The IT department is no longer a printer-support service.

It is the nervous system of the company’s legal, manufacturing and cybersecurity responsibility.

GDPR says: protect personal data.

NIS2 says: manage cyber risks, incidents, suppliers and management accountability.

Regulation (EU) 2023/1230 on machinery indirectly opens the question of software, digital safety components and machine resilience.

And on top of that come the AI Act, automation, sensors, cameras, robots, production lines, cloud platforms and remote access.

The question is:

Who manages all of this inside the company as one system?

The usual reality

In practice, it often looks like this:

  • Legal handles GDPR.
  • IT handles firewalls, backups and MFA.
  • Production handles machines.
  • Maintenance handles failures.
  • Health and safety handles workplace safety.
  • Management handles costs.
  • The supplier handles “their device”.

And everyone assumes that the other part belongs to someone else.

But a modern machine is no longer just a mechanical device.

It is a combination of hardware, software, networks, accounts, logs, sensors, data, remote access and supplier support.

That changes the risk model completely.

Where the boundaries disappear

When an external technician connects to a production line over VPN, is that still maintenance, or is it already cybersecurity?

When a camera on a machine records a worker, is that still the production process, or is it already GDPR?

When new software is uploaded to a PLC or HMI, is that still service, or is it change management and a security risk?

When a machine stops working because of ransomware, is it an IT incident, a production incident, a safety incident or a business-continuity problem?

The uncomfortable answer is:

It is all of them at the same time.

Separate documents are not enough

That is why it is no longer enough for an organization to have a GDPR policy in one place, an IT security policy in another, a separate machine inventory and an Excel file with suppliers somewhere else.

The company needs a management framework that connects:

  • assets,
  • risks,
  • access rights,
  • suppliers,
  • incidents,
  • documentation,
  • technologies,
  • responsibilities,
  • logging,
  • audit trails,
  • business continuity.

This is no longer only compliance.

It is the organization’s ability to survive in an environment where law, technology and operations have merged into one risk space.

The better question

Maybe it is time to stop asking only:

Which regulation do we need to comply with?

And start asking:

Which information, systems, machines and processes must we be able to manage, protect and prove?

That is a much stronger question.

It forces the company to look beyond isolated policies and think about the real operating model.

Who owns the asset?

Who approves access?

Who reviews supplier risk?

Who knows what software is running?

Who can prove what changed, when and why?

Who coordinates response when the problem is legal, technical and operational at the same time?

Proof matters

The future of corporate security will not belong to the organization with the nicest policy document.

It will belong to the organization that can prove its rules actually work.

That means evidence.

It means ownership.

It means repeatable processes.

It means connecting IT, legal, production, safety, management and suppliers into one governed system.

Because in a modern company, cyber risk does not stay inside the IT department.

It moves through machines, data, people, vendors, software and decisions.

And if nobody manages that as one system, the organization may have many policies — but very little control.