to reflect changes in technology and regulation.
CNIL now recommends that data protection officers play this operational role; according to a 2025 CNIL/AFCDP study, 60% of DPOs are already involved in AI projects [13].
[13] CNIL, Rapport annuel 2025: survey conducted with the Délégation générale à l'emploi et à la formation professionnelle of the Ministry of Labour and Solidarity and the AFCDP on the evolution of the DPO role in the age of AI.
The vertical axis: from the CISO to the board
Key trade-offs—cyber budget versus growth, compliance versus innovation, sovereignty versus internationalisation—can no longer be handled at departmental level. They require structured reporting from the CISO to the executive committee and the board. The September 2024 update of the DOJ’s Evaluation of Corporate Compliance Programs, which now includes specific requirements on AI governance, provides guidance: effectiveness, not just formal compliance, is the decisive criterion for regulators [14].
[14] Department of Justice, Evaluation of Corporate Compliance Programs, Criminal Division, September 2024 update, incorporating specific requirements on the governance of AI systems.
A shared language is essential. Technical risk is often unintelligible at board level; framed in operational, financial and reputational terms, it becomes actionable. This translation remains a structural weakness in many fast-growing tech organisations.
This vertical axis must also be supported by structured board training. Tabletop exercises—simulated major cyber incidents—enable directors to understand crisis dynamics, their personal (including criminal) liability exposure, and the reputational consequences for the company.
The horizontal axis: the human factor
Operational experience confirms a simple reality: most vulnerabilities stem from human factors—shared passwords, successful phishing or poorly managed subcontractors. CNIL observed that approximately 80% of major breaches in 2024 involved accounts protected only by passwords [15].
[15] CNIL, recommendations on the security of large databases, spring 2025; see also CNIL’s recommendation on multi-factor authentication.
This vulnerability is amplified by increasingly sophisticated “AI-enabled” attacks, allowing social engineering techniques to be scaled and made more credible. Phishing is gradually being replaced by direct “vishing”: attackers use publicly available information to identify targets and contact them by phone, impersonating internal services (often IT support) to induce remote access or credential disclosure.
In practice, resilience is measured by how quickly an organisation can move from detection to coordinated response—especially when attacks disrupt defences within minutes, while their full impact may take months to emerge.
Purely normative approaches (security policies, IT charters) are insufficient. They must be complemented by operational training tailored to business realities, realistic simulation exercises, and clearly defined ecosystems of crisis partners (cyber insurers, forensic experts, international legal advisers).
These partners should be integrated upstream, not only engaged during crises. Early involvement improves incident response and strengthens detection and prevention systems, with each incident serving as structured feedback to enhance future capabilities.
Conclusion: a paradigm shift
The current moment marks a profound shift. Technology, cybersecurity and defence companies are no longer merely economic actors: they are now instruments and objects of national sovereignty. Rapid technological evolution is accompanied by stronger regulatory requirements and increased personal liability for executives. Cyber risk is no longer merely technical—it is simultaneously legal, financial, reputational and strategic. This is even more true given the intrinsic interdependence of cyber risk and AI risk, which can no longer be addressed separately at technical, legal or strategic levels.
Three priorities emerge for executives. First, understand the interdependence of regulatory frameworks rather than viewing them in silos: a cyber incident immediately engages GDPR, NIS 2, the AI Act, the Cybersecurity Act, and potentially national security and criminal law. Second, anticipate crisis scenarios by developing cooperation frameworks with authorities (French, European and sometimes US) and defining privilege structures between internal and external counsel. Third, build balanced governance between the vertical axis (CISO/executive committee/board) and the horizontal axis (training, exercises, trusted partners), forming a true resilience architecture that is continuously strengthened through experience and remediation.
None of these challenges is purely technical. None is purely legal. All require cross-disciplinary expertise combining business criminal law, digital law, international trade law and corporate strategy. This, in our view, is the future of legal practice.
Many thanks to our legal intern, Adrien Viala, for his contribution to this article.