<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Blog on Datargo</title><link>https://datargo.com/en/blog/</link><description>Recent content in Blog on Datargo</description><generator>Hugo</generator><language>en-US</language><lastBuildDate>Tue, 23 Jun 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://datargo.com/en/blog/index.xml" rel="self" type="application/rss+xml"/><item><title>APIs as Part of the Supply Chain: Why Interface Security Becomes a Matter of Evidence</title><link>https://datargo.com/en/blog/api-security-supply-chain/</link><pubDate>Tue, 23 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/api-security-supply-chain/</guid><description>&lt;p&gt;Software is rarely a monolith today. Modules, partner services and tenants talk to each other through interfaces, and these APIs are the quiet connectors of the supply chain. NIS2 explicitly requires supply chain security as part of the risk picture. That moves a question long treated as purely technical to the foreground: how secure, and how auditable, are your own interfaces?&lt;/p&gt;
&lt;h2 id="the-interface-is-the-attack-surface"&gt;The interface is the attack surface&lt;/h2&gt;
&lt;p&gt;The most common API weaknesses are not exotic exploits but authorization flaws. In the OWASP API Security Top 10, Broken Object Level Authorization sits in first place: an API hands out data without properly checking whether the requesting account is allowed to see it at all. A changed object ID in the request is then enough to retrieve someone else&amp;rsquo;s records. Three control points decide robustness in practice:&lt;/p&gt;</description></item><item><title>Passkeys in the Enterprise: Phishing-Resistant Sign-In Beyond Passwords and OTPs</title><link>https://datargo.com/en/blog/passkeys-enterprise/</link><pubDate>Tue, 23 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/passkeys-enterprise/</guid><description>&lt;p&gt;Phishing remains the most reliable way into corporate networks, and most second factors do little to change that. A password plus an SMS code, TOTP app or push approval counts as multi-factor authentication, yet at its core it is attackable: lure the user onto a fake page and the second factor can be captured in real time too. FIDO2 passkeys address exactly this point.&lt;/p&gt;
&lt;h2 id="why-classic-mfa-stays-phishable"&gt;Why classic MFA stays phishable&lt;/h2&gt;
&lt;p&gt;The problem is not the number of factors but their transferability. A one-time code is a shared secret: it works wherever it is entered, including on the phishing page. What is missing is a binding to the genuine counterparty. That binding is precisely what WebAuthn, the standard behind passkeys, provides.&lt;/p&gt;</description></item><item><title>The EU Data Act and the End of Switching Fees: Cloud Switching Becomes Mandatory</title><link>https://datargo.com/en/blog/data-act-cloud-switching/</link><pubDate>Tue, 23 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/data-act-cloud-switching/</guid><description>&lt;p&gt;Vendor lock-in was long a commercial lever: anyone wanting to leave paid for the exit, fought proprietary formats and lost weeks to migration work. The EU Data Act (Regulation (EU) 2023/2854) reverses that logic. The regulation has applied since 12 September 2025, and its Chapter VI turns switching cloud providers into an enforceable customer right.&lt;/p&gt;
&lt;h2 id="what-has-applied-since-september-2025"&gt;What has applied since September 2025&lt;/h2&gt;
&lt;p&gt;Providers of data processing services (IaaS, PaaS, SaaS) must remove every obstacle that makes switching harder: pre-commercial, commercial, technical, contractual and organisational barriers alike. In practice this means a maximum notice period of two months, a 30-day transition window for the actual move (extendable to up to seven months where technically unfeasible) and the right to take data and digital assets along. For new contracts these duties already apply.&lt;/p&gt;</description></item><item><title>When the Chatbot Has to Identify Itself: AI Transparency in Customer Service from August 2026</title><link>https://datargo.com/en/blog/ai-transparency-customer-service/</link><pubDate>Tue, 23 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/ai-transparency-customer-service/</guid><description>&lt;p&gt;Automated first responses, AI-assisted ticket triage, generated reply suggestions: in customer service, AI is already routine. From 2 August 2026 Article 50 of the EU AI Act becomes enforceable, bringing binding transparency obligations for exactly these systems. These duties are distinct from the rules for providers of general-purpose AI models (GPAI): the point here is not the model, but the interaction with people.&lt;/p&gt;
&lt;h2 id="what-article-50-requires"&gt;What Article 50 requires&lt;/h2&gt;
&lt;p&gt;At its core sits a disclosure duty. Providers of AI systems intended for direct interaction with people (such as chatbots) must ensure that the person concerned is aware they are communicating with an AI system. The notice must be given at the latest at the time of the first interaction, unless the use of AI is obvious from the circumstances. On top of that, AI-generated or manipulated content must be marked as such in a machine-readable way, and content of public interest that could appear authentic has to be labelled separately.&lt;/p&gt;</description></item><item><title>47-Day Certificates: The CA/Browser Roadmap to 2029</title><link>https://datargo.com/en/blog/47-day-tls-certificates/</link><pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/47-day-tls-certificates/</guid><description>&lt;p&gt;The debate is settled, and part of the outcome is already operational reality: since 15 March 2026, publicly trusted TLS certificates may be valid for at most &lt;strong&gt;200 days&lt;/strong&gt;, down from 398. That is the first step in a roadmap the CA/Browser Forum adopted in April 2025 with Ballot &lt;strong&gt;SC-081v3&lt;/strong&gt;: unanimously, with 29 votes in favour and none against. At the end of that roadmap sits a maximum lifetime of &lt;strong&gt;47 days&lt;/strong&gt;.&lt;/p&gt;</description></item><item><title>eIDAS 2.0 and the EUDI Wallet: What Relying Parties Must Prepare by the End of 2026</title><link>https://datargo.com/en/blog/eidas-2-eudi-wallet/</link><pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/eidas-2-eudi-wallet/</guid><description>&lt;p&gt;In about six months a deadline expires that many companies still treat as distant regulation: by &lt;strong&gt;24 December 2026&lt;/strong&gt;, all 27 EU member states must provide their citizens and residents with at least one &lt;strong&gt;European Digital Identity Wallet (EUDI Wallet)&lt;/strong&gt;. The legal basis is Regulation (EU) 2024/1183 (&amp;ldquo;eIDAS 2.0&amp;rdquo;), in force since 20 May 2024.&lt;/p&gt;
&lt;p&gt;For most companies the more pressing question is not when the wallet arrives, but when they will have to &lt;strong&gt;accept&lt;/strong&gt; it. And that deadline follows immediately.&lt;/p&gt;</description></item><item><title>The Cyber Resilience Act: What 11 September 2026 Means for Makers of Digital Products</title><link>https://datargo.com/en/blog/cyber-resilience-act-reporting-2026/</link><pubDate>Tue, 09 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/cyber-resilience-act-reporting-2026/</guid><description>&lt;p&gt;In about three months a regulation turns into operational reality. From &lt;strong&gt;11 September 2026&lt;/strong&gt; the first binding obligations of the Cyber Resilience Act (Regulation (EU) 2024/2847) take effect, and they happen to be the ones that demand the most process: reporting actively exploited vulnerabilities and severe security incidents. The remaining product and conformity obligations follow with full application on &lt;strong&gt;11 December 2027&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;Anyone who manufactures, imports or distributes products with digital elements in the EU should therefore treat September not as a distant date, but as the day a working reporting path has to exist.&lt;/p&gt;</description></item><item><title>Data Sovereignty After the Data Privacy Framework: Why EU Hosting Becomes an Architecture Question</title><link>https://datargo.com/en/blog/data-sovereignty-data-privacy-framework/</link><pubDate>Tue, 02 Jun 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/data-sovereignty-data-privacy-framework/</guid><description>&lt;p&gt;Anyone transferring personal data to the United States has relied since 2023 on the adequacy decision for the EU-US Data Privacy Framework (DPF). In September 2025 the General Court of the European Union (EuG) dismissed a challenge against it, leaving the framework a valid legal basis. But the matter is not closed: in late October 2025 an appeal was lodged with the Court of Justice (Case C-703/25 P). Another reversal, a &amp;ldquo;Schrems III&amp;rdquo;, is not ruled out.&lt;/p&gt;</description></item><item><title>The EU AI Act: GPAI Enforcement from 2 August 2026 and What the Digital Omnibus Postponed</title><link>https://datargo.com/en/blog/ai-act-gpai-enforcement-2026/</link><pubDate>Tue, 26 May 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/ai-act-gpai-enforcement-2026/</guid><description>&lt;p&gt;The EU AI Act has been in force since August 2024, but many of its obligations take effect in stages. One date stands out: on &lt;strong&gt;2 August 2026&lt;/strong&gt; active enforcement against providers of general-purpose AI models (GPAI) begins through the EU AI Office, and national sanction regimes take effect in parallel. In Germany the accompanying AI Measures and Innovation Act (KI-MIG) applies. Anyone who uses or provides AI should know the deadline, but also the most recent postponements.&lt;/p&gt;</description></item><item><title>SD-JWT VC and OpenID4VP: The Protocols Behind the EUDI Wallet</title><link>https://datargo.com/en/blog/eudi-wallet-protocols-sdjwt-openid4vp/</link><pubDate>Tue, 12 May 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/eudi-wallet-protocols-sdjwt-openid4vp/</guid><description>&lt;p&gt;Most of the conversation around the EUDI Wallet sits at the political and organisational level: member-state provisioning by the end of 2026, registration duties, acceptance deadlines. But anyone who actually wants to accept the wallet eventually faces a technical question: how exactly do I verify that a presented attribute is genuine, valid and sufficient for my purpose? This article looks at the verification side and the building blocks that come together there.&lt;/p&gt;</description></item><item><title>Archiving Structured E-Invoices the GoBD Way: The Eight-Year Question</title><link>https://datargo.com/en/blog/e-invoice-archiving-gobd/</link><pubDate>Tue, 21 Apr 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/e-invoice-archiving-gobd/</guid><description>&lt;p&gt;The debate around e-invoicing mostly turns on issuing and receiving. The quieter but longer-lived obligation only begins afterwards: retention. A structured invoice is not a document in the classic sense but a data set, and it must remain unalterable and machine-readable for years. Building that into your processes from the start avoids costly rework later.&lt;/p&gt;
&lt;h2 id="what-changed-about-the-retention-period"&gt;What changed about the retention period&lt;/h2&gt;
&lt;p&gt;For a long time, accounting records had to be kept for ten years. Germany&amp;rsquo;s Fourth Bureaucracy Relief Act (BEG IV) shortened this to &lt;strong&gt;eight years&lt;/strong&gt; as of 1 January 2025. The new period applies to all records whose previous ten-year period had not yet expired at that point.&lt;/p&gt;</description></item><item><title>NIS2 in Practice: From Reporting Duty to Defensible Evidence</title><link>https://datargo.com/en/blog/nis2-practice-evidence/</link><pubDate>Tue, 14 Apr 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/nis2-practice-evidence/</guid><description>&lt;p&gt;Since 6 December 2025, NIS2 is law in Germany. The NIS2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) was passed by the Bundestag on 13 November 2025, confirmed by the Bundesrat on 20 November, and entered into force with no transition period. Around 29,500 companies across 18 sectors are in scope. The BSI registration deadline on 6 March 2026 has passed; late registration remains possible and is advisable.&lt;/p&gt;
&lt;p&gt;Many organisations treated the rollout as a registration and documentation task. The harder part begins afterwards: being able to prove, when it counts, what actually happened.&lt;/p&gt;</description></item><item><title>ACME Beyond the Web Server: Certificate Automation for Internal Services and mTLS</title><link>https://datargo.com/en/blog/acme-internal-pki-mtls/</link><pubDate>Tue, 17 Mar 2026 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/acme-internal-pki-mtls/</guid><description>&lt;p&gt;Shortening public TLS lifetimes towards an eventual 47 days has created an awareness that manual renewal no longer scales. What often gets overlooked: inside a company there are usually far more certificates than at the outward-facing edge. Service-to-service communication, mTLS in a service mesh, internal APIs and database connections all live on certificates, and these follow different patterns than the public web.&lt;/p&gt;
&lt;h2 id="why-internal-does-not-mean-simpler"&gt;Why &amp;ldquo;internal&amp;rdquo; does not mean &amp;ldquo;simpler&amp;rdquo;&lt;/h2&gt;
&lt;p&gt;At the public web server the situation is tidy: a handful of domains, a public CA, a clearly defined validation path. Internally the ratio inverts. Here there are often hundreds or thousands of short-lived endpoints that appear and vanish dynamically, for instance when an orchestrator starts new containers. An internal CA issues certificates for them that nobody sees publicly, but which expire just the same, must renew just the same, and take down a service just the same when they fail.&lt;/p&gt;</description></item><item><title>DORA for ICT Providers: Third-Party Risk and Incident Reporting</title><link>https://datargo.com/en/blog/dora-third-party-risk/</link><pubDate>Tue, 09 Dec 2025 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/dora-third-party-risk/</guid><description>&lt;p&gt;DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), has applied to the European financial sector since 17 January 2025. Since 19 November 2025, oversight has become concrete: the European Supervisory Authorities EBA, EIOPA and ESMA published the first official list of 19 ICT third-party providers designated as critical, among them AWS, Google Cloud, Microsoft, Oracle, SAP, IBM and Deutsche Telekom. The list is updated annually.&lt;/p&gt;
&lt;p&gt;The instinctive reaction of many IT providers is: this does not concern me, I am not a bank. That is a fallacy. DORA travels down the supply chain.&lt;/p&gt;</description></item><item><title>Post-Quantum Cryptography: Why the Migration Starts in 2026, Not 2030</title><link>https://datargo.com/en/blog/post-quantum-migration/</link><pubDate>Tue, 16 Sep 2025 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/post-quantum-migration/</guid><description>&lt;p&gt;Since August 2024, the first three post-quantum standards have been final. NIST published FIPS 203 (ML-KEM, derived from Kyber), FIPS 204 (ML-DSA, from Dilithium) and FIPS 205 (SLH-DSA, from SPHINCS+), concluding an eight-year selection process. Many read the headline, see the frequently cited year 2030 and put the topic back on the shelf. That is a misunderstanding: 2030 is a deadline, not a starting gun.&lt;/p&gt;
&lt;h2 id="harvest-now-decrypt-later-makes-it-urgent"&gt;&amp;ldquo;Harvest now, decrypt later&amp;rdquo; makes it urgent&lt;/h2&gt;
&lt;p&gt;The threat does not wait for the first capable quantum computer. Attackers intercept encrypted traffic today and store it to decrypt later. Anything that must stay protected for a long time is therefore already exposed: contracts, health and HR data, long-lived keys, intellectual property, state and trade secrets. For this data, what matters is not when a quantum computer becomes practical, but how long the data must remain secret.&lt;/p&gt;</description></item><item><title>Germany's E-Invoicing Mandate: The 2025 to 2028 Roadmap Without the Myths</title><link>https://datargo.com/en/blog/e-invoicing-mandate-timeline/</link><pubDate>Tue, 11 Feb 2025 00:00:00 +0000</pubDate><guid>https://datargo.com/en/blog/e-invoicing-mandate-timeline/</guid><description>&lt;p&gt;Since 1 January 2025, e-invoicing in German B2B business is no longer optional. The first stage of the new mandate is in force: every domestic company must be able to receive structured electronic invoices. Issuing them electronically is not yet compulsory, but receiving them is. The legal basis is the Growth Opportunities Act (Wachstumschancengesetz), passed by the Bundesrat on 22 March 2024; the details are set out in the Federal Ministry of Finance guidance of 15 October 2024.&lt;/p&gt;</description></item></channel></rss>