Shadow AI in the workplace

The NIS2 Directive (EU 2022/2555) had to be transposed into national law by 17 October 2024. Deadlines and details vary by EU member state, so always check the national law applicable to your organisation. Germany completed transposition with the NIS2 Implementation Act (NIS2UmsuCG), in force since 6 December 2025. The examples below refer to the German implementation.The key point: there is no general transition period. The obligations apply since the law took effect.---

Patient data is among the most sensitive personal data that exists, and among the most regulated. EU healthcare organizations face overlapping obligations: the GDPR's special category data rules, national retention requirements that can span decades, and NIS2 cybersecurity obligations for hospitals classified as essential entities. Getting the archiving architecture wrong carries both regulatory and clinical consequences.This guide is for IT managers and data protection officers in hospitals and healthcare organizations who need a clear, practical picture of the legal framework, the technical requirements, and the architecture decisions that determine long-term compliance.---

Immutable storage preserves the bits. It does not guarantee that anyone can render those bits correctly in 2046. That is the job of the file format, and for documents under long retention periods, the answer across the EU is PDF/A.Audit-proof archiving requires reproducibility: records must remain readable and correctly rendered throughout the retention period, which for business records commonly means 6 to 10 years and for some healthcare records up to 30 years. A proprietary format from software that no longer exists fails this requirement, no matter how well the storage protected it.---

Most archiving projects do not fail on exotic details. They fail on the same six mistakes, and every one of them surfaces at the worst possible moment: during an audit or after an attack. Here they are, with the fix for each.---

Audit-proof archiving is not a product you buy; it is a set of properties your archive must demonstrably have. The following ten criteria condense what auditors, tax authorities, and regulators across the EU check in practice. For each criterion: the verification question to ask yourself, and the implementation note.---

Two legal obligations appear to collide. Retention law says: keep business records, unaltered, for years. The GDPR says: erase personal data when it is no longer needed (Art. 17). Companies that archive invoices, contracts, and correspondence hold personal data in both categories at once. So which rule wins, and how do you build an archive that satisfies both?---

A common misconception: "We use WORM storage, so we have audit-proof archiving." That is incorrect. Immutability is a necessary but not sufficient condition for audit-proof archiving.**Immutability** is the technical property that data cannot be deleted or altered after writing.**Audit-proof archiving** is the business and legal guarantee that an auditor or regulator can find, read, verify, and understand the data throughout the retention period.The distinction is critical, and it costs companies real money when they discover it during an audit.---

An audit-proof archiving system requires two components: a DMS for capture, metadata, workflow and search, and a WORM hardware archive for immutability and long-term storage.---

Both are marketed as "immutable storage." Both promise that data cannot be changed after writing. But the two approaches enforce that promise at very different levels, and the difference decides whether your archive survives an attacker with admin rights, or an audit ten years from now.---

Which WORM technology is right for your archive? The answer depends on data volume, access patterns, and the level of assurance your auditors and regulators expect. Here is the comparison.---

WORM stands for Write Once, Read Many: a storage principle that makes data immutable after it is written.This is the technical answer to the integrity requirements in EU and national regulation: GDPR Art. 5(1)(f) demands integrity of personal data, MiFID II requires tamper-proof records in financial services, and national bookkeeping rules (in Germany, for example, the GoBD standard for digital bookkeeping) require immutability of accounting records, typically implemented with WORM storage plus process documentation.---

A common strategy is: "We have online backups (Tier 1) and cloud copies (Tier 4). That is enough." This is a critical mistake that sets you up to fail against ransomware attacks.Why? Because both Tier 1 and Tier 4 are network-connected. An attacker with sufficient access can compromise both.Tier 2 (air gap) is the only layer protected by physical isolation.---