it-sa 2025: AI Governance for SMEs – Insights and Recommendations

- Digital sovereignty is becoming a mandatory criterion: Made in Europe outperforms global providers – customers demand control over their data.
- Without AI governance, innovation becomes a liability risk: Lack of rules for AI deployment leads to data protection violations and compliance issues.
- SMEs need pragmatism, not perfection: "How do we achieve compliance without slowing down?" – SMEs are looking for implementable solutions.
- AI security is a top management priority – not just an IT issue: From Legal to HR: All departments must be integrated into the security strategy.
- NIS2 and AI risks go hand in hand: AI systems are critical infrastructure – risk management must necessarily include AI.
When it feels like half of Germany wants to talk about NIS2
Nuremberg, early October 2025. The aisles of it-sa are packed, discussions are intense, and the coffee is strong. Our team was on site, fully engaged – and one thing quickly became clear: the digital transformation has arrived in the SME sector.
What particularly impressed us? Not the grand keynotes or the latest tech gadgets, but the conversations over coffee and currywurst. The honest questions from IT decision-makers, managing directors, and compliance officers, all grappling with the same issue: How do we achieve compliance without slowing us down?
From 50-person companies to established mid-sized businesses – NIS2, AI risks, and digital sovereignty were the hot topics. And that's exactly what we want to discuss in this article.
Digital Sovereignty: The unexpected star of the fair
Alexander Ingelheim, CEO and co-founder of Proliance, summed it up in the interview:
"Every booth that was marked 'Made in Europe' or 'Made in Germany' had twice as many visitors as the others."
This is no coincidence. It's a clear signal of the direction digital security is heading. Companies don't just want to be compliant – they want control over their data, their processes, and their risks. And they want partners who understand that.
What's particularly interesting: The issue no longer affects only the "usual suspects" from the IT or financial sectors. We've spoken with companies from healthcare, manufacturing, logistics, and retail – and all are asking the same questions:
- How do we protect our critical data from foreign cloud providers?
- What risks does AI truly entail?
- How do we become NIS2 compliant without overwhelming the IT department?
Panel Discussion: "Risk Exposure – What Does AI Really Change?"
On the second day of the fair, Florian Müller, Head of Product & Technology at Proliance, took the stage alongside Martin J. Kraemer (KnowBe4) and Dominic Haussmann (Cloudflare). The topic: "Risk Exposure: What Does AI Really Change?"
The key takeaway upfront: AI is both friend AND foe. It helps with threat detection, automating security processes, and analyzing vast amounts of data. At the same time, tools like FraudGPT create new attack vectors, and the increasing number of hacks targeting ChatGPT, Gemini & Co. shows that AI systems are themselves vulnerable.
The three most important insights from the panel:
1. Governance determines success or failure
Many companies deploy AI without defining clear rules: Who is allowed to do what? Which data may be processed? How are AI decisions documented? Without a solid AI governance structure, innovation quickly turns into a liability risk.
2. SMEs need pragmatic solutions
Most SMEs lack both the resources and the expertise to develop complex AI security concepts themselves. What matters: Practical answers instead of complicated theory. Companies want to know: What exactly do I need to do? Which measures are truly necessary?
3. AI security is not an IT issue – it's a business issue
From Legal to HR to Operations: AI affects all departments. Therefore, the security strategy must also be cross-departmental. Information security must be integrated into the company's DNA – not as a burdensome obligation, but as a strategic competitive advantage.
What SMEs need to know now: FAQ on AI Governance and NIS2
What is AI Governance and why is it important?
AI governance encompasses all rules, processes, and controls that govern the use of artificial intelligence within a company. It defines:
- Which AI tools may be used
- How sensitive data is protected
- Who is responsible for AI decisions
- How risks are identified and minimized
Without clear governance, the risk of data breaches, compliance violations, and reputational damage increases significantly.
How are NIS2 and AI Security related?
The NIS2 directive obliges companies in critical sectors to implement comprehensive cybersecurity measures. AI systems must be particularly protected because they:
- Often work with sensitive or personal data
- Create new attack surfaces (e.g., through prompt injection)
- Can cripple critical business processes in case of failure
NIS2 specifically requires: Risk management, incident response, supply chain security, and regular security audits – all areas where AI plays a central role.
What are the biggest AI risks for SMEs?
- Data Breaches: AI tools often unintentionally process personal or confidential data
- Shadow AI: Employees use AI tools without the IT department's knowledge
- Third-Party Dependency: External AI services can have security vulnerabilities or experience outages
- Lack of Explainability: "Black box" decisions cannot be explained or audited
- AI-Powered Attacks: Criminals use AI for phishing, deepfakes, or automated cyberattacks
Practical Recommendations: 5 Steps to Secure AI Governance
1. Inventory: Which AI tools are being used?
Systematically record which AI applications are in use in your company – including those used privately by employees. Create an AI inventory with information on providers, data flow, and protection requirements.
2. Perform a risk analysis
For each AI tool, assess:
- What data is processed?
- Where is the data located (server location)?
- How high is the risk in case of an outage or data breach?
- Are there alternatives with better security?
3. Establish clear usage policies
Define mandatory rules:
- Which AI tools are permitted, and which are prohibited?
- What data must NOT be entered into AI systems?
- How are AI decisions documented?
- Who is responsible?
4. Train employees
Raise your team's awareness of AI risks through:
- Regular awareness training
- Practical examples (e.g., AI-powered phishing)
- Clear Dos and Don'ts for daily work
5. Leverage External Expertise
SMEs often lack the resources for their own AI security experts. Seek professional support – whether through external data protection officers, information security consultants, or specialized platforms.
Our Takeaway from it-sa 2025
it-sa 2025 demonstrated: Information security has become a priority for SMEs. Not as a theoretical concept, but as an urgent, practical challenge.
Companies are not looking for the perfect solution – they are looking for a solution that works. A solution that doesn't slow them down, but empowers them. A solution that provides security without overwhelming them.
That's precisely why we developed Proliance 360 InfoSec: A central platform for SMEs that makes information security tangible – even without deep internal expertise. From NIS2 and ISO 27001 to AI governance: Everything from a single source, combined with the expertise of certified consultants.
Because ultimately, it's not about ticking off compliance boxes. It's about future-proofing your business – in a world where AI, cyber risks, and regulatory requirements are rapidly increasing.
Do you have further questions on this topic? Our experts will be happy to advise you free of charge.