SpotON – our blog around digital compliance in enterprises
SpotON – Digital Compliance
Read here regularly on selected topics, developments and news from the areas:
SAM & Cloud – use software legally compliant and cost-effective
IT Security & Threat Intelligence – protect the IT landscape effectively
Data & Digitization – manage digital assets across the lifecycle
Complion Insights – look behind the scenes of digital compliance consultants
11/03/2026
Critical Infrastructure (KRITIS) umbrella law 2026: What operators need to know now
The KRITIS umbrella law (KRITIS-DachG) was passed by the German Bundestag on January 29, 2026, and transposes the EU CER Directive (EU) 2022/2557 on the physical resilience of critical facilities into German law. In terms of content, it is clearly distinct from the "classic" KRITIS requirements for IT security (BSI Act/KRITIS Regulation): The umbrella law primarily addresses physical threats, operational and organizational resilience, not pure cybersecurity.
At the same time, there is a risk of confusion: in practice, operators will have to neatly interlink two strands of regulation in the future (physical/organizational vs. cyber/IT). This article provides an overview, highlights typical obligations, and outlines concrete next steps.
Our company consists of people, and we want to introduce them to you. Today we are talking to Senem Sünger. We find out what COMPLION means to her, what her daily tasks are, and what she does when she is not working on customer projects.
Software suppliers today have a strong negotiating position—whether they are hyperscalers, SaaS providers, or traditional on-premise manufacturers. Contracts and licensing models are often deliberately designed to be complex in order to retain customers in the long term or generate additional revenue.
Cybersecurity in the context of geopolitical changes: From protecting critical infrastructure to tool dependencies
From the perspective of a security analyst, whether cyber or otherwise, the year 2026 began with a bang. The US military's seizure of Venezuelan President Nicolás Maduro shook the world and raised many questions and several causes for concern. It is now confirmed that the US interprets international law in its own way to protect its interests. The possible use of previously unknown cyber capabilities by the US means that this kidnapping case is forcing operators of critical infrastructure in other countries to examine their own resilience.
Software Asset Management – Price Increases in 2025 and Trends for 2026
As part of the Vendor Observer Competence Center (VOCC), we review the latest developments and changes in the software and cloud market on a monthly basis. At the turn of the year, we summarize the key developments in 2025 and look ahead to 2026.
AI is growing up: New requirements for governance, security, and compliance in 2026
The new year marks a decisive turning point in digital enterprise management, with the pure experimentation phase with artificial intelligence giving way to an era of sound governance and operational maturity. While previous years were characterized by hype surrounding generative language models, 2026 will be marked by measurable value creation and the necessary consolidation of technological ecosystems. IT executives are under pressure to master the rapidly growing complexity of their IT landscapes, manage budgets efficiently, and at the same time minimize the security risks posed by accelerated AI adoption.
Many companies need to save money. That's why it's more important than ever to keep a close eye on your own expenses. But how can you efficiently track which costs are necessary and which are not?
Preventing unnecessary expenses early on is the most effective way to save money.
The job description of a software asset manager – for experienced professionals and those who want to become one
In an increasingly digitalized world, where software is not just a tool but a strategic success factor, the job description of a software asset manager is becoming increasingly important. But what exactly does a software asset manager do – and how do you become one? This article is aimed at both industry newcomers and experienced professionals who want to reflect on or further develop their role.
Is the MCA-E the end of the Microsoft Enterprise Agreement (EA)?
The Microsoft Customer Agreement (MCA) is a simplified, digital, and open-ended contract for purchasing Microsoft Online Services.
Microsoft's vision is to gradually replace older and more cumbersome agreements with the MCA. What does this mean for customers?
Cybercrime – a change in trend: are mid-sized companies now in the hackers' crosshairs?
The IT threat landscape has always been an arms race. Anyone who has spent more than five minutes dealing with IT security knows this. It is the reason why threat intelligence products have their raison d'être and why companies have to regularly introduce new tools and processes to avoid falling victim to cyberattacks by hackers.
Resilience instead of stagnation: BCM and emergency management as key factors
Questions such as "Is my company resilient?" and "Can we still operate during a crisis or disaster?" are becoming increasingly important. Additional legal and regulatory requirements, such as NIS2 and DORA, make BCM indispensable. Standards such as ISO 22301 and BSI 200-4 provide guidance on implementing a Business Continuity Management System (BCMS).
In IT in particular, as a unit that mostly supports business processes, the strategic approaches of business continuity management (BCM) and the operational implementation of emergency management are essential.
Since it came into force on January 17, 2025, the DORA Regulation has required financial institutions to report an information register with an overview of all contractual relationships with third-party ICT service providers to the national supervisory authority on an annual basis. Since the creation of this register is mandatory anyway, it is worth using the data strategically for your own risk management. Based on our project experience, we show how valuable insights into dependencies, concentration risks, and cost structures can be gained from this mandatory regulatory data.