Cybersecurity Governance and Compliance: Manage Your IT and AI Risks

Cybersecurity governance and compliance refer to the set of processes that enable a company to understand what is in its information system, manage its risks, and demonstrate compliance with applicable regulations. Without this framework, a company cannot proactively manage its cybersecurity; it merely reacts to incidents after they occur. Faced with cybersecurity challenges and new applications of AI, many companies feel overwhelmed. For a long time, compliance was a concern primarily for large corporations. That is no longer the case. NIS2, GDPR, DORA, and the AI Act: these regulations now apply to small and medium-sized enterprises (SMEs) as well as mid-sized companies, with specific documentation requirements and real penalties for noncompliance.

GDPR, NIS2, AI Act: What Your Company Actually Risks

Several regulatory documents are now redefining companies’ obligations regarding cybersecurity governance.

The GDPR has been in effect since 2018. The CNIL imposes penalties. Personal data breaches must be documented and reported within strict timeframes.

The NIS2 Directive has not yet been transposed into French law, but in March 2026, ANSSI published the ReCyF framework, which already defines the technical requirements applicable to critical and important entities. ANSSI explicitly encourages companies not to wait for the law to be enacted before beginning their work.

Companies that adopt the ReCyF framework today will have documentable compliance in place as soon as the law is enacted. Those that wait will have to build it under pressure, with no grace period.

The AI Act will be phased in starting August 2, 2026, for high-risk AI systems: a registry of uses, designation of a responsible person, and mandatory compliance documentation. Fines can reach up to 30 million euros or 6% of global revenue (EU Regulation 2024/1689).

According to the French Court of Auditors, the average cost of a cyberattack ranges from 5 to 10 percent of a company’s annual revenue, regardless of its size or industry.

Shadow AI: A Risk Few Companies Have Anticipated

Artificial intelligence is transforming business practices and improving productivity. At the same time, many employees are using AI tools without approval from the IT department or cybersecurity teams: text-generation tools for drafting contracts, machine translation of confidential documents, and code generation for internal projects.

“Shadow AI” refers to the use of artificial intelligence tools by employees without oversight from the IT department. It exposes sensitive data to uncontrolled third parties, in direct violation of the GDPR and the AI Act. It is invisible, undocumented, and potentially subject to penalties.

The result for most companies: compliance that is claimed but cannot be proven, and blind spots in the information system that neither a one-time audit nor a statement of intent can address.

The Elit-Technologies solution combines data governance and cybersecurity strategy to secure these new use cases.

The AI Act takes effect on August 2, 2026

Talk to an Elit-Technologies expert to strengthen your IT governance, compliance, and control over your AI usage.

Monitoring and Compliance Without Dedicated IT Resources

Most small and medium-sized businesses find themselves in the same situation: they know they need to take action on cybersecurity and compliance, but without an in-house CISO, a clearly defined budget, or visibility into what is actually at risk, decisions are made by default.

What an SME needs to do to comply is not out of reach. What’s missing is a service provider that can do it for them, over the long term, at a predictable cost.

The Elit-Cyber division handles information system monitoring, incident detection and response, and basic regulatory support. Fixed-price rates, with no per-incident billing, and a dedicated cybersecurity expert who can be reached directly.

What this specifically covers:

  • 24-hour monitoring: 24/7, 365 days a year, provided by our ISO 27001-certified SOC
  • Immutable backups: included in all of our packages
  • GDPR compliance documentation: produced by our team, without you having to manage it

Gain visibility into your IT infrastructure and AI usage with ECP and ELiA

A mid-sized company with an IT department or a Chief Information Security Officer (CISO) is aware of its obligations. The problem isn’t a lack of knowledge; it’s the ability to produce evidence, keep documentation up to date, and maintain complete visibility into an information system that is constantly changing.

Assets at the end of their support lifecycle that go undetected. Unused licenses. AI tools used by teams without approval. Unresolved incidents piling up. Without centralization, the CIO spends more time searching for information than making decisions.

Our governance and risk management solution is based on the ECP (Elit Customer Platform). This platform centralizes the management of IT assets, licenses, contracts, and tickets, as well as monitoring, within a single environment.

At the heart of this platform is ELiA, the sovereign artificial intelligence developed by Elit-Technologies. It enables CIOs and CISOs to quickly access strategic information through an intuitive conversational interface.

ELiA identifies, in real time, end-of-support assets, unused licenses, unresolved incidents, and AI tools used without IT department approval. It assesses the risk level of each use case and maps your Shadow AI.

You’ll make strategic decisions faster, improve information security, and anticipate risks before they become critical. All of this is managed by our team in France, around the clock.

For details on how ECP and ELiA work, please visit our dedicated pages.

What sets Elit-Technologies apart in cybersecurity governance and compliance?

Elit-Technologies combines the platform, monitoring, and the operational team into a single contract. Since 2007, we have been supporting small and medium-sized businesses and mid-market companies throughout the entire lifecycle: design, deployment, ongoing monitoring, and compliance documentation.

Our services are based on:

  • A SOC (Security Operations Center): ISO 27001-certified, operational 24 hours a day, 7 days a week, 365 days a year
  • A NOC (Network Operations Center): ensures the availability and performance of IT services
  • A CSIRT (Computer Security Incident Response Team): ensures that immediate security measures are implemented in the event of an incident
  • An international support center: supports companies in their IT governance

Elit-Technologies holds the ExpertCyber certification, awarded by cybermalveillance.gouv.fr. Our SOC is operated in France: your data never leaves the country. Your contact person can be reached directly.

Our approach is pragmatic, tailored to the needs of each organization, and driven by a dedicated team.

Frequently Asked Questions

Does NIS2 apply to my company?

Probably yes, if you operate in a sector considered essential or important: energy, transportation, healthcare, food, digital infrastructure, financial services, among others. The NIS2 Directive has not yet been transposed into French law, but the ReCyF framework published by ANSSI in March 2026 already defines the applicable requirements.

ANSSI explicitly encourages companies not to wait for the law to be enacted. If you are unsure whether you fall within the scope of the law, a 30-minute consultation with an Elit-Technologies expert is all it takes to determine this.

Yes, the risk is real. Copying personal data (customer contact information, HR data, contractual information) into an AI tool that has not been approved by the IT department may constitute a violation of the GDPR. The CNIL has already penalized companies for transferring data to unregulated third-party services.

This risk is amplified if data is transferred to servers outside the European Union, which is the default setting for most consumer AI tools. Documenting and regulating these uses is the first step toward reducing this exposure.

Setting up a competent in-house SOC requires several certified analysts who are available on a rotating schedule 24 hours a day. For an SME or mid-sized company, this is rarely feasible from an economic or staffing standpoint. A managed SOC delegates this monitoring to a specialized service provider. Elit-Technologies’ SOC is ISO 27001-certified, operated in France, and staffed by an expert who can be reached directly. Incident management is included at no additional charge per incident.

The ReCyF framework published by ANSSI defines the requirements that are now in effect: a formalized security policy, documented incident management, and the ability to report incidents. Without an in-house IT department, these obligations may seem difficult to meet. The Elit-Cyber division provides basic regulatory support and produces the necessary documentation. Your teams don’t have to deal with the technical complexity.

Would you like to learn more about a specific topic? Check out our dedicated pages.

  • Cybersecurity Governance
  • GDPR Compliance and Cybersecurity
  • Cybersecurity Regulatory Framework
Contact our cybersecurity experts today
Request a quote: We’ll assess your environment and recommend security solutions tailored to your business’s specific needs.