
B2B Security: How to Validate an AI Provider in the Era of NIS2 and GDPR (Due Diligence)

25.02.2026
Updated on 03.03.2026

Global demand for artificial intelligence solutions has exploded, as indicated by our AI Report for B2B 2026 covered in the central and IT/Tech press in Romania.

For a CTO or Procurement Director, the stakes in 2026 are not only technological but also legal. With the entry into force of the NIS2 Directive, companies are directly responsible for the security of their supply chain.

If you contract an AI vendor that does not comply with security standards and personal data protection, their vulnerability becomes your vulnerability. As an accredited ROTLD and Google Cloud partner in Romania, we offer in this guide a few essential due diligence steps.


Commercial Due Diligence: Entity Validation

A growing attack vector, identified in Palo Alto Networks (Unit 42) reports, is the use of 'lookalike' domains (typosquatting or combosquatting). Third parties register domains containing the names of well-known brands or generic terms, adding suffixes such as .ai, tech or soft.

Why is this a risk for your company?

  • Phishing: employees may confuse the clone entity with the real vendor, sending sensitive data.
  • Compliance: NIS2 requires verification of partner credibility.
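A screening check for the lookalike patterns described above, as an added example that is not part of the original article. The vendor domain, the brand label and the distance threshold are assumptions; the suffix tokens are the ones the article names.

```python
# Constructed sample data: the vendor domain and brand label are hypothetical.
KNOWN_VENDORS = {"examplevendor.ro": "examplevendor"}
COMBO_TOKENS = ("ai", "tech", "soft")  # suffixes named in the article
MAX_TYPO_DISTANCE = 2  # assumption: tune to the length of the brand name


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain, vendors=KNOWN_VENDORS):
    """Return (verdict, brand) for a registrable domain such as 'name.tld'."""
    domain = domain.strip().lower().rstrip(".")
    if domain in vendors:
        return ("known", vendors[domain])
    label = domain.split(".")[0]
    for brand in set(vendors.values()):
        if label == brand:
            return ("lookalike-tld", brand)  # same name under another TLD
        if brand in label:
            extra = label.replace(brand, "").strip("-")
            kind = "combosquat" if extra in COMBO_TOKENS else "brand-embedded"
            return (kind, brand)
        if edit_distance(label, brand) <= MAX_TYPO_DISTANCE:
            return ("typosquat", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed candidates, e.g. sender domains seen in inbound mail.
    for d in ("examplevendor.ro", "examplevendor.ai",
              "examplevendor-tech.com", "examplevend0r.ro"):
        print(d, classify(d))
```

Any verdict other than "known" is a prompt to run the WHOIS and legal-entity checks below before trusting the domain.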

How to verify?

As an accredited ROTLD partner, OPTI Software helps maintain Internet integrity.

1. Owner verification (technical: WHOIS)

For .ro domains: Check the domain owner at rotld.ro/whois.

For .ai / .com domains: Check at ICANN Lookup. Although owner data is often hidden, we recommend verifying domain ownership to avoid the risk of service discontinuity.

2. Legality verification:

In Romania, service provider websites are required to display in the footer: Company Name, Tax ID (CUI) and address.

3. Fiscal verification:

Verify whether the vendor has a financial track record and CAEN codes relevant to IT/AI (6201, 6202) on financial information portals.

In B2B, the technology partner must display their identity. If the domain is registered anonymously, there is a compliance risk.

2026 Case Study: The ClawHub Attack

Why does supply chain security matter in the AI era? In February 2026, researchers discovered a massive breach in ClawHub, the official marketplace for OpenClaw agents.

The most downloaded skill, an apparently harmless "Twitter writer bot", concealed an ingenious attack vector. To function, the AI agent asked the user to install a dependency called "openclaw-core". This dependency did not officially exist. The link provided by the AI led to a malicious file that, when run, stole SSH keys and cryptocurrency wallets. The AI agent became, unwittingly, the attackers' accomplice.


Data Security and Certifications

Artificial intelligence works with data: about the company, its projects, its employees and its customers.

Moreover, almost any AI project quickly comes to involve:

  • Connection to CRM or website: for the company's customer data and communications with them
  • Connection to ERP: for products, prices and commercial flow
  • Access to the company's documents and databases: for the knowledge base
  • Integration with the email service and with service and support accounts: for automations

If you give AI access to the entire data supply chain, you also temporarily give the implementer this access. It is important where the company's data resides, who controls access and whether you can revoke it.

Ensure that for any access you have information about the access conditions, the right of revocation, and the contractual and legal basis. This is essential under GDPR, NIS2 and the ISO 27001 standard.

Has the vendor's website implemented security headers?

This is a simple check you can perform at https://securityheaders.com. Having these headers implemented indicates a minimum level of protection.


If you operate in a sector regulated by the NIS2 Directive on cybersecurity, you have an explicit obligation to verify vendors, and management's personal liability may be invoked.

Certifications in brief:

ISO 9001 means that the company is annually verified for maintaining a quality management system. E.g.: it collects customer feedback for every project.

ISO 27001 means that the company is annually verified for maintaining an information security management system. E.g.: it knows exactly which persons have access to which data.

ISO 42001 is the first global standard specifically for AI Management Systems (AIMS). It certifies the existence of risk, ethics and human control procedures over algorithms.

Also verify the reputation and market longevity of the certification body.


IT Supply Chain Security Checklist

To protect your company, you can print this quick checklist:

Each item lists the audit question, the evidence to request and the risk it addresses.

Identity
  • Audit: Who is the legal entity in the contract?
  • Evidence: Tax ID, Address, Transparent WHOIS data for domains.
  • Risk: You cannot sue a website or an anonymous individual.

Data (AI training)
  • Audit: Is my data used for training?
  • Evidence: Explicit contractual clause: "No training on customer data".
  • Risk: Risk of losing trade secrets to public models.

Data (transfer)
  • Audit: How is the company's data transferred?
  • Evidence: Explicit contractual clause: "Only transfer encrypted".
  • Risk: Risk of losing data and trade secrets in the market.

Data (location)
  • Audit: Where does the company's data reside?
  • Evidence: Explicit contractual clause: Accepted regions (EU / non-EU) for data and GDPR guarantees.
  • Risk: GDPR compliance and data sovereignty.

Ownership
  • Audit: Who owns the code and accounts? What happens upon termination?
  • Evidence: Administrative access, explicit rights contract.
  • Risk: Vendor lock-in (vendor dependency).

Security
  • Audit: How do you prove data security?
  • Evidence: Certification ISO 27001, ISO 42001, Audit report.
  • Risk: NIS2 obligation for the supply chain.

Business Continuity
  • Audit: What happens if the servers / infrastructure go down?
  • Evidence: Disaster recovery and backup plan.
  • Risk: Business continuity is critical in operations.

Employees and subcontractors
  • Audit: What guarantees exist for those who work for the vendor?
  • Evidence: Imposing the same obligations on employees and subcontractors, with explicit designation if required.
  • Risk: NIS2 obligation for the supply chain.

Technical Competence

Once legal risks have been eliminated, ensure the partner has the necessary technical competence. We have detailed the performance criteria in two recent materials:

Guide: how to choose a partner from the Google Cloud ecosystem for AI

Choose between partners based on governance requirements, project duration and desired agility.

AI Guide 1: Recommendations, Upsell and Rules

No AI model will compensate for poor-quality data in your own systems — choose an implementer who can clean and work with existing data.

The main checks here relate to experience (case studies and satisfied clients) and expertise (individual certifications).

View OPTI Software case studies


Conclusion: Innovate Securely

AI adoption is inevitable, but it doesn't have to be chaotic. The difference between a successful implementation and a security breach is significant, and the latter can be prevented through minimal preliminary checks such as those above.

At OPTI Software, we base our software architecture on standards and certifications: Google Cloud Partner, HubSpot Partner, ISO 9001, ISO 27001, ISO 42001 - in progress.

Register for Guide #6 on security and secrets protection to see what a compliant data architecture looks like.

Quick Questions

What is Due Diligence for an AI vendor?

The preliminary verification process covering legal identity, data security, certifications and technical competence of an AI vendor before signing a contract.

Why does NIS2 require AI vendor verification?

The NIS2 Directive holds companies accountable for the security of their entire supply chain. A vendor's vulnerability can become the client company's vulnerability, and management's personal liability may be invoked.

What certifications should a CTO require from an AI vendor?

ISO 27001 (information security), ISO 42001 (AI management systems) and ISO 9001 (quality management) are the most relevant. Also verify the reputation of the certification body.

How do I verify whether a .ai or .com domain belongs to a legitimate entity?

Use ICANN Lookup for international domains (.ai, .com) or rotld.ro/whois for .ro domains. Check that WHOIS data is consistent with the legal entity in the contract.

What technologies and methodologies are involved?

Technologies: ISO 9001, ISO 27001, ISO 42001 (AIMS), GDPR, NIS2, ROTLD, WHOIS, ICANN Lookup, Google Cloud, HubSpot, Palo Alto Networks Unit 42
Methodologies: WHOIS and domain transparency verification, CUI and fiscal data validation (CAEN 6201/6202), ISO certification audit, contractual legal due diligence, data protection contractual clauses (no training/encrypted transfer/EU residency), code and account ownership verification

Article written by

OPTI Software
