The next incident is sure to come: What integrated IT and AI governance must deliver

Four Brandenburg municipalities – Hoppegarten, Hohen Neuendorf, Lübben and the Falkenberg-Höhe office – are currently affected by cyberattacks. Administrative processes come to a standstill, communication fails, emergency operation becomes reality. In September 2025, Berlin Brandenburg Airport (BER) saw noticeable disruptions to check-in, boarding and baggage handling because an external IT/system provider had been hit by a ransomware attack. Passenger data had to be processed manually in some cases, resulting in waiting times and delays. This is exactly where a recent article by Scherer/Pothorn comes in: IT and AI governance is not a technology issue "for IT", but a management and compliance task – integrated, verifiable and effective in operation.

Standards are helpful – but not the standard of liability

A central point of the text: There is no general obligation to operate IT governance strictly "according to ISO". At the same time, forgoing such an approach may constitute a breach of duty in risk management, compliance and internal control, because courts and legislators expect an effective and appropriately designed organization. Conversely, implemented compliance or internal control systems have an exculpatory effect in case law. The core message behind this is uncomfortable, but practical: In the end, it is not the "right" certificate that decides whether something was done "right", but the last instance – the judiciary.

The pressure increases: NIS2, DORA, AI Regulation – and "state of the art"

The article clearly locates IT/AI governance in the area of tension between the cyber threat situation and regulatory density. It particularly emphasizes that obligations result not only from laws, but also from the "recognized rules of technology" and the "state of the art". For regulated organizations (e.g., critical infrastructures or NIS2- or DORA-relevant companies), governance practically becomes an operating license: risks for network and information systems must be controlled, and measures must be designed proportionately and explicitly aligned with the state of the art.

Connecting Islands: Why "Integrated" Is More Than an Organizational Chart

Scherer and Pothorn argue against the widespread practice of operating separate "island systems": ISMS here, BCM there, an AI project somewhere within a department. Instead, they propose an integrated framework – with governance as the overarching structure and compliance as the foundation. In practical terms, this means that ISO 37000 (Governance), ISO/IEC 38500 (IT Governance), ISO/IEC 42001 (AI Management), ISO/IEC 27001 (ISMS), ISO 22301 (BCMS) and ISO 37301 (CMS) are not viewed as competing standards, but rather as building blocks of one comprehensive model.

Legal register: Compliance that is not only "collected", but operated

A particularly operational proposal is the process-related, risk-assessed legal register: requirements should be identified, translated, incorporated into processes and kept up to date – ideally tool-supported and audit-proof. What matters here is the breadth of these obligations: IT and AI compliance is more than just NIS2 and the AI Regulation. Conflicts between data protection, copyright, intellectual property rights, product compliance and AI requirements can undermine legally compliant AI deployment – even if "security" appears to be in order.

Three Lines of Defense – and the blind spot "IT"

The text emphasizes that Three Lines of Defense structures (internal control system, risk and compliance management, internal audit) must encompass IT and AI governance, regardless of whether a standard explicitly mentions it. This is more than theory: outsourcing, cloud computing, supply chains and service providers shift risks externally – but responsibility remains internal. Accordingly, the article calls for clear delegation, monitoring, documentation and control mechanisms, including for outsourced services.

"Tone from the Top": Governance is Culture

The authors place an unusually high emphasis on leadership: Without exemplary conduct from management, supervisory boards and executives, every system remains a paper tiger. "Being lived" is the key, especially for IT and AI rules, which in everyday practice are quickly perceived as "too slow". This ties in with the second leadership aspect: The organization needs a consciously defined strategy (e.g., "state of the art", "best in class", risk-averse/risk-taking) so that employees have direction – and decisions are made not just situationally, but transparently.

Conclusion: The next incident is coming – the question is whether it will "just" remain an incident

The text does not advocate more documentation, but rather an integrated system that brings together obligations, standards, processes, roles and controls – including legal registers, audit requirements and operational implementation. And it hits a nerve: when municipalities or companies need weeks to resume operations after an attack, it is rarely a purely technical problem. Most often, it is a governance issue – one that was decided long before the incident.

Download full article
