Tech Law & AI Regulation Curator

Vendor operationalization: SBOMs, vuln reporting, provenance, AI data practices

Key Questions

What do NIS2, EU Data Act, and Cyber Resilience Act require from AI vendors?

None of the three is AI-specific; they reach AI vendors as suppliers of software, connected products and cloud services. The Cyber Resilience Act requires manufacturers of products with digital elements to maintain a Software Bill of Materials (SBOM) in a machine-readable format covering at least the product's top-level dependencies, to handle vulnerabilities for the product's support period, and to report actively exploited vulnerabilities on a fixed clock (early warning within 24 hours, notification within 72 hours, final report within 14 days of a corrective measure being available). NIS2 sets incident-reporting timelines for in-scope entities (early warning within 24 hours, notification within 72 hours, final report within one month) and imposes supply-chain security duties that flow down to vendors through contracts. The EU Data Act requires providers of data processing services to support switching and data portability. Provenance tracking is not a named obligation in any of them, but SBOMs and supply-chain controls are how vendors evidence it. Vendors are responding with DPIAs and regional hosting options, and procurement questionnaires increasingly ask for auditability and provenance assurances.
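As an added illustration (not code from the page or from any vendor), the script below runs a constructed CycloneDX JSON SBOM through the two checks a procurement reviewer would actually apply: whether every listed component carries the NTIA minimum elements (supplier, name, version, unique identifier, here assumed as the checklist) and whether every top-level dependency the product declares is itself described, which is the Cyber Resilience Act's minimum coverage. It then computes the CRA Article 14 reporting clock from an awareness timestamp. The SBOM contents, package names and the required-field list are assumptions.

```python
"""Added example: minimal CycloneDX 1.5 SBOM completeness check plus the
CRA Art. 14 reporting clock. Sample data is constructed for illustration."""
import json
from datetime import datetime, timedelta

# Constructed sample SBOM; package names, versions and suppliers are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "acme-app",
                               "version": "2.3.0",
                               "bom-ref": "pkg:generic/acme-app@2.3.0"}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "purl": "pkg:pypi/libfoo@1.4.2", "bom-ref": "pkg:pypi/libfoo@1.4.2",
         "supplier": {"name": "Foo Project"}},
        # Deliberately incomplete entry: empty version, no purl, no supplier.
        {"type": "library", "name": "libbar", "version": "",
         "bom-ref": "pkg:pypi/libbar"},
    ],
    "dependencies": [
        # The root declares three direct dependencies; "ghost" is never described.
        {"ref": "pkg:generic/acme-app@2.3.0",
         "dependsOn": ["pkg:pypi/libfoo@1.4.2", "pkg:pypi/libbar",
                       "pkg:pypi/ghost@0.1"]},
    ],
})

# Assumed review checklist, modelled on the NTIA minimum elements
# (supplier, name, version, unique identifier; "purl" serves as the identifier).
REQUIRED_FIELDS = ("name", "version", "purl", "supplier")


def check_sbom(sbom_json: str) -> dict:
    """Return per-component missing fields and top-level deps with no entry."""
    bom = json.loads(sbom_json)
    findings = {"missing_fields": {}, "undescribed_top_level": []}
    by_ref = {c.get("bom-ref"): c for c in bom.get("components", [])}
    for ref, comp in by_ref.items():
        missing = [f for f in REQUIRED_FIELDS if not comp.get(f)]
        if missing:
            findings["missing_fields"][ref] = missing
    # Top-level dependencies are the root component's direct "dependsOn" edges;
    # CRA Annex I requires the SBOM to cover at least these.
    root = bom["metadata"]["component"]["bom-ref"]
    for dep in bom.get("dependencies", []):
        if dep.get("ref") == root:
            for ref in dep.get("dependsOn", []):
                if ref not in by_ref:
                    findings["undescribed_top_level"].append(ref)
    return findings


def reporting_deadlines(awareness_iso: str, fix_available_iso: str) -> dict:
    """CRA Art. 14 clock for an actively exploited vulnerability: early warning
    24h and notification 72h from awareness, final report 14 days after a
    corrective measure is available. Inputs and outputs are ISO 8601 strings."""
    aware = datetime.fromisoformat(awareness_iso)
    fixed = datetime.fromisoformat(fix_available_iso)
    return {
        "early_warning": (aware + timedelta(hours=24)).isoformat(),
        "notification": (aware + timedelta(hours=72)).isoformat(),
        "final_report": (fixed + timedelta(days=14)).isoformat(),
    }


if __name__ == "__main__":
    print(json.dumps(check_sbom(SAMPLE_SBOM), indent=2))
    for name, when in reporting_deadlines("2026-04-21T09:00:00+00:00",
                                          "2026-04-25T12:00:00+00:00").items():
        print(f"{name}: {when}")
```

Run against the constructed SBOM it flags `libbar` for an empty version and missing purl and supplier, and flags `pkg:pypi/ghost@0.1` as a declared top-level dependency with no component entry; both are the gaps a CRA-minded procurement review will send back. The NIS2 incident clock is the same 24h/72h shape but its final report is due one month after notification rather than 14 days after a fix, so the two clocks should be tracked separately.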

How is Atlassian using customer data for AI training?

According to the page's sources, Atlassian will train its AI on customer metadata from Free and Standard plans; opting out requires paying for a higher tier, and the metadata collection on those plans is mandatory starting soon. For buyers it is a concrete instance of the question procurement now asks: which customer data a vendor feeds into model training, and whether the opt-out is contractual or gated behind a price tier.

What new practices are vendors like Meta implementing for AI data?

Meta is reported to be capturing employees' mouse movements and keystrokes as AI training data, and Atlassian is using customer metadata with an opt-out limited by plan tier. Neither practice is required by the regulations above; they are the kind of data handling that procurement reviews now expect vendors to disclose and document, alongside the SBOM, vulnerability-handling and incident-reporting evidence required under NIS2 and the Cyber Resilience Act.

In short: NIS2, the EU Data Act and the Cyber Resilience Act between them mandate SBOMs, vulnerability and incident reporting timelines, and data portability, with provenance increasingly expected as supporting evidence; vendors respond with DPIAs and regional hosting. New this update: Meta's capture of employee interaction data and Atlassian's use of customer metadata for AI training with tier-gated opt-out. Procurement demands auditability and provenance.

Sources (2)
Updated Apr 21, 2026
What do NIS2, EU Data Act, and Cyber Resilience Act require from AI vendors? - Tech Law & AI Regulation Curator | NBot | nbot.ai