NIS2 and AI: Securing electronic document flow with Scriptum.DMS

Integrating Scriptum.DMS with the NIS2 directive and AI enhances data protection and document workflow efficiency, particularly within the public sector.

Escalating cyber threats and tightening regulatory requirements, such as NIS2, are compelling organizations to re-evaluate their approaches to electronic data protection. Electronic document management, fundamental to any enterprise or government institution, becomes a critical vulnerability if not integrated with modern cybersecurity standards and technologies.

This year and in the years ahead, demand for robust electronic data protection is growing. The implementation of new cybersecurity regulations, particularly NIS2, directly impacts business processes and information system architectures. Integrating artificial intelligence (AI) for optimizing and securing electronic document workflows is becoming essential.

Document flow challenges: from legacy platforms to new regulatory demands

Many organizations, especially in the public sector, still rely on outdated electronic document management (EDM) systems or hybrid solutions that do not meet current cybersecurity requirements. Such systems may have limited integration capabilities, lack support for modern encryption standards, or fail to provide adequate access control. This results in an increased risk of data breaches, unauthorized access, and information integrity violations.

Concurrently, in Ukraine, Law No. 2155-VIII serves as the foundational legal framework for qualified electronic signatures (QES) and electronic trust services. This law links the choice of electronic identification methods for state and public information systems to risk assessments and the consequences of identity impersonation, as stipulated in the Law of Ukraine “On Electronic Identification and Electronic Trust Services.” This implies that EDM systems must not only support QES but also be integrated into a broader risk management architecture.

NIS2 and AI: new cybersecurity requirements for electronic documents

The NIS2 Directive (Network and Information Systems Directive 2) is a regulatory act that strengthens cybersecurity requirements for critical infrastructure operators and essential entities within the European Union. Although Ukraine has not yet fully implemented NIS2, its principles are already a benchmark for building resilient systems. NIS2 requires organizations to implement comprehensive security measures, including risk management, incident response, business continuity, and supply chain security. For electronic document management, this means protecting documents throughout their entire lifecycle: from creation and storage to transmission and archiving.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) outlines Cross-Sector Cybersecurity Performance Goals (CPG) as foundational cybersecurity practices for critical infrastructure. According to their reports, CPGs serve as a benchmark for critical infrastructure operators to assess and enhance their cyber maturity. These goals align with NIS2 requirements and offer practical recommendations for strengthening EDM security.

Artificial intelligence plays an increasingly significant role in enhancing the security and efficiency of EDM. AI in Intelligent Document Processing (IDP) systems automates data extraction, document classification, and routing, reducing human error and improving accuracy. AI in smart search provides quick access to relevant information, while AI models can detect anomalies in user behavior or documents, signaling potential threats. Industry trends, according to Gartner, indicate that by 2028, most enterprises will utilize AI platforms for security.

For AI in critical infrastructure, NIST’s Artificial Intelligence Risk Management Framework (AI RMF 1.0) emphasizes the need to evaluate the context of use, harm, trustworthiness, safety, and accountability, not just model accuracy. NIST AI RMF 1.0 structures AI risk management around the functions of Govern, Map, Measure, and Manage. This means that the implementation of AI in EDM must be accompanied by clear risk management policies and accountability.

Expert comment
Nataliia Bondar, Solution Architect, ECM Practice, Data Management IG

In projects of this class, dealing with document workflow digitalization under new regulatory demands, the integration complexity is often underestimated. A typical pattern involves attempting to replace a monolithic ECM system without accounting for deep dependencies with existing accounting systems like SAP or 1C. This results in significant delays and budget overruns, as data migration and business process adaptation prove far more challenging than anticipated.

A common pitfall: risks of monolithic ECM system replacement

A frequent mistake during EDM modernization is attempting a monolithic replacement of the existing Enterprise Content Management (ECM) system with a new one. This approach often leads to protracted projects, high costs, disruption of business processes, and data loss. This is particularly true for large organizations with long histories of document management and substantial archival data. Monolithic migration can create technological dependency on a single vendor, contradicting the principles of flexibility and resilience promoted by NIS2.

Instead, a phased migration strategy is recommended. This allows for the gradual transition of functionality and data, minimizing risks and ensuring operational continuity. This approach enables the integration of new solutions, such as Scriptum.DMS (a document management system from InBase), with existing systems, preserving access to historical data and progressively modernizing the architecture.

Architectural example: digitizing a central executive authority with NIS2 and AI considerations

Let’s consider a typical scenario for modernizing EDM for a central executive authority. The goal is not only digitization but also ensuring compliance with NIS2 cybersecurity requirements and leveraging AI’s potential.

The architecture is based on a modern EDM system, such as Scriptum.DMS, which ensures legally significant document flow using QES. This system integrates with government services, for example, via API to the ‘Electronic Court’ subsystem. As noted on the ‘Electronic Court’ portal, this subsystem operates through an electronic cabinet and utilizes electronic identification and signatures for legally significant actions. Such integration allows for electronic exchange of documents with judicial bodies, ensuring their legal validity and confidentiality.

To enhance security and efficiency, the architecture includes AI modules. For instance, an AI-based IDP module automates the recognition and classification of incoming documents, extracting key data and routing them through appropriate approval workflows. This reduces processing time and minimizes errors. AI can also be used for smart search within the document archive, enabling quick retrieval of information based on content, not just metadata.

Cybersecurity is ensured at multiple levels: implementing Role-Based Access Control (RBAC) policies, encrypting data at rest and in transit, monitoring user activity, and detecting anomalies using AI tools. All these measures align with NIS2 principles, ensuring system resilience against cyberattacks and rapid incident response.

Scriptum.DMS, as part of the InBase ecosystem, is designed with modern cybersecurity and integration requirements in mind. The system supports QES usage, provides document versioning, and offers flexible workflow management. This allows organizations to establish unified document management that complies with legal requirements and internal regulations.

The Scriptum.DMS architecture is open and supports integration with various government services and other corporate systems (ERP, CRM) through standardized APIs. This is critical for avoiding technological dependency and ensuring flexibility amidst constant changes in the regulatory environment and technologies. Integration with the e-Court system is a typical scenario for government institutions, ensuring seamless exchange of legally significant documents.

InBase also implements AI solutions to enhance EDM efficiency and security. This includes IDP modules for automated document processing, smart search, and data analysis systems that help identify potential risks and optimize business processes. This approach enables a new level of data protection and business process efficiency, especially in the public sector where security and transparency requirements are paramount.

Checklist for implementing secure EDM

  • Risk assessment for electronic data has been conducted according to NIS2 requirements (or similar standards).
  • Specific AI functions (IDP, classification, smart search) for document workflow optimization have been identified.
  • A phased migration plan from the existing ECM system is in place.
  • Integration with government services (via API, QES) is planned.
  • An AI risk management policy, including accountability and security, in accordance with NIST AI RMF, has been developed.
  • Mechanisms for legally significant actions with electronic documents (QES usage) are ensured.

Frequently asked questions

How does NIS2 affect electronic document management?

NIS2 strengthens cybersecurity requirements, mandating comprehensive data protection measures throughout the document lifecycle, risk management, and business continuity.

What are the benefits of using AI in electronic document management systems?

AI automates document processing (IDP), enhances smart search, detects anomalies for improved security, and optimizes business processes by reducing human error.

What are the risks associated with migrating legacy ECM systems, and how can they be avoided?

Monolithic replacement of ECM systems carries risks of lengthy projects, data loss, and high costs. These can be avoided through phased migration and integration with existing systems.