NIS2 audit readiness for AI: the 7 documents an auditor asks for
NIS2 does not ask for a standalone AI policy. It asks that your AI system sits inside seven documents you already produce. Here is the list, with a mapping table.
Archive of aionprem.pl. Newest first.
How to build RAG outside the public cloud: the pipeline layers, the most common retrieval failures, the data boundary inside the prompt, and the questions an auditor will ask. A technical note for architects and CISOs.
ISO 27001 has no concept of "AI," yet an AI vendor touches three of its controls at once: supplier relationships, information classification and flow, and logging. Which to map today – and how they tie into NIS2.
The amended Polish cybersecurity act shifts responsibility for cybersecurity oversight onto the management board personally. What that means for choosing an AI vendor and architecture, and the decision trail you need to be able to show. A mapping of duties, not legal advice.
AI vendor lock-in is rarely one bad decision — it's the sum of reasonable steps across three layers (data, model, integrations). The worst traps sit not in the architecture but in the contract. How to spot them before you sign an MSA.
"On-prem AI" isn't one deployment model but at least three, with different cost, risk, and team-load profiles. We break them down so CISOs and CIOs know which conversation they're really having before the RFP.
How many GPUs does it really take to run Llama 3.1 70B in-house? Concrete configs (A100, H100, H200), the impact of quantization (FP16 → FP8 → INT4), tokens/s, TTFT, and cost per 1M tokens. No marketing — numbers from vLLM and TensorRT-LLM benchmarks.
Bare-metal in your own server room, colocation with dedicated hardware, or a vendor's managed appliance. Three on-prem AI deployment models for European manufacturing in 2026: CAPEX and OPEX numbers, NIS2 risk profiles, when each makes sense — and when to skip on-prem entirely.
A technical note: one NIS2 article, one scenario. Does a ChatGPT Enterprise or Claude contract meet Article 21(1)(d)? Three areas where a standard public-cloud LLM relationship starts to drift from supply-chain compliance.
Architecture, GPU sizing, security, integrations, TCO, build vs buy. A practical guide to deploying on-prem AI for CISOs and CIOs in European manufacturing in 2026.