Introduction
The Top 5 IT Security Risks in the Construction Sector
In addressing these key issues, we propose a guide to help you face the five major IT security risks in the construction sector.
In fact, by 2025, stakeholders in the construction industry can no longer ignore cyber risks, also known as information or IT risks, even though this is not the core of their activity. An error or misunderstanding of these risks can have serious financial and operational consequences.
Incidents such as phishing, the introduction (whether accidental or malicious) of a virus by an employee, ransomware, human error, or the leakage of sensitive data are no longer isolated cases, as the daily news shows.
In a risk analysis approach, it is essential to have a contingency plan, which describes the procedures to follow if the risk occurs. To avoid having to go that far, we highlight the five major risks and how to avoid them.
Losing Control of the Project's Document Management Platform
IT risk management in a real estate project begins with choosing and securing the document management platform (EDM).
When constructing a building, choosing and managing the document management platform are always challenging: which tool to choose, who pays for the licenses, who configures the space, who grants access rights… Generally, it is the project owner or the company in the construction phase that imposes its solution and the digital environment it masters.
For other project stakeholders, this means becoming familiar with a new tool and training in its use. In the construction sector, there are numerous document management platforms, more or less specific to the sector, with varying functionalities.
Beyond the effort of getting accustomed to yet another tool, the question of resilience for the various project participants arises. Indeed, what happens in case of a dispute if the party providing the document management platform (EDM) decides to cut off access to all others? Or delete certain files? In practice, everyone knows this is a risk. This is why a team member is often tasked with backing up data stored on the common platform. But in reality, after several months or even years of construction, archives are rarely maintained systematically.
Whoever owns the information holds the power. In case of disputes, the traceability and accuracy of exchanged information are crucial. Your IT system and its infrastructure must guarantee this.
It is primarily to address this issue that the Cooperlink Hub was created. Thanks to its network architecture, Cooperlink allows each company to hold its own copy of the data independently and, optionally, to connect it with the company's own tools. Cooperlink thus ensures each company's independence and continuity of access to the data that is critical to its operations.
The Dilemma of Cloud Hosting: Public Cloud, Private Cloud, or On-Premise
Those seeking an EDM quickly face the hosting dilemma: what to choose between public cloud, private cloud, or on-premise hosting? Each of these solutions has its advantages but also vulnerabilities:
- Public Cloud Hosting: simple, but costly over the total lifespan of a real estate project. Not to mention that pricing is generally based on the storage size required. Plans, perspectives, 3D models, and photos are increasingly large files. This data is also vulnerable to cyberattacks. In this solution, you do not control this aspect but trust your provider. (Have you ever read the fine print of your contract on this matter?)
- Private Cloud Hosting: an interesting alternative exists with sovereign clouds (Combell, WIN, OVH, Scaleway, etc.). The company rents a dedicated server in a data center managed by a provider. Thus, the advantages of accessibility and scalability of a public cloud are present, while offering dedicated and secure storage whose maintenance is ensured by experts. A fairly reliable solution provided that proper redundancy of information storage is ensured. We remember the fire in March 2021 at an OVH datacenter that caused significant damage to its clients' activities with the irreversible loss of their data.
- On-Premise Hosting, i.e., on a server physically installed in the company's premises. The initial investment is costly and requires technical skills for installation and maintenance. This solution carries a risk related to equipment integrity (fire, theft, etc.), as well as a cybersecurity risk with increasingly sophisticated attacks. In our opinion, this solution should be avoided for construction companies.
At Cooperlink, we wanted to keep it simple. You choose the hosting that suits you. By default, we offer a sovereign cloud based on your location. But, like many of our corporate clients, you can install the Cooperlink server in your private cloud. If you add the connection with your company's tools, you have perfect control over the sovereignty of your data.
Even Stored in Europe, Your Data May Not Be Secure
You might think you're safe by choosing a server located in Europe to host your SharePoint or, more broadly, your data, while your provider is Microsoft Azure, Google Cloud, or Amazon AWS. Think again!
For example, laws such as the Patriot Act and the Cloud Act have significant implications for European users of services provided by American cloud solutions. Here are some of the main consequences:
1. Access to Data
The Patriot Act allows U.S. authorities to access data stored by American companies, even if that data is hosted on servers located in Europe. This means that the data of European users can be accessible to U.S. intelligence agencies if it is stored by companies subject to U.S. jurisdiction.
The Cloud Act reinforces this capability by allowing U.S. authorities to obtain warrants to access data stored abroad by American service providers. This facilitates transnational access to data, including that of European users.
2. Data Sovereignty
These two laws raise concerns about data sovereignty. European companies and users may be subject to U.S. laws regarding access to and processing of data.
3. Privacy Protection
The Patriot Act and the Cloud Act have been criticized for their potential impact on user privacy. European users may be concerned that their personal data may be accessible to U.S. authorities without their explicit consent or adequate judicial oversight.
Laws that apply to companies under foreign jurisdiction therefore have important implications for European users, particularly regarding data protection and digital sovereignty. The fact that Microsoft has a subsidiary in Switzerland or France does not exempt it from U.S. jurisdiction.
Even if safeguards have been put in place, the global geopolitical context in 2025, and particularly U.S. policy, requires European companies to be extremely cautious when choosing cloud services provided by non-EU companies.
To secure your data when choosing to host it in the cloud, Cooperlink cooperates with local hosts (e.g., Combell, Scaleway, WIN, etc.) that are subject to European law. This ensures that your data will never leave the territory.
Ensuring Confidentiality While Communicating Effectively on Your Construction Site
Dealing with GDPR: Not Always Straightforward
In the construction sector, compliance with the General Data Protection Regulation (GDPR) is crucial, especially when it comes to effectively communicating on construction sites. Companies must adhere to several obligations to protect individuals' personal data. This includes implementing appropriate technical and organizational measures to ensure data security, such as encrypting sensitive information and limiting data access to authorized persons only.
Minutes (PV) of meetings and site visits, which often contain personal information such as participants' names, phone numbers, and email addresses, must be managed with heightened vigilance. Companies must ensure that this data is collected, stored, and shared securely, respecting individuals' rights to confidentiality and the protection of their personal information.
The choice of digital tools used to manage this data is therefore essential to ensure compliance with GDPR and protect sensitive information.
Use of AI and Compliance with GDPR within Companies
For many companies, the growing and often clandestine use of technologies such as ChatGPT by employees poses new security challenges. According to the law firm Lexing, many companies, especially SMEs, are not sufficiently aware of the risks associated with the use of artificial intelligence by their personnel. While these tools can enhance productivity and facilitate communication, they can also expose sensitive information if adequate security measures are not in place.
For example, employees may unintentionally share confidential data (personal data, as well as commercial data related to company activities) when using these AI tools without being aware of it. Companies must therefore raise awareness among their employees about these risks and implement clear policies regarding the use of these technologies, even as digital transformation remains a major challenge for the sector.
It is urgent to establish guidelines for the use of AI tools, emphasizing the need to protect sensitive data and comply with legal requirements. By integrating these practices, construction companies can not only protect the data of their employees and partners but also enhance confidence and transparency in their operations.
SMEs and the industry as a whole must raise internal awareness about the evolving digital environment and IT risks (phishing, fraud, malicious acts, etc.). They must identify ways to further secure their networks and systems to address new IT threats and minimize their vulnerability to cyberattacks.
Attentive to the protection of personal data (one of its directors even made a modest contribution to the drafting of this directive), Cooperlink applies the principles of privacy-by-design and privacy-by-default. For example, unless the individual has given consent, partners see the name of the company rather than the individual's name. Your data is precious, and we treat it as such.
NIS2 and Its Implications for Large Enterprises: Ensuring Their Digital Supply Chain
The NIS2 directive, or "Network and Information Security 2," imposes strict cybersecurity obligations on large enterprises, particularly those operating in critical sectors. Although digital solution providers for the construction sector, like Cooperlink, are not directly subject to NIS2, many of our clients are. It is therefore crucial for us to understand and respond to the requirements of this directive to ensure the security and resilience of our clients' digital supply chain.
For companies subject to NIS2, ensuring the security of their digital supply chain is a priority. This means they must ensure that all suppliers and partners they collaborate with adhere to high IT security standards.
Cooperlink has chosen to limit the number of its critical suppliers and selects them with great care, prioritizing reputable and local companies with which it can establish reliable and balanced agreements.
Conclusion
At Cooperlink, as a provider of digital solutions, we play an essential role in the digital supply chain by offering solutions that not only improve operational efficiency but are also designed to be secure and compliant with regulatory requirements.
Our solution integrates robust security measures, such as true sovereignty in information storage, the ability to have your own copy of the data, privacy-by-design, encryption, reinforced access management, and authentication to protect our clients' sensitive information.
We are committed to staying up-to-date with the latest standards and best practices in cybersecurity to support our clients in their compliance with NIS2. Cooperlink is currently working towards ISO27001 certification. As part of this certification, we are dedicating this year to consolidating our security policies, risk analysis, and management of the most critical risks identified within our organization.
By collaborating closely with our clients and providing them with secure solutions, we contribute to strengthening the resilience of their digital supply chain and reducing the risk of cross-border cybersecurity threats. Our objective is to offer tools that not only meet their operational needs but also help them comply with regulatory requirements, ensuring the protection of their digital assets and the resilience of their operations.
Laure Bouvier
Project Manager