To the point: AI fine-tuning can inadvertently make you a GPAI provider — review your pilot projects. Ghost CMS patches must go live within 5 business days. Cybersecurity belongs in every executive board meeting from October onwards, not just during incidents.
Three burning issues for IT leadership: The EU agreement on Artificial Intelligence sharpens the provider-deployer distinction, a critical SQL injection in Ghost CMS threatens hundreds of installations, and the new NIS2 Directive now anchors cybersecurity directly at executive management level.
1. AI Omnibus: New definitions demand a stock-taking
The EU agreement of 7 May 2026 has redefined Artificial Intelligence in terms of General Purpose AI (GPAI) and reframed the roles of providers and deployers. For internal AI initiatives, this has clear consequences: anyone who fine-tunes an open-source model with their own data and then deploys it in production may themselves become a GPAI provider — with all associated documentation and transparency obligations.
Architecture decision: Audit your ongoing AI projects (chatbot, internal document management, AI assistants for code development) under this lens. Who is the provider in the contract, who is the deployer? A 30-minute legal review can save you two development quarters of migration.
2. Ghost CMS CVE-2026-26980: Patch speed becomes compliance obligation
The ClickFix campaign has infected over 700 Ghost CMS installations through a critical SQL injection at the database level. Universities, publishers and SaaS providers are affected. Patches are available — but many operators have not yet deployed them.
Architecture decision: Measure how long it takes in your organization from “patch is available” to live rollout. Once NIS2 takes effect, a timeline of more than five business days is a compliance risk. Create an automated patch validation pipeline this week — that is the minimum meaningful investment.
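The measurement this item asks for, as an added example that is not part of the newsletter: it computes the business-day lag between an advisory and each host's rollout of the fix and flags everything over the five-day line. The advisory date, the patched version string and the host inventory are constructed placeholders, not the real CVE-2026-26980 details.

```python
from datetime import date, timedelta

# Constructed placeholders (hypothetical; not the real advisory data).
ADVISORY_PUBLISHED = date(2026, 5, 8)   # a Friday, so the weekend is skipped
PATCHED_VERSION = "6.0.0"               # placeholder for the first fixed release
SLA_BUSINESS_DAYS = 5                   # the five-business-day line from the text

# Constructed host inventory: running version and date the fix went live.
HOSTS = [
    {"host": "cms-01.example.org", "version": "6.0.0", "deployed": date(2026, 5, 12)},
    {"host": "cms-02.example.org", "version": "5.9.3", "deployed": None},
    {"host": "cms-03.example.org", "version": "6.0.0", "deployed": date(2026, 5, 20)},
]


def business_days_between(start, end):
    """Count Mon-Fri days after `start` up to and including `end`."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def parse_version(v):
    """Turn '6.0.0' into (6, 0, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def patch_lag_report(hosts, advisory_date, patched_version, today, sla=SLA_BUSINESS_DAYS):
    """Classify each host as ok, late (patched after the SLA) or unpatched.

    For unpatched hosts the lag keeps growing: it is measured up to `today`.
    """
    report = []
    for h in hosts:
        patched = parse_version(h["version"]) >= parse_version(patched_version)
        end = h["deployed"] if patched and h["deployed"] else today
        lag = business_days_between(advisory_date, end)
        if not patched:
            status = "unpatched"
        else:
            status = "ok" if lag <= sla else "late"
        report.append({"host": h["host"], "lag_business_days": lag, "status": status})
    return report


if __name__ == "__main__":
    for row in patch_lag_report(HOSTS, ADVISORY_PUBLISHED, PATCHED_VERSION, date(2026, 5, 22)):
        print(f"{row['host']:22} {row['lag_business_days']:3d} business days  {row['status']}")
```

Feed it the real advisory date and your own inventory export, and the rows marked late or unpatched are the ones that would count against you under NIS2.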
3. Verena Becker: Executive management becomes cybersecurity driver
The Austrian cybersecurity expert from the WKÖ has recently clarified: the NISG 2026 anchors cybersecurity directly at executive management level. This means mandatory training, active resource allocation and regular reporting. For you as Chief of IT, this fundamentally changes your reporting line — you no longer escalate to the board only in crises, but the board must now steer proactively.
Architecture decision: When is your next executive board meeting with a fixed cybersecurity agenda item scheduled? If the answer is “only during acute incidents,” that will not be sufficient from October onwards. Establish quarterly cybersecurity reporting now — even if no one is asking for it yet. This is your easiest preparation for the new legal situation.