The web development market has undergone an irreversible fracture. On one hand, the proliferation of AI-based tools has reduced the creation of basic websites to a low-cost commodity. On the other, complex enterprise architectures require increasingly solid engineering foundations, and it is in this scenario that Drupal’s strategic repositioning fits. Choosing a core technology is no longer a tactical marketing decision, but a strategic imperative to support deep integrations and critical data flows.

The market for simple websites—those we define as showcase sites or brochureware—has been completely commoditized. Between closed visual site builders and the ability of GenAI to produce frontend code, the landscape has changed decisively. The value of building a simple site with a robust framework has collapsed.

As the low-end market saturates, a gap is opening at the high end. This is where the need to manage complex digital infrastructures, structured data, and business-critical processes arises. For years, the market treated content management systems as generic tools, but today that vision is obsolete.

This bifurcation is a hot topic that permeates the background of all strategic discussions. We have felt and experienced it at all the major conferences of the last few months.

It emerged as a central theme at Drupal Pivot EU, the exclusive unconference held in Ghent in January 2026. A restricted event that brought together leading European technology leaders to redefine the role of open source systems in enterprise architectures. We at SparkFabrik actively participated in the working groups with our CTO Paolo Mainardi, helping to chart the course for the coming years.

We saw the same common thread at Drupal4GovEU, the event focused on open source for the European Public Administration. And it obviously appeared in several talks presented at major events, such as the last DrupalCon in Vienna and the very recent DrupalCon Chicago.

The conclusion reached is unequivocal: continuing to treat content management platforms as simple web page providers is a calculation error that generates technical debt.

Indeed, Drupal is establishing and repositioning itself not as a simple CMS, but as the framework of choice for ambitious Digital Experience Platforms (DXP). We are no longer talking about managing web pages, but about governing APIs, digital identities, and complex workflows in a secure environment.

Forward-thinking companies are repositioning their investments. They are shifting budget from ephemeral frontends toward backend infrastructures that are governable, secure, and designed to last.

For a business decision-maker, understanding these dynamics is fundamental to correctly allocating IT budget. Continuing to treat Drupal exclusively as a content manager means underestimating a strategic asset essential for digital resilience, especially when combined with cloud-native technologies and AI.

Drupal as a business enabler: from CMS to Business Application Framework

Drupal has evolved from a simple open source CMS into a true application framework for the enterprise market. It functions as a business enabler by providing the architectural infrastructure necessary to manage complex workflows, advanced API integrations, and structured data, overcoming the functional limits of simple showcase sites.

During the working groups in Ghent, the discussion highlighted the need for an ontological redefinition. Market perception must align with the platform’s actual technical capabilities.

Traditionally, a CMS is viewed as a repository for text and images, but this vision is limiting. We no longer sell a packaged product. With Drupal, we provide a relational engine capable of orchestrating an entire company’s digital experience, thanks to an extremely flexible entity architecture.

This shift in perspective transforms the software from a cost center into a true Business Application Framework, capable of modeling unique business logic without forcing internal processes to adapt to pre-set software.

What does this mean in practical terms for the business? It means transforming the platform into the backbone for:

• Complex enterprise intranets: Granular permission management, multi-level approval workflows, and integration with corporate Identity Providers. (Discover the CNP Vita Intranet case study)
• Service portals: Where data security and accessibility are mandatory non-functional requirements.
• Headless Content Hub: Drupal acts as a single source of truth, decoupling the backend from the frontend and distributing content via REST or GraphQL APIs to various consumer applications.
• Data Management platforms: Native modeling of complex data relationships without the need to write SQL queries or manage manual schema migrations.
• LMS systems (Learning Management System): Proprietary e-learning platforms where progress tracking, skills certification, and protection of educational materials are non-negotiable requirements.

We see a concrete example in the manufacturing sector, where Drupal is adopted as middleware to aggregate data from ERP and CRM systems, exposing them in unified dashboards. This is a pure application framework use case, not that of a simple web page manager.

For IT decision-makers, understanding this evolution means entering a new era of content management for business, where content management is just a subset of much broader capabilities. There is now an unbridgeable gap between quick solutions and engineered platforms.

The difference between the two approaches manifests in several critical areas:

• Distinction between “disposable code” and “durable infrastructure.” AI, visual site builders, and modern frontend frameworks excel at rapid interface creation but introduce a high rate of obsolescence. Generated landing pages have a lifecycle measurable in months and do not survive corporate pivots.
• Long-term maintainability. The backend, business logic, and data model must ensure lasting stability. A Drupal-based infrastructure is designed for decade-long lifecycles, absorbing business evolutions.
• Isolated data vs. centralized hubs. Closed systems fragment information into inaccessible silos. A framework-first approach natively exposes every entity via REST or GraphQL APIs, acting as a single source of truth for omnichannel ecosystems.
• Standard logic vs. custom logic. SaaS products impose their own operational workflows. An open architecture allows for mapping granular permissions and approval flows exactly to existing corporate hierarchies.

Choosing this path means investing in a technology that scales with business complexity, ensuring solid foundations for the future. (To learn more: Complete Guide - Why choose Drupal for complex corporate sites)

Is Drupal the ideal solution for corporate digital sovereignty?

The advantages of Drupal for digital sovereignty lie in total control over architecture and data. Being open source, it eliminates the vendor lock-in typical of SaaS platforms, allowing CTOs to implement secure artificial intelligence models and maintain full infrastructure compliance without ceding control to third parties.

In the European enterprise market, the concept of sovereignty is often reduced to a mere matter of regulatory compliance and geographic server localization to respect GDPR. This vision is limiting. True technological sovereignty is only achieved when an organization possesses the unconditional ability to inspect, modify, and migrate its software stack without asking third parties for permission.

When critical infrastructure rests on closed cloud services, the company cedes control of its technological roadmap to the decisions of an external provider. Vendor lock-in represents the most underestimated operational risk in IT budgets today. Arbitrary changes to pricing models, sudden deprecation of fundamental APIs, or corporate acquisitions can paralyze a company’s digital operations.

Adopting open standards neutralizes this risk at the root. It returns bargaining power to management and the freedom to choose where and how to run their workloads, whether on hyperscaler cloud providers or private infrastructure.

This independence becomes crucial in the age of artificial intelligence. Companies possess invaluable information assets that cannot be fed into public language models. Sovereign AI requires platforms capable of orchestrating open source models or private instances within the corporate perimeter, allowing the use of artificial intelligence without exposing sensitive data to external networks.

The Drupal community shares this vision, embracing a vendor-agnostic approach that is easily adaptable. By using an open framework, it is possible to ensure security and compliance for corporate data by implementing Retrieval-Augmented Generation systems that query internal databases without ever exposing intellectual property on uncontrolled networks.

How does platform engineering transform Drupal into a durable infrastructure?

Platform engineering transforms Drupal into a durable infrastructure by applying cloud-native practices that ensure maximum reliability and scalability. By standardizing operations through an internal platform, development teams reduce cognitive load, cut technical debt, and significantly accelerate the time-to-market for new features.

The strategic transformation of Drupal into a business-critical application would not be possible without an evolution of the underlying infrastructure. Abandoning old monolithic hosting paradigms is the prerequisite for operating at an enterprise scale, in favor of a Cloud Native approach and Platform Engineering practices.

SparkFabrik’s vision is based on a rigorous engineering principle: the value of software is inseparable from the quality of the infrastructure that hosts it.

This is not a stylistic choice, but a reliability requirement. When an application becomes central to business processes, downtime or performance bottlenecks are intolerable. Investing in the underlying platform is the only proven method to mitigate obsolescence and ensure operational continuity.

To transform a CMS into a true cloud-native application, it is essential to create an internal developer platform to standardize operations. This methodological approach shifts the focus from manual server management to process automation, offering tangible business benefits:

1. Immutability and reliability through containerization. The use of containers and modern orchestrators (e.g., Docker, Kubernetes) allows infrastructure to be managed as code. Production environments are not “updated” manually, but replaced entirely with every deploy. This eliminates “configuration drift” and ensures that the development environment is identical to the production one, reducing unexpected bugs.
2. Horizontal scalability, resilience, and self-healing. Business applications have variable workloads. An architecture based on orchestrators like Kubernetes allows Drupal to scale horizontally (adding pods/nodes) in response to real traffic. This ensures high availability and self-healing, automatically restoring failed processes without human intervention and guaranteeing uptime.
3. Operational standardization and reduction of cognitive load with the Internal Developer Platform (IDP). By providing developers with standard paths and preconfigured resources, the need to manage complex infrastructure configurations is eliminated. Teams can thus focus exclusively on writing business logic. This accelerates time-to-market while maintaining centralized control over infrastructure governance.
4. Security integrated into the supply chain. By shifting security checks to the early stages of development, automated CI/CD pipelines block vulnerabilities before they reach production environments. This proactive approach is essential to meet enterprise security standards, from the very first line of code.

For IT decision-makers, the investment is not just in application software: the application and the platform must be designed in symbiosis. Without modern infrastructure, even the best Drupal code risks becoming unmanageable technical debt.

The impact of AI and agents in Drupal: collaboration or replacement?

Artificial intelligence does not replace software architecture, but enhances it by accelerating its tactical execution. Drupal provides the structure, validation rules, and data truth upon which generative models can operate, ensuring long-term governance essential for protecting corporate information assets.

The most common perspective error among IT decision-makers is considering AI as an alternative to traditional backend systems. On the contrary, advanced language models need structured platforms to avoid generating hallucinations or uncontrollable output. The integration between these two technologies pushes the framework up the corporate value chain, transforming it into the conductor of automated interactions.

The real leap in quality lies in Agentic AI, or the ability to orchestrate autonomous agents that operate within a governed perimeter. For development teams, this means moving from simple prompt writing to designing complex system instructions that allow agents to interact securely with platform APIs (agentic coding).

CTOs must adopt a new agentic-first approach to development, ensuring that the infrastructure provides the validation rules, semantic context, and operational limits within which artificial intelligence can move without corrupting corporate data.

AI enhances Drupal and, in turn, Drupal provides the perfect structured and orchestrated context in which AI can thrive. This “technological synergy” (widely debated at all strategic events, from the Drupal Pivot Unconference in Ghent to the major DrupalCons), manifests through practical applications that redefine team efficiency:

• AI content governance: Models generate massive volumes of information, content, and metadata, and Drupal acts as a control layer. It is the framework that orchestrates AI agents and imposes approval workflows, ensuring that every output respects brand guidelines and legal requirements before publication.
• RAG (Retrieval-Augmented Generation): In corporate contexts, AI must provide answers based on secure internal data. The platform acts as a central hub to orchestrate corporate data toward vector databases, allowing AI agents to answer user queries based exclusively on certified corporate documentation, accessing only pertinent information and strictly respecting individual access permissions.
• Development acceleration: Generating pages with GenAI, visual building, and automating repetitive tasks frees up valuable engineering resources. This allows technical teams to focus on architecture, complex integrations, and security.

To fully understand how to implement these hybrid architectures in your business processes, we recommend consulting our overview of Drupal AI and the SparkFabrik vision, where we analyze the most effective integration strategies.

The future sees technical teams focusing on data architecture and security. In our experience at SparkFabrik, adopting AI reduces development time for repetitive tasks by 30%, but only if the underlying framework imposes strict rules that prevent generated code from compromising system stability in production.

Why is the “Pivot” necessary now?

Drupal’s strategic repositioning is necessary today because the market has split sharply. While basic online presence is now commoditized, the demand for deep integrations is growing. CTOs need flexible platforms to solve the build vs. buy dilemma without ceding architectural control.

IT budget optimization requires ruthless choices, even more so today, in a market where code and online presence have become commodities. Financing custom development for low-impact projects is a waste of engineering resources, as automated tools can cover those needs at a fraction of the cost. Think, for example, of the myriad SaaS, “no-code” solutions, and AI builders for creating landing pages. In these cases, a technology like Drupal is clearly inefficient.

However, applying the same cost-saving logic to core systems generates technical debt that is paid for by the inability to scale. Enterprise companies no longer ask for digital showcases, but transactional ecosystems. Needs have shifted toward deep integration.

This level of complexity manifests in advanced use cases that escape the capabilities of traditional CMSs. Structured and complex business cases like customer portals, intranets, e-learning platforms, and data repositories require solid foundations.

In this scenario, technology leaders constantly face the Build vs. Buy dilemma. Buying a finished product guarantees initial speed, but SaaS black boxes show their limits as soon as business processes deviate from the vendor’s intended standard. Serious structural rigidities arise, such as non-modifiable data schemas, API limits, dependence on development roadmaps, and vendor lock-in.

Building everything from scratch, on the other hand, entails unsustainable maintenance costs. A mature application framework offers the optimal middle ground: solid foundations already written and tested, combined with absolute freedom to customize business logic.

The theme of digital sovereignty should be read from this engineering perspective even before a regulatory one. It is not just a matter of data residency, but of control over architecture. European companies need platforms where database access, business logic, and integrations are not bound by black boxes.

Drupal positions itself as an open source framework that guarantees full access to the stack, allowing data to be modeled exactly as required by the business. It offers the flexibility of custom code and the robustness of an enterprise framework, leaving the simple site market to automated tools.

What are the next steps for IT decision-makers?

Owning your technology in an era of uncertainty represents the ultimate competitive advantage for enterprise companies. The transition to robust solutions requires an in-depth audit of current infrastructure and the adoption of open source platforms governed by rigorous engineering practices, capable of supporting business growth in the long term.

Here is a strategic checklist:

1. Technical debt audit: Analyze your digital properties. Which are simple showcase sites and which are critical applications? Identify where you need control over data and software longevity. Those are the candidates for the new enterprise Drupal approach.
2. Technological independence assessment: Do your current systems allow you to extract and migrate data without friction? If the answer is no, you are accumulating operational risk. Adopting open standards and open source platforms is the most effective technical mitigation against vendor lock-in.
3. Platform-First roadmap: Stop funding siloed projects. Invest in the underlying platform. A cloud-native base has an initial setup cost, but it reduces the marginal cost of every subsequent application and ensures uniform security standards.
4. Partner selection: Modern challenges require skills that go beyond traditional CMS development. You need a partner with expertise in distributed architectures, application security, and DevOps practices. Look for proven expertise in SRE and software lifecycle management.

The dividing line in the IT market is now clearly drawn. On one side, we find companies that continue to squander budget on application silos and closed platforms, accumulating operational risks. On the other, industry leaders who invest in open, scalable ecosystems ready for the secure integration of artificial intelligence.

Drupal Pivot and other strategic events have confirmed that technological maturity is not measured by the quantity of features, but by the ability to govern complexity. Drupal has chosen to position itself as the tool for those who build durable digital assets, offering total control over their technology.

We invite technology leaders to evaluate their current infrastructure with a critical eye. Is it ready to support business-critical processes for the next ten years? Or is it time to “pivot” toward more robust solutions capable of supporting the business for the next decade?

If your architecture does not guarantee data sovereignty and operational agility, we invite you to discover our Drupal development and consulting services and contact our experts to design a future-proof cloud-native platform together.

Today, Drupal represents not only the best enterprise-grade CMS solution, but also the one that integrates artificial intelligence in the most mature way. The feature-rich 1.3.0 release of the Drupal AI module marks an important transition from an experimental integration to a production-ready platform. The adoption of LLMs in corporate CMSs has so far been held back by tangible risks related to data privacy, model hallucinations, and a lack of observability over background operations. This version tackles these structural criticalities, introducing advanced governance features, standardized telemetry flows, and orchestration tools that transform experiments into solid architectures.

The SparkFabrik team played an active role in the development of the core module, leading the design of the security and advanced search systems. The Cloud Native engineering approach made it possible to apply security-by-design and DevSecOps principles directly to artificial intelligence, ensuring that every interaction is traceable and secure.

To understand the extent of this ecosystem, it is useful to consult our complete overview of AI features in Drupal. As illustrated in the in-depth video by Marcus Johansson, Tech Lead of the Drupal AI Initiative, the update provides architectural foundations for complex operations. We detailed the journey of these implementations in our dedicated article on how we shaped the future of Drupal AI in 2025, demonstrating how the integration of language models requires cross-functional skills spanning CMS development and distributed infrastructures.

Why AI Guardrails transform Drupal into a secure enterprise platform

AI Guardrails transform Drupal into a secure platform by acting as bidirectional filters that intercept requests and validate the responses of Large Language Models. This governance system blocks the leak of sensitive data and prevents hallucinations, ensuring the necessary compliance for enterprise applications in production.

The implementation of these policies helps increase compliance on interactions with LLMs, both outbound and inbound. To delve deeper into the design of these components, you can analyze the architectural strategies to mitigate the risks of language models in the detailed article on Guardrails in Drupal AI.

During the Drupal X Business event, Luca Lusso presented in detail how these protection mechanisms work. In his talk, he highlighted how the implementation of strict rules shifts artificial intelligence from an experimental paradigm to a governable tool. The Cloud Native approach adopted in the design ensures that these controls operate efficiently, keeping latency very low to avoid negatively impacting editorial processes.

Interception and masking of sensitive data

Guardrails operate at a deep level of the architecture, preventing the leak of sensitive data before the HTTP request leaves the corporate servers. This includes blocking PII (Personally Identifiable Information), financial data, or intellectual property. The system can entirely block the request or mask the input using regular expressions or external validation services like AWS Bedrock.

A practical example illustrates the effectiveness of this approach. If an editor enters the code name of a classified product into a prompt, such as the internal project “MDX 250”, the configured Guardrail immediately intercepts the text. Or, much more simply, if a user sends their personal data or credit card number in the prompt, the system blocks or obscures them before sending them to public LLMs like those of OpenAI or Anthropic.

This preventive validation guarantees the security of the data supply chain, ensuring that the corporate infrastructure does not become a vehicle for the dispersion of trade secrets. The application of these filters happens in real time and provides immediate feedback to the user. By explaining exactly which security policy was violated, the system maintains a high level of awareness among editorial teams.

Agnostic architecture and bidirectional validation

The Guardrails system is designed with a strictly agnostic architecture, meaning it is not tied to a single vendor or a specific language model. This independence allows organizations to define centralized security policies. These rules remain valid even if you decide to migrate from one cloud provider to another, cutting down refactoring costs.

The protection offered by the module is structured on three distinct levels of intervention:

• Preventive blocking of the outbound request, which analyzes the user’s prompt and the provided context to identify violations of corporate policies before any network communication.
• Reformatting or blocking of the inbound response, which analyzes the output generated by the language model to intercept inappropriate content, offensive language, or responses that violate ethical guidelines.
• Prevention of hallucinations and maintenance of the corporate tone of voice, ensuring that the model does not invent non-existent facts or use a communication style foreign to the brand guidelines.

This bidirectional validation ensures that the CMS maintains final authority over the content. Artificial intelligence is treated as a service provider that must be constantly supervised by strict business logic.

How semantic Reranking improves RAG architectures on Drupal AI

Semantic Reranking improves RAG architectures on Drupal by introducing a second evaluation pass based on artificial intelligence. After the initial vector filtering, a specialized model reorders the retrieved documents by analyzing their actual contextual relevance, ensuring that Large Language Models receive precise information to generate responses.

The new Reranking operation type represents another area of strong contribution by SparkFabrik, essential for implementing effective Retrieval-Augmented Generation architectures. The adoption of these advanced techniques requires a new architectural approach oriented towards AI agents, where the precision of information retrieval directly determines the quality of the final output.

Development companies frequently clash with the limits of pure vector search, which often retrieves similar but not contextually relevant documents. By implementing reranking, we observed a 70% reduction in “false positives” during complex document queries and a more effective ordering of results. This deep semantic filter ensures that the language model receives only the strictly necessary context, also optimizing token consumption.

Overcoming the limits of standard vector search

A standard vector database returns results based exclusively on the mathematical distance between the coordinates of the texts in multidimensional space. Although this method is fast and useful for sifting through large volumes of data, it does not always understand the linguistic nuances or the real intent behind a complex query. The order of the documents provided as context to an LLM significantly affects the quality of the final response. In fact, models tend to give more weight to the information presented first, despite increasingly large context windows.

Re-ranking operates as a key second pass. After the vector search engine has retrieved an initial set of documents, for example, the first fifty results, a specialized model analyzes this subset. The model evaluates the actual semantic relevance of each document with respect to the specific question, assigning a new relevance score.

This process reorders the results, bringing to the top the documents that actually contain the answer, even if mathematically they were not the closest to the original query. The result is an optimized context that is then passed to the generative language model, drastically reducing the error rate.

Native integration between Vector Database and LLM

The technical flow implemented in version 1.3 involves a solid integration between an advanced search engine, such as Typesense (for which we are maintainers of the Drupal module) or a relational database with a vector extension, and the chosen AI provider. Drupal orchestrates this communication transparently. First, it queries the database to obtain the candidates, then it sends the results to the reranking service, and finally, it passes the reordered documents to the generative model.

This two-stage architecture increases the reliability of conversational systems. In internal document chatbots, employees get precise answers based on the correct corporate procedures. On e-commerce platforms, semantic searches return products that match the user’s purchase intent, significantly improving conversion rates.

By treating reranking as an agnostic operation, the infrastructure allows the use of specialized models (e.g., cross-encoders) trained specifically for the semantic reordering task. These models are architecturally different and much more precise in this phase compared to using a generative LLM. The most powerful and expensive generative LLMs can thus be reserved only for the final text generation. This separation of tasks optimizes operational costs and decreases the overall latency times of the system.

Cloud Native observability and advanced API management

Cloud Native observability in the Drupal AI module takes shape through the integration of the OpenTelemetry standard. This architecture allows tracking every single request to the language models, monitoring crucial metrics in real time such as latency, token consumption, and operational costs, treating artificial intelligence as a measurable microservice.

The implementation of artificial intelligence in production environments requires precise metrics and strict control over resources. This need explicitly connects to SparkFabrik’s engineering experience, where AI is not seen as a black box, but as a distributed component. To fully understand this architectural philosophy, it is useful to explore the fundamentals and advantages of the Cloud Native approach.

Version 1.3 of Drupal AI introduces native support for OpenTelemetry, allowing the tracking of the entire lifecycle of an autonomous agent. This level of transparency is necessary to diagnose bottlenecks and optimize performance. Having exact visibility into the costs per single AI transaction allows CTOs to justify technological investments to corporate stakeholders with irrefutable data.

Distributed tracing with OpenTelemetry

The standardized export of metrics, spans, and traces allows operations teams to analyze every single AI request with high granularity. When an editor requests the generation of a summary, the system records exactly how long the provider took to respond. It also tracks how many context tokens were sent and how many completion tokens were generated.

These data allow calculating operational costs in real time, associating the expense with specific site features or certain editorial flows. The open-standards-based approach guarantees compatibility with the most popular market tools, such as Honeycomb, Grafana, and Datadog. DevOps teams can visualize the performance of artificial intelligence on the same dashboards used to monitor the database or Kubernetes clusters.

The adoption of OpenTelemetry avoids lock-in to the proprietary monitoring tools of individual cloud vendors. Regardless of whether the infrastructure uses models hosted on AWS, Google Cloud, or local solutions, the format of the observability data remains consistent. This unified approach greatly simplifies the management of IT operations on a large scale.

Rate limiting, failover and normalized metadata

The advanced API management in version 1.3 transforms the way Drupal communicates with external providers. The system introduces rate limit thresholds and timeouts for HTTP requests that can be configured directly from the user interface. This new feature eliminates the need to write custom code to handle the limitations imposed by cloud services.

This evolution brings with it significant architectural advantages for platform stability:

• Implementation of automatic failover logic, which diverts traffic to a secondary model or an alternative provider when the primary service reaches the allowed request limit.
• Secure management of asynchronous calls, allowing AI agents to perform complex tasks in the background without blocking the main web server processes or causing timeouts for users.
• Normalization of metadata, which provides consistent information on model costs and technical capabilities regardless of the chosen provider, facilitating the switch from one vendor to another.

These protection mechanisms ensure that a spike in requests to the site’s intelligent features does not compromise the overall availability of the CMS. The platform degrades in a controlled manner, keeping critical services operational and ensuring enterprise-grade business continuity.

The automation ecosystem: from editorial workflows to AI moderation

The Drupal AI automation ecosystem optimizes editorial workflows by integrating decision-making capabilities directly into the content management interface. Through tools like Field Widget Actions and automated moderation, the system reduces the cognitive load on teams, transforming complex manual tasks into fluid and immediate processes.

These automation features make the offering of an AI software development company immediately tangible for the business. The impact translates into a return on investment based on time savings and the reduction of human errors (an estimated saving of over 20 hours per week of manual review and moderation for medium-sized editorial teams). The goal is to simplify content management by transparently integrating AI into daily operations.

User interface improvements include a new Markdown editor for drafting system prompts. This technical choice is particularly useful since language models interpret the Markdown format much more efficiently than HTML or plain text, and it is also possible to give a better structure to the prompts.

Last but not least, the Context Control Center allows you to define tone of voice, audience, policies, and specific corporate details just once, in a single environment and at one time. The various parts of the context can then be used by the different editorial teams to support their activities.

The CCC also supports the auto-completion of variables and tokens, thus allowing administrators to dynamically “inject” the data of the current user or node into the instructions sent to the model. This increases the overall precision of the context, consequently improving the quality of the LLM’s output as well.

And, tying back to observability, the CCC also has usage tracking, logging, and agent debugging features, as well as a wide range of automated tests that cover all its features—fundamental aspects for engineers.

Content moderation and Object Detection

Content moderation based on artificial intelligence introduces a level of automated control over the texts entered by users or editors. The system analyzes the content in real time and can autonomously alter the moderation state of the node. For example, if inappropriate language is detected, the state automatically changes from published to flagged, requiring the intervention of a human supervisor.

In parallel, the integration of Object Detection expands the analysis capabilities to multimedia content. Using computer vision models or deep learning algorithms, often run locally or through platforms like Hugging Face, the system recognizes specific objects within the uploaded images. This technology returns the exact coordinates of the identified elements, allowing for complex validations.

A typical use case involves blocking uploads that do not comply with corporate guidelines. The system can prevent the upload of an image if it does not detect the presence of a specific safety device in a construction site photo. Or it can reject images that contain competitors’ logos, automating a quality control process that would require hours of manual work.

Field Widget Actions for structured data

Field Widget Actions represent the deepest integration of automation within the editorial experience, bringing generative capabilities directly to individual Drupal fields. Instead of using a generic chatbot, the editor has contextual buttons that perform specific operations on the data during entry.

The technical use cases introduced (or improved) in version 1.3 cover a wide spectrum of operational needs:

• Extraction of physical addresses from unstructured text, normalizing geographical information through integrations with services like Google Places to automatically populate map fields.
• Generation of optimized SEO meta tags, creating catchy titles and relevant descriptions based on the analysis of the node’s textual content.
• Conversion of raw textual data into strictly structured JSON formats, an essential step for exposing consistent information via APIs in headless architectures.
• Automatic creation of FAQ sections starting from long documents and text-to-speech operations that transform textual articles into audio files associated with media fields.

These actions transform the CMS from a simple information container into an active assistant. By forcing language models to respect predefined data schemas, the system ensures that the generated output is immediately usable by the site’s display logic. This approach drastically reduces the need for manual cleaning and formatting interventions. Last but not least, these functions are easily usable by anyone, without particular technical skills.

Conclusion

Drupal AI 1.3 represents a major update that highlights the maturity of the ecosystem. By providing advanced tools like Guardrails for security, Reranking for semantic precision, and integration with OpenTelemetry for observability, the module offers the necessary infrastructure to operate in complex and regulated enterprise environments.

The secure integration of language models within corporate processes requires cross-functional skills that go well beyond the simple installation of a plugin. A deep understanding of CMS development, Cloud Native distributed architectures, and strict data governance practices is necessary. Only an integrated approach, guided by method and experience, guarantees that technological innovation does not compromise the security or performance of the system.

To orchestrate these technologies in a scalable and secure way, the added value lies in relying on technological partners with proven experience in open-source dynamics and in custom artificial intelligence software development. The evolution of Drupal demonstrates that the future of content management belongs to platforms capable of combining editorial flexibility with engineering rigor. Contact our experts and tell us about your challenges to discover how to implement these solutions in your architecture.

Artificial intelligence has transformed coding into a commodity: this is the inescapable truth for CTOs. And it is the central point of Dries Buytaert’s keynote at DrupalCon Chicago 2026, during the event celebrating 25 years of the Drupal open-source project. Source code is literally becoming a disposable resource. The true value of software development is rapidly shifting from mere coding to the rigorous definition of specifications and system architecture design. The result? A massive shift from manual programming to the orchestration of autonomous agents.

The observations that emerged perfectly reflect a core principle of the SparkFabrik Playbook. Ephemeral code frees up resources, but artificial intelligence does not replace software engineering; it exposes it ruthlessly. If a company has a clear vision and solid requirements, AI multiplies operational efficiency; in the absence of strategic direction, it merely amplifies errors on a large scale.

In this scenario, our Drupal development and consulting services are evolving radically, positioning us as strategic partners for the governance of digital processes and the implementation of enterprise-grade AI solutions.

Let’s explore in detail the main evolutions that emerged from the event:

• The architecture of DrupalCMS 2.1 and the new site templates that lower barriers to entry and accelerate time-to-market.
• The Context Control Centre, which allows you to configure tone, audience, and company policies just once for every AI interaction.
• The evolution of visual building with Canvas and the creation of production-ready pages via AI.
• The update of the Drupal AI module to version 1.3, featuring major innovations including the guardrails system contributed by SparkFabrik.
• The agentic-first approach and the redefined role of code in the AI era.

What are the new features introduced by DrupalCMS 2.1 for the enterprise ecosystem?

The main innovations introduced by DrupalCMS 2.1 for the enterprise ecosystem include an advanced architecture based on core 11.3, capable of reducing database queries by 50% for uncached pages. Additionally, the native marketplace is updated with 11 industry-specific site templates, specifically designed to drastically cut release times for complex corporate platforms.

The technological infrastructure presented in Chicago redefines performance expectations for large organizations. The DrupalCMS 2.1 engine does not merely update system dependencies; it rewrites the deep logic of data access. This structural optimization translates into immediate savings on cloud computational resources. Metrics show that corporate infrastructures can now handle intense traffic spikes with a fraction of the load on traditional servers, optimizing operational costs according to FinOps principles.

Alongside raw power, the engineering focus shifts to the speed of operational implementation. The new marketplace introduces 11 site templates specific to vertical sectors, from healthcare and education to financial services and public administration, available directly in the integrated marketplace.

This modular architecture radically transforms the classic conception of Drupal development. The months of work typically required for the initial setup of standard business logic and content modeling are eliminated.

For IT decision-makers, adopting this platform represents entry into a new era of content management for business. The technical advantages over legacy architectures and proprietary solutions are tangible and measurable:

• Drastic reduction in time-to-market thanks to pre-assembled configurations for specific industries.
• Optimization of the infrastructural load with a sharp drop in database queries and more aggressive caching.
• Native integration with GenAI services and solutions to streamline complex editorial workflows.
• Standardization of security best practices inherited directly from the evolution of core 11.3.
• The adoption of a fully open-source solution reduces the Total Cost of Ownership and eliminates vendor lock-in.

The impact of these innovations on IT budgets is direct and quantifiable. When engineering teams no longer have to spend tens or hundreds of hours configuring basic roles, permissions, and publishing workflows, the budget can be entirely redirected toward core system integration and advanced customization.

The role of the Context Control Centre in data governance

The Context Control Centre (CCC) is the new native subsystem designed to solve the problem of hallucinations in language models applied to the enterprise. Without this tool, every time AI is used, you start from scratch, forcing teams to re-explain the brand, correct the output, and redo the work. The CCC eliminates this inefficiency by allowing you to define tone of voice, audience, policies, and design just once.

Through the CCC, IT teams encode the corporate context via guidelines, brand voice, tone of voice, design systems, analytical data, and regulatory requirements (even in different languages). And they do it only once, directly in the CCC.

When artificial intelligence queries the CMS to create new content, the CCC ensures that the final output is perfectly aligned with corporate compliance standards. In this way, any deviation from the authorized communication perimeter is blocked at the source.

But the corporate context is not static. Products evolve, metrics fluctuate, information becomes obsolete. The CCC development team is exploring the concept of dynamic context: the ability to update the context as it evolves in time and to connect external data sources (like Google Analytics) directly to the orchestration engine.

The goal is an autonomously self-monitoring system. Imagine, for example, a sudden drop in key metrics, or pages with obsolete details that no longer reflect the current features of a product or service. With a dynamic context, the system would be able to detect these anomalies.

The direction is clear: moving from a context defined once to a context that evolves with the company itself. A CMS that doesn’t just produce brand-aligned content, but proactively flags when that content requires an update and proposes contextualized corrections. Of course, it is still in an embryonic phase, but it represents the natural frontier of AI orchestration applied to enterprise content management.

Canvas and Display Builder: how does visual creation change in Drupal development?

Visual creation in Drupal development is changing radically through the use of AI agents capable of transforming text documents into production-ready pages. Tools like Canvas (the flagship tool promoted by the AI Initiative) allow for rapid prototyping guided by artificial intelligence, while more mature solutions like Display Builder ensure the rigorous application of complex design systems on a large scale.

The latest practical demonstration of Canvas’s capabilities, in the plenary session in Chicago, shows a constant evolution of the tool, combining visual building and AI generation capabilities. A raw text document, containing only product specifications and unformatted copy, was converted into a complete web page in a matter of minutes.

This level of automation firmly positions the Drupal ecosystem at the top of AI-powered tools for accelerating the delivery of complex interfaces.

Unlike disposable prototypes created by external tools, Canvas operates natively within the CMS. Language models interpret the creator’s intent and map the content onto the visual components available in the system, keeping the permission structure, translation logic, cross-linking, and SEO metadata intact. The result is not a mockup to be rebuilt, but a production-ready page integrated into the corporate editorial workflow.

The new AI-assisted workflow transforms traditional frontend operations:

1. Loading text specifications or product briefs directly into the CMS interpretation engine.
2. Semantic analysis by AI to identify the logical structure, including headings, calls to action, and structured data.
3. Automatic generation of the visual layout by applying predefined components and Canvas typographic rules.
4. Human intervention for final accessibility validation, aesthetic refinement, and formal approval for publication.

For IT directors and product managers, understanding the integration of Canvas and native design systems becomes fundamental to evaluating the trade-off between execution speed and global visual standardization. While Canvas excels at rapidly generating new views, large enterprise architectures often require a higher level of architectural control over design tokens.

The solid alternative: Display Builder and design system integration

In contrast to the generative and prototyping-focused approach, the open-source ecosystem offers solutions specifically designed for visual governance on a global scale. During our Drupal X Business event, Michael Fanini presented Display Builder, a more mature visual builder developed to meet the most stringent needs of large omnichannel organizations.

Unlike tools focused on instantaneous speed, Display Builder offers deep and native support for complex corporate design systems (and is completely integrated with the ecosystem of modules and themes UI Suite). This feature ensures that every single component inserted into the page meticulously respects brand constraints, a non-negotiable requirement when providing development services and solutions for enterprises and institutions, such as multinational pharmaceutical companies or banking institutions.

To delve deeper into the potential of this enterprise visual architecture, we invite you to watch the full talk on our YouTube channel.

How does the Drupal AI 1.3 module guarantee corporate data security?

The Drupal AI 1.3 module guarantees corporate data security through a native Guardrails system that intercepts and filters communications with Large Language Models. This architecture applies pre- and post-processing validation rules, blocking the exposure of sensitive information and ensuring total regulatory compliance before publication.

The maturity reached by the open-source ecosystem transforms the Drupal CMS into a true enterprise-grade platform for the secure orchestration of language models. With the release of version 1.3 of the Drupal AI module, the community has established a new de facto standard for organizations seeking reliable architectures in the field of AI software development.

This release tackles head-on the main security issues plaguing CTOs in the AI space: the concrete risk of data leaks and the consequent loss of control over proprietary information, the hallucinations of probabilistic models, and the potential reputational damage of AI output not aligned with the brand.

The core of this infrastructural security is represented by the Guardrails system, a fundamental architectural component developed and contributed directly by the SparkFabrik team (discover all our contributions to Drupal AI).

As detailed in the article Guardrails AI in Drupal, we designed this protection layer to act as a bidirectional and real-time semantic firewall. Before a request is sent to external providers, the system proactively verifies the absence of personally identifiable information (PII), access credentials, or trade secrets.

Similarly, the post-processing phase analyzes the generated output to ensure compliance with current regulations, internal policies, and copyright restrictions. This architectural approach demonstrates how modern solutions must integrate robust safety nets, observable through standards like OpenTelemetry, around generative models.

Data security is no longer an optional add-on to be evaluated at the end of a project, but the indispensable foundation upon which to build any corporate automation initiative. Once the data security perimeter is locked down, companies can finally focus on the true value multiplier: the strategic orchestration of autonomous agents.

Why does the agentic-first approach redefine the role of AI software development companies?

The agentic-first approach redefines the role of development companies, transforming them from code executors to orchestrators of intelligent systems. Artificial intelligence does not replace engineers, but amplifies their architectural capabilities, allowing a single experienced professional to generate the qualitative and quantitative output of an entire team.

The practical implementation of this agentic-first model implies the integration of Artificial Intelligence as a native architectural component. The operational center of gravity is shifted from manual programming to the orchestration of AI models and agents and the configuration of automated workflows. And this requires precise technical knowledge gained from experience in real projects, Spec Driven Development practices, and rigorous data governance to ensure scalability and security.

Instead of writing individual functions, IT teams define the rules of engagement for multiple AI agents collaborating to solve complex tasks, from code refactoring to generating automated tests. This means being able to explore concrete application scenarios based on agentic AI that reduce bottlenecks in software releases, ensuring previously unimaginable operational scalability.

SparkFabrik’s vision embraces this structural transformation. Treating Artificial Intelligence as a simple external API enormously limits a platform’s potential. Conversely, designing systems where autonomous agents operate within a secure perimeter allows for the automation of entire business processes.

In our daily operational framework, we encode this transformation with an unequivocal principle: artificial intelligence does not replace you, it exposes you.

If you know what you want, it multiplies; if you don’t know, it amplifies errors.

The most glaring and documented demonstration of this augmented productivity came from the work of developer Jurgen Haas on the ECA (Event-Condition-Action) module. Assisted by advanced artificial intelligence tools, a single senior developer wrote, validated, and documented 90,000 lines of code in just six weeks.

This volume of work certifies that individual output is destined to scale dizzily, but only if you know what you want and if you start from a solid base of skills that allow you to orchestrate the work, holding the reins firmly.

To successfully implement the agentic-first approach, the architecture is based on three crucial phases:

• The design and implementation of centralized orchestration systems to robustly yet flexibly manage skills, system prompts, agent profiles, MCP protocols, and custom tools.
• The integration of guardrails and advanced security systems, rigorously applying DevSecOps practices to protect corporate data flows.
• The application of automated governance policies that validate the output of AI agents through automated testing prior to publication.

Software development companies that limit themselves to selling manual programming hours are destined for rapid obsolescence. The enterprise market exclusively rewards those who know how to govern systemic complexity and orchestrate ecosystems of intelligent agents.

Spec Driven Development and the harmony between skills and relationships

In an ecosystem driven by Artificial Intelligence, the quality of the generated output depends entirely on the precision of the initial specifications. SparkFabrik’s operational strategy is firmly based on Spec Driven Development. Language models operate exclusively within the boundaries outlined by system prompts and architectural rules. An ambiguous requirement, which in the past would have required clarification among developers, today translates into a large-scale hallucination or an application outage.

Consequently, the role of the CTO and VP of Engineering is increasingly focused on validating information architecture and data security. The value of technical management shifts from source code review to the definition of unassailable API contracts and the verification of access policies. The success of an enterprise Drupal development project is measured today by the robustness of its specifications, which act as the true source code for AI agents.

The market is clearly rewarding entities capable of bridging this gap, transforming agencies from simple labor providers into strategic consultants. Fundamental to the transition, however, is understanding that the commoditization of code is not something to be feared, but a profound change to be managed with clear strategy and governance.

AI automates execution, but strategy requires empathy and a deep understanding of the client’s business on the one hand, and training and change management internally on the other. As we openly declare in our company Playbook, technology changes at a dizzying pace, but our founding principles remain steadfast.

“What won’t change is why this company exists. Our vision has always been harmony between skills and human relations.”

The future of IT belongs to those who can balance the computational power of autonomous agents with the irreplaceable human ability to build lasting relationships of trust.

DrupalCon Chicago 2026: what are the impacts and takeaways?

What should we take away from DrupalCon Chicago 2026? The message for decision-makers is clear: the modernization of enterprise systems no longer involves the endless manual rewriting of code, but rather the agentic approach.

Contemporary Drupal development represents the true vanguard in the orchestration of autonomous agents within an intrinsically secure, scalable framework governed by clear rules. From the optimized performance of core 11.3 to the rigorous management of semantic context via the Context Control Centre, the open-source platform confirms itself as the platform of choice for large organizations that reject the vendor lock-in of proprietary models.

SparkFabrik does not limit itself to observing market trends or passively using these new generative tools. As demonstrated by the release of the Guardrails system and other contributions, we are actively committed to forging the technologies that define the new global standards for security, governance, and development. We position ourselves as the ideal strategic partner to guide companies through the treacherous complexities of application modernization and the secure adoption of artificial intelligence models.

Explore our custom AI solutions and speak with our experts for tailored architectural consulting, designed to solve the specific challenges of your organization.

Have you ever sat down at your computer one evening to book a medical appointment through your region’s portal, or to pay your municipality’s waste tax? You enter your personal details, provide sensitive information about your health or assets, and click “submit”. But have you ever wondered where that data physically ends up? Who owns the servers where it’s stored? And above all, who wrote the code that manages such delicate information?

These questions are no longer mere speculations for industry insiders, but represent the core of a fundamental debate for our future. On January 29, 2026, the city of Brussels hosted the first edition of Drupal4Gov EU. This event, organized during the Open Source Week by the European Commission’s Drupal Community of Practice and the EUIBAs, proved to be a crucial moment for defining the guidelines for tomorrow’s public services.

During the conference, an unequivocal truth emerged. Digital sovereignty is not an abstract concept or a bureaucratic whim, but a practical and urgent necessity. European governments and institutions are addressing this challenge through the strategic adoption of open technologies. In this scenario of profound transformation, open source platforms like Drupal are at the forefront, offering the necessary tools to build a secure, transparent, and truly independent public infrastructure.

What is digital sovereignty and why does it concern all of us?

Digital sovereignty is the ability of a State or institution to exercise full control over its technological infrastructure, citizens’ data, and the software used. Without this autonomy, government bodies depend on external providers, losing decision-making power over essential public services.

To understand this concept, we can use a metaphor very close to everyday life: the difference between renting and owning a home. An institution that does not control its technology is exactly like a tenant. It can use the apartment, but it doesn’t have the keys to change the lock, it can’t decide to renovate the rooms, and, even worse, the landlord might decide to drastically increase the rent or evict them with little notice. Building services for citizens on closed, proprietary platforms effectively means handing over the keys to the public house to private entities.

To ensure true independence, control must be articulated on three fundamental levels:

• Control over data: This concerns the physical location where information is saved. Citizens’ health, tax, and personal data must reside on servers subject to European regulations, protected from interference or surveillance by third-party nations.
• Control over operations: This defines who physically manages the systems day-to-day. Administrations must be guaranteed that critical infrastructures are not interrupted or altered by corporate decisions made on the other side of the world.
• Control over technology: This concerns who writes, inspects, and modifies the source code. Only by having access to the internal mechanisms of the software is it possible to verify the absence of hidden vulnerabilities and adapt the tools to the real needs of the community.

The impact of all this on citizens is direct and tangible. Privacy protection cannot exist without mathematical certainty of how data is processed. National security requires government systems to withstand technological blackmail or cyberattacks. Finally, the continuity of essential public services must be guaranteed at all times, ensuring that a hospital, a court, or a municipality can always operate without depending on the commercial fate of a single software provider.

How does open source ensure the digital sovereignty of Public Administration?

Open source ensures the digital sovereignty of Public Administration by eliminating vendor lock-in, which is the forced dependence on a single technological provider. By adopting open code, governments retain the freedom to inspect, modify, and transfer their systems without being subject to commercial constraints or external technical limitations.

The concept of vendor lock-in is one of the most serious risks for a public body. When an administration purchases closed software, whose internal mechanisms are secret, it becomes inextricably linked to the company that produces it. If that company decides to double license prices, discontinue technical support, or change product features, the entity has no alternatives. Migrating to a new system would cost too much time and money, forcing the government to accept unfavorable conditions paid with taxpayers’ money. Open code breaks this chain, restoring total freedom of choice and maneuver to institutions.

During the event in Brussels, an extremely effective analogy was used to explain this dynamic: the aqueduct analogy. A government has an absolute duty to ensure that the drinking water reaching citizens’ homes is safe, clean, and free of pathogens. To do this, it cannot merely trust the word of a private supplier; it must be able to inspect the pipes, analyze the sources, and check the filters.

The exact same principle applies to technology. A government must independently know and verify the software on which citizen services are based. If the code is secret, inspection is impossible. And it’s also a matter of responsibility: a government is also responsible for knowing which open source software projects are safe and reliable to use. And the only real way to do that is to be directly involved in how these projects are created and maintained.

This requires a profound cultural and financial paradigm shift on the part of institutions, similar to the accelerated digital transformation during the pandemic. It is no longer enough to purchase licenses as one buys stationery. As a company strongly committed to the development and promotion of the open source ecosystem, we are well aware of this dynamic.

As our CTO Paolo Mainardi precisely highlighted during the reflections arising from the conference:

“Open Source is a public good that must be supported and funded in a new, modern way: like public infrastructure”.

Free software must be treated, funded, and maintained exactly as highways, bridges, or, indeed, public aqueducts are.

Drupal4GovEU: Digital sovereignty lessons from the heart of Europe

The first edition of Drupal4GovEU demonstrated that to achieve true digital sovereignty, European institutions must stop being mere consumers of software and become active contributors. Participating in the open source ecosystem is the only way to ensure the security and continuous evolution of public services.

Our direct observations from the conference confirm an unequivocal trend. Administrations that merely download and use open code gain only a partial benefit. To truly govern technology, it is necessary to sit at the decision-making tables of communities, propose changes, and invest resources in shared development. For those who wish to delve deeper into the individual presentations, the official event playlist on YouTube is available, a valuable resource for understanding the direction of European public innovation.

The active role of governments and local artificial intelligence

The shift from passive users to active creators was the focus of Sachiko Muto’s keynote, titled “Unlocking Public Sector Contributions to Open Source”. Her speech clarified how governments must structure themselves to be effectively involved in open source projects.

Being directly involved, funding development, and allowing their internal developers to write code for open projects is the only way to fully understand how these high-public-interest projects (really) work. Only by contributing directly can institutions ensure that the software precisely meets the complex needs of the public administrative machine.

“Public institutions should take part in open-source projects not only by providing funding, but also by actively contributing to them.”

This need for control becomes even more pressing when it comes to new technologies. Josef Kruckenberg illustrated an illuminating practical case in his presentation “How AI is Supporting End Users and Editors at the Canton of Basel-Stadt”. The Canton of Basel has implemented an AI-based chatbot to help citizens handle bureaucratic procedures quickly and intuitively. The true innovation, however, lies in the system’s architecture.

To keep sensitive data secure and ensure digital sovereignty, the entire artificial intelligence model is hosted in Swiss data centers, such as those provided by Infomaniak. This approach demonstrates that it is possible to combine the most advanced technological innovation with rigorous protection of local data, without ceding information to overseas providers.

Accessibility and scalability for European citizens

Beyond security, public platforms must handle immense traffic volumes while maintaining structural consistency and accessibility. Sandro d’Orazio and Massimiliano Molinari recounted the European Commission’s successful journey in creating a centralized solution for the Europa.eu domain. Using a Drupal-based architecture, they managed to consolidate hundreds of fragmented websites into a coherent ecosystem, drastically improving security, scalability, and user experience for millions of European citizens.

But a scalable service is useless if it’s not usable by everyone. Mike Gifford’s talk addressed accessibility not as a mere technical requirement, but as a fundamental right. Gifford explained the practical impact of the Web Accessibility Directive (WAD) and the European Accessibility Act (EAA).

Building an accessible government website, which allows people with visual, motor, or cognitive disabilities to navigate without obstacles, is not just an obligation to avoid legal penalties. It is an essential civic duty. Open platforms allow communities to develop modules and themes already compliant with these directives, facilitating the work of administrations in ensuring total digital inclusion.

Why is Drupal the engine of innovation for complex institutions and highly regulated industries?

Drupal has established itself as the engine of innovation for complex institutions thanks to its flexible architecture, highest security standards, and the support of a vast global community. This open source platform allows managing enormous volumes of data while ensuring total adherence to regulations.

During the Brussels sessions, it became clear that this CMS (Content Management System) is no longer considered just one option among many, but the platform of choice for high-level government portals. A concrete example of this excellence is the official European Union portal, Europa.eu, which manages vital information for millions of citizens in dozens of different languages.

Drupal’s strength lies in its ability to model extremely complex information architectures, typical of ministries or large public agencies. Furthermore, the open nature of the code allows thousands of developers worldwide to identify and resolve potential vulnerabilities with a speed that proprietary software cannot match.

Security and regulatory compliance are non-negotiable pillars for the public sector. An architecture based on open technologies greatly facilitates adherence to stringent regulations. As we analyzed in our in-depth look at the impact of NIS2 and DORA on cybersecurity in Cloud Native, institutions must ensure proactive resilience against cyberattacks. Drupal integrates perfectly into modern cloud ecosystems, allowing the application of rigorous security policies and maintaining full control over who accesses critical information.

Our team’s direct experience confirms these potentials. At SparkFabrik, we design and develop solutions for organizations that cannot afford the slightest margin of error. We have carried out complex projects in areas where security and stability are vital, providing digital solutions for financial services. We are talking about critical platforms for clients of the caliber of London Stock Exchange and Borsa Italiana/Euronext that are based on robust architectures requiring levels of reliability comparable, if not superior, to those of governments.

Similarly, we manage large-scale modernizations in the education sector, as demonstrated by our work for La Scuola, where we implemented a secure and scalable infrastructure based on Drupal 10. These experiences demonstrate that open technologies are ready to support the most critical and challenging workloads.

Conclusion

The first edition of Drupal4GovEU has drawn a clear line for the future of European digital services. Digital sovereignty, uncompromising accessibility, and the strategic adoption of open source are no longer theoretical concepts, but the three pillars on which to build a modern, efficient, and truly citizen-centric Public Administration. We have seen how control over data and code is the only effective shield against vendor lock-in and how active participation in development communities is vital for national security.

This paradigm shift requires courage and vision. Public decision-makers, project managers, and innovation leaders within complex organizations must prioritize the adoption of open and secure technologies for their institutional portals.

But the transition to technological independence is a journey that should not be undertaken alone. SparkFabrik positions itself as a key technological partner in this transition, thanks to our proven experience in open source contribution, the development of secure Cloud Native architectures, and deep technical and strategic expertise in Drupal.

Contact us for a personalized consultation with our experts: it’s the first step to transforming regulatory challenges into extraordinary innovation opportunities.

Integrating Large Language Models (LLMs) into production environments introduces unprecedented architectural challenges for software engineering teams. Generative artificial intelligence models are inherently non-deterministic systems, meaning the same input can produce different outputs over time.

This variability exposes enterprise applications to critical risks, including hallucinations, the unintentional disclosure of sensitive data (PII), and the generation of content in direct conflict with company policies.

▶ Watch this segment in the video

To mitigate these risks, relying on accurate prompt engineering is not enough. It is necessary to implement a structural control layer that acts as an intermediary between the user, the content management system (CMS), and the language model. During the talk “Drupal X Business: Next-Gen Digital Experiences”, Luca Lusso, developer at SparkFabrik, illustrated how the Drupal ecosystem is tackling this challenge. The goal is to transform AI from a potential risk into a governable and secure asset.

In this article, we explore the practical implementation of these security barriers within the CMS, from the unique perspective of direct contributors to the guardrails system in Drupal. We will analyze how to configure validation policies, orchestrate data flows via autonomous agents, and what architectural strategies to adopt to protect the brand. For a broader view on how we are driving this transformation, we invite you to read how we shaped the future of Drupal AI in 2025 and our comprehensive overview of Drupal AI news and SparkFabrik’s vision.

Adopting a rigorous methodological approach is the only way to take artificial intelligence out of the experimental phases and integrate it into mission-critical processes. Platform Engineering teams and developers must collaborate to build pipelines where security is guaranteed by the infrastructure’s design itself.

What are AI guardrails and why do they protect the business?

AI guardrails are an architectural security infrastructure designed to intercept, validate, and filter communications between users and Large Language Models (LLMs) in real time. They operate on a security-by-design approach to ensure that the generated outputs strictly comply with company policies and privacy regulations.

These tools are not limited to being simple keyword-based filters. They represent a true intelligent middleware layer that semantically analyzes the context of conversations. When a user sends a request, the system evaluates it before it reaches the external provider, blocking manipulation attempts or out-of-context requests.

▶ Watch this segment in the video

Brand protection is the main business driver for adopting these technologies. An unconstrained language model exposes the company to enormous reputational damage, as it can generate responses that are out of line with the corporate tone of voice, or worse, offensive or discriminatory content. Furthermore, accidentally sending personal data to third-party providers constitutes a serious violation of regulations like the GDPR.

Implementing a robust validation system translates into an immediate competitive advantage. Companies that manage to govern the unpredictability of LLMs can scale the use of artificial intelligence across all business processes, from internal customer care to automated content generation. This approach transforms a potential legal and image risk into a reliable and certifiable automation tool.

Anatomy of an AI control system

A modern validation architecture typically consists of two fundamental logical elements: Checkers and Correctors. Checkers are specialized algorithms or models that analyze the payload in transit, verifying the presence of anomalies, malicious patterns, or violations of configured policies. Their sole task is to issue a verdict on data compliance.

Correctors come into play subsequently, applying the necessary mitigation actions. Depending on the severity of the violation, they can mask parts of the text, rewrite the response into a safe format, or block the transaction entirely by returning a predefined error message. This separation of responsibilities facilitates rule maintenance.

In Cloud Native architectures managed by Platform Engineering teams, these components are often deployed as independent microservices or sidecar containers within a Kubernetes cluster. This isolation ensures that validation operations, which can be computationally intensive, do not impact the performance of the main application and can scale horizontally based on the request load.

How AI guardrails work: input, output, and agents?

The operation of AI guardrails is based on continuous bidirectional control. In the input phase, they apply prompt filtering to block malicious injections or forbidden topics. In the output phase, they perform response filtering to censor hallucinations, inappropriate language, and prevent the exposure of sensitive data.

The security of an LLM-based application requires that neither direction is neglected. If you only filter the input, the model could still produce hallucinations based on past training data. If you only filter the output, you expose the infrastructure to unnecessary computational costs to process malicious prompts that should have been discarded upstream.

To better understand the dynamics of this control, it is useful to analyze the three main areas of application:

• Input filtering (Prompt Filtering): Analyzes the user’s intentions to prevent prompt injection attacks, where the user tries to overwrite the model’s system instructions. It also serves to keep the conversation confined to topics relevant to the company’s business.
• Output filtering (Response Filtering): Evaluates the response generated by the model before showing it to the user. It detects and blocks toxic language, responses inconsistent with the provided context, or information that violates corporate compliance directives.
• Sensitive data management (PII Redaction): Identifies personally identifiable information, such as email addresses, phone numbers, or tax codes, within the user’s prompt and replaces them with secure placeholders before sending them to the model.

Managing sensitive information is perhaps the most critical aspect from a regulatory standpoint. During processing, an automatic redaction system intercepts strings like “test@example.com” and converts them into anonymous tokens like “[EMAIL]”. In this way, the model processes the request without ever “seeing” the real data, ensuring total compliance with data privacy requirements.

▶ Watch this segment in the video

These security policies are not limited to chat interfaces exposed to human users. They take on even greater importance when managing automated workflows. If you want to dive deeper into how to orchestrate these complex architectures, you can read our guide on how to develop AI-powered cloud native applications, from code review to multi-agent systems.

In modern systems, autonomous agents constantly communicate with each other and with third-party APIs to perform complex tasks. In these scenarios, validation systems act as true semantic firewalls between the various nodes of the system. They ensure that an agent with database access does not inadvertently transmit the entire schema to an external model during a query generation request.

How are AI guardrails configured in Drupal?

To implement guardrails in Drupal, the Drupal AI module is used, which allows configuring validation policies via a graphical interface, orchestrating complex workflows with Flowdrop AI, and automating operations via Runner APIs. This centralized approach ensures rigorous control over autonomous agents and data flows.

The main advantage of the Drupal ecosystem is the ability to manage complex validation logic directly from the back office, without having to write custom code for every new rule. The base module provides the necessary infrastructure, while additional modules expand the types of controls available, allowing system administrators to react quickly to new threats or business requirements.

▶ Watch this segment in the video

Configuring a security policy follows a well-defined logical process, designed to integrate with the existing workflows of site builders and developers. Here are the fundamental steps to activate an operational control:

1. Creating the individual policy: Access the dedicated section in the back office and select the desired validation plugin (for example, a control based on external cloud services or a local filter).
2. Defining blocking rules: Instruct the system on specific parameters, such as configuring the “Restrict to Topic” plugin to prevent the model from generating responses regarding a direct competitor.
3. Setting the fallback message: Define the exact text the system should return to the user when the policy is breached, ensuring a controlled user experience (e.g., “I am not authorized to discuss this topic”).
4. Assigning to a Guardrail Set: Group the created policies into logical sets, specifying which rules to apply in the input phase (pre-generation) and which in the output phase (post-generation).

▶ Watch this segment in the video

In addition to configuring static rules, advanced management requires visual orchestration tools. This is where Flowdrop AI comes in, an innovative solution that allows drawing logical workflows through a node-based interface. This tool is essential for development teams that need to build pipelines where the output of one model becomes the input of another, with intermediate validation steps.

▶ Watch this segment in the video

Through Flowdrop AI, it is possible to visually map the entire data lifecycle. Validation nodes can be strategically inserted to verify that an intermediate task, such as extracting metadata from a PDF, does not contain sensitive information before being passed to the node tasked with generating a public summary.

The true potential of this architecture is expressed when AI is not limited to generating text but performs actions on the system. Drupal’s Runner APIs allow an AI agent to execute complex operations on the CMS starting from a natural language prompt. An authorized user could ask the agent to “create a new content type for Events with fields for date and location”.

▶ Watch this segment in the video

The Runner APIs translate the textual intent into structured API calls, creating the entities in the database. In this scenario, security policies become fundamental to validate the agent’s permissions and ensure that the requested operations do not compromise the integrity of the site’s information architecture, while maintaining a complete audit log of all executed actions.

Declarative management of validation policies as code

For DevOps Engineers managing infrastructure through declarative approaches, security policies can be defined and versioned as code. This approach ensures that business rules are identically replicable across all environments, from staging to production.

Instead of operating only from the interface, it is possible to structure a YAML file that defines a set of rules to mask sensitive data and block inappropriate language. Within this declarative configuration, unique identifiers and descriptions for the policy are established, then dividing the controls into two distinct phases.

In the pre-generation phase, plugins for PII redaction are activated, specifying entities such as emails, credit cards, or phone numbers to be masked with appropriate characters, along with filters for offensive language in restrictive mode.

In the post-generation phase, hallucination control is configured, setting a tolerance threshold and a fallback message in case the generated information is not present in the company documents.

This structure allows security rules to be easily integrated into Continuous Integration pipelines, validating policies before every infrastructural release.

What are the alternatives and the technological ecosystem?

Alternatives to guardrails in Drupal include managed cloud services like Amazon Bedrock, open-source frameworks like Guardrails AI and LangChain, or on-premise Small Language Models (SLMs) for maximum security of sensitive data. The choice depends on compliance requirements, budget, and team skills.

The technological ecosystem for validating language models offers diversified approaches that can be combined to create a layered defense architecture.

Managed services from major cloud providers offer the fastest adoption path. Amazon Bedrock, for example, provides pre-configured policies to filter toxic content, block specific topics, and remove PII. The main advantage of these solutions is native scalability and the reduction of operational load for internal teams, who do not have to worry about updating block dictionaries or maintaining the validation infrastructure.

For development teams needing more granular control, the open-source landscape offers powerful tools. Exploring GitHub repositories for AI guardrails reveals flexible solutions for every stack. For example, Guardrails AI (that is its actual name) is a Python framework that allows writing complex custom logic, often orchestrated via LangChain to validate autonomous agent pipelines. With these tools, a developer can implement structural controls on the output, ensuring, for instance, that the model always returns a valid JSON that respects a specific corporate schema, blocking the pipeline otherwise.

In the case of highly confidential data, sending information to a public LLM, however protected by filters, might not be acceptable. In these scenarios, the best architectural strategy involves adopting specialized Small Language Models (SLMs). These models, which are lighter and focused on specific tasks, can be run entirely within the company’s infrastructure.

Hosting an SLM on a proprietary Kubernetes cluster ensures that sensitive data never leaves the company’s network perimeter. To effectively manage this infrastructural complexity, it is essential to adopt modern provisioning practices. In this regard, we suggest exploring the benefits of Infrastructure as Code in Cloud Native development, an indispensable approach to automate and scale the deployments of on-premise AI models in a secure and reproducible way.

Choosing the correct approach depends on several factors, primarily the company’s compliance requirements, the available budget, and the skills of the team of engineers and architects. There is no one-size-fits-all solution, but rather a range of options that can be combined to create a layered defense architecture.

SparkFabrik’s contribution to the Drupal AI Initiative

SparkFabrik actively contributes to the Drupal AI Initiative by developing core components for integrating enterprise-grade artificial intelligence into the CMS. Our approach combines Platform Engineering practices with application development, ensuring Cloud Native solutions that are scalable, secure by design, and ready for complex multi-cloud environments.

As a Kubernetes Certified Service Provider (KCSP) and an active member of the Cloud Native Computing Foundation (CNCF), our vision goes beyond the simple implementation of features. We believe that AI adoption must be based on solid infrastructural foundations, where observability, software supply chain security, and the operational resilience of services are guaranteed from the earliest design phases.

Our commitment to Open Source translates into concrete contributions to Drupal’s source code, as discussed in our report on DrupalCon Vienna 2025. Developers on our team, such as Luca Lusso and Roberto Peruzzo, work daily to extend the capabilities of the AI module, introducing advanced features that respond to the real needs of the enterprise market. To discover in detail the technical innovations we have introduced, we invite you to read the article on how we shaped the future of Drupal AI in 2025.

▶ Watch this segment in the video

Our architectural vision considers the CMS no longer as an isolated monolith, but as an intelligent hub within a distributed ecosystem. When we implement reranking features to improve vector searches, or develop orchestration systems for autonomous agents, we do so thinking about how these processes will behave under stress in a containerized production environment.

This holistic approach allows us to support companies in creating Internal Developer Platforms (IDPs) where artificial intelligence is integrated natively and securely. The ultimate goal is not just to provide a smarter CMS, but to equip IT teams with governable tools that accelerate time-to-market without ever compromising the stability and security of the corporate infrastructure.

Conclusions and next steps

Implementing AI guardrails represents a crucial juncture for the technological evolution of digital platforms. These security barriers should not be interpreted as a brake on innovation, but rather as the technical and architectural prerequisite that makes artificial intelligence effectively usable in mission-critical and highly regulated contexts.

The future roadmap for the Drupal ecosystem envisions even more advanced developments. The next steps will focus on the automated and intelligent generation of entire pages, based on complex and contextualized prompts. Furthermore, context management will become increasingly sophisticated, allowing autonomous agents to fully understand brand guidelines and the semantic structure of the site before proposing or executing any content modifications.

For Tech Leads, DevOps Engineers, and CTOs, the time to act is now. Integrating AI into your business processes requires careful architectural planning and specific skills in Platform Engineering.

Discover how SparkFabrik can help you implement enterprise-grade AI guardrails in your Drupal. Contact our team of certified architects for a personalized consultation.

Fonte video

Questo articolo è basato sul video “Guardrails e altre novità dal mondo Drupal AI”.

In a landscape where Kubernetes has become the de facto standard for container orchestration, the choice of cloud provider directly impacts how your workloads are executed and managed. In this guide, we analyze the technical aspects that truly matter when discussing Kubernetes cloud providers, from infrastructure integration to a head-to-head comparison of GKE, EKS, and AKS.

How Kubernetes Integrates with Cloud Infrastructure

When it comes to choosing a cloud provider for Kubernetes, it is essential to understand that the provider is not simply “the place where you install the cluster.” It is a deep, bidirectional integration between Kubernetes and the underlying infrastructure, allowing the cluster to natively leverage services such as load balancers, persistent storage, virtual nodes, and cloud-native networking. The key component is the Cloud Controller Manager (CCM), which acts as a bridge between the Kubernetes API and the provider’s APIs. It translates, for example, a Service LoadBalancer into a concrete cloud resource (e.g., AWS ELB, Azure LB, GCP CLB).

Historically, integrations were in-tree: cloud-specific code included in the Kubernetes core. This approach created maintenance issues, feature delays, and integration barriers for new providers. Since 2017, Kubernetes has moved toward an out-of-tree model (the current standard): the CCM is an external component, maintained by the provider or the community, and deployed separately.

With Kubernetes v1.31 (2024), the old in-tree implementation code was completely removed, and today the –cloud-provider=external parameter is mandatory for any provider (except for bare metal/on-prem clusters or those without cloud integrations).

The main advantages of the out-of-tree approach are:

• CCM updates independent of the Kubernetes release cycle
• Faster innovation (new services, quick fixes)
• A lighter, vendor-agnostic core
• A lower perception of platform lock-in

In parallel with this Cloud Controller Manager evolution, Kubernetes has standardized other critical interfaces to further separate the core from vendor-specific implementations:

• CSI (Container Storage Interface): external storage drivers (replacing the old in-tree plugins)
• CNI (Container Network Interface): networking plugins (e.g., Amazon VPC CNI, Azure CNI, Cilium)

In summary: before comparing GKE, EKS, and AKS, it makes sense to understand how much each provider invests in the quality of these integrations.

Therefore, it is important when evaluating a cloud provider for a production-grade Kubernetes workload to look beyond the high-level “managed” features. You need to verify the maturity and update frequency of their Cloud Controller Manager, the quality and performance of the CSI driver, and the efficiency of the CNI implementation. These are the building blocks that determine how smoothly Kubernetes “perceives” and leverages the underlying infrastructure, directly affecting reliability, costs, and scaling capabilities.

Before moving on, we recommend a resource if you are evaluating how to introduce K8s in your organization in a structured way. In our Guide to Kubernetes Adoption you can explore requirements, roadmaps, and mistakes to avoid: download the free ebook and use the checklist to plan your adoption journey.

Architectures Compared: Control Plane and Node Management

Now that we have clarified how Kubernetes communicates with the cloud, the next step is to understand “who does what” between you and the provider in cluster management. When choosing a cloud provider for Kubernetes, the control plane architecture and worker node management determine the level of abstraction, operational overhead, and flexibility. Here is a direct comparison among the major hyperscalers: GKE (Google), EKS (AWS), and AKS (Azure).

Control Plane: Level of Abstraction

• GKE Autopilot: Fully managed and abstracted. Google entirely controls the control plane and nodes. No visibility or direct management of underlying nodes. Ideal for workload focus (extended SLA on control plane + compute).
• GKE Standard: Control plane managed by Google (multi-zone HA), but worker nodes managed by the customer (provisioning, manual scaling or with autoscaler).
• EKS: Control plane always managed by AWS (multi-AZ, self-healing, endpoint via NLB). Native high availability, but no fully “serverless” mode for nodes (options: managed node groups, self-managed, Fargate, EKS Auto Mode for advanced automation).
• AKS: Control plane managed by Azure (free, HA). From 2025, AKS Automatic introduces a fully-managed mode similar to Autopilot, with dynamic autoscaling via Karpenter-like and automatic patching.

The result of this comparison highlights how Autopilot / AKS Automatic drastically reduce operational toil, but limit the level of possible customization. EKS and GKE Standard offer more control, at the cost of greater management overhead.

Worker Node Lifecycle Management

This is a topic that deeply resonates with operations teams: how much manual work is required to keep the node fleet healthy? Let’s compare.

Node Customization Options

Let’s continue the comparison by analyzing the level of node customization offered by each provider.

• GKE Autopilot: Very limited customization. Direct choice of instance type, OS, or custom GPU is not possible (requested via pod spec, Google optimizes). Supports specialized chips (GPU/TPU) on request.
• GKE Standard: High customization: custom VM types (n2, c3, tau), OS (Container-Optimized OS), taints/labels, preemptible/spot, custom machine types.
• EKS: Very high customization. Granular control through EC2 instance types, custom AMIs (Bottlerocket, AL2), Launch Templates, spot instances, GPU/ARM, Fargate for serverless approaches.
• AKS: High customization: VM sizes (Standard_D, Fsv2, etc.), Azure Linux/Windows, spot/low-priority, custom images, GPU/InfiniBand.

In practice, the higher the abstraction level (Autopilot/AKS Automatic), the more operational responsibility you offload to the provider, giving up some fine-tuning levers for optimization. The “sweet spot” depends on how much you want to standardize and how much you are willing to invest in internal management.

READ ALSO

• Kubernetes architecture: a guide to the main components
• Kubernetes operators: what they are and examples

Networking Integration: Service, Ingress, and CNI Compared

Once you have chosen the control plane and node model, the next topic is how traffic enters, exits (Service, Ingress) and moves within the cluster (CNI). Networking integration is another fundamental element when choosing a Kubernetes cloud provider: it impacts latency, costs, scalability, and IP management.

To compare GKE, EKS, and AKS, it makes sense to look at three distinct but interconnected layers:

1. How you expose Services (LoadBalancer)
2. How you manage HTTP/HTTPS routing (Ingress)
3. Which CNI governs internal traffic between pods

1. LoadBalancer Service Implementation

The Service controller (part of the external CCM) creates a cloud load balancer when a Service type: LoadBalancer is defined. The question here is: what type of LB do you get “out of the box” and what are the implications for performance and costs?

• GKE: Uses a Passthrough Network Load Balancer (external/internal) operating at Layer 4 (TCP/UDP). The “passthrough” aspect is important because it preserves the original request IP address. It also supports subsetting, a feature that optimizes backend speed and scalability (it optimizes load distribution by sending traffic only to nodes that actually have active pods for that service, avoiding unnecessary sends to “empty” nodes).
• EKS: Here, the AWS Load Balancer Controller acts as the default controller for LoadBalancer-type services and, when such a service is created, automatically provisions a Network Load Balancer (NLB) (Layer 4, high throughput, static IPs, UDP/TCP). ALB for Ingress (Layer 7) and other load balancers are also supported (Gateway LB, and the now-legacy Classic LB).
• AKS: Creates an Azure Standard Load Balancer by default (Layer 4) to handle both public and private traffic. It also automatically manages outbound cluster traffic (outbound type LoadBalancer for egress). A dedicated annotation allows creating an internal LB. An important feature is backend flexibility. The backend pool (the set of traffic recipients) can be configured with nodeIP (sending to nodes hosting the Pods) or podIP (sending directly to individual Pods, eliminating intermediate network hops in Azure and maximizing performance).

GKE and EKS prioritize passthrough/performance while AKS offers simpler integration with Azure networking (NSG, outbound rules). In general, NLB/ALB on AWS tend to be more expensive for L7 traffic compared to Azure, which however offers a more limited overall feature set. If your workloads are heavily externally exposed or handle high traffic volumes, this mix of LB type, features, and pricing becomes an important selection criterion.

2. Recommended or Integrated Ingress Solutions

Ingress manages HTTP/HTTPS routing (Layer 7). Here, not only load balancing and request routing come into play, but also security topics such as SSL/TLS certificates, WAF firewalls, and integration with the provider’s security and observability services.

• GKE: The default Ingress controller creates a Google Cloud Application Load Balancer (classic or internal) to manage traffic. It supports container-native LBs via NEGs (communicating directly with individual containers without intermediate hops to maximize speed). GKE was the first to natively support the new Gateway API for even more precise traffic management (advanced routing and easy multi-cluster traffic management). It is a recommended solution for global HTTP workloads.
• EKS: The AWS Load Balancer Controller creates an Application Load Balancer (ALB) for Ingress. It manages traffic based on address or path (path/host routing). The main advantage is the deep, turnkey integration with AWS services: it uses WAF for security, ACM TLS for SSL certificates, and CloudWatch for logs. Alternative: NGINX/Traefik, but ALB is native and the preferred option for AWS service integration.
• AKS: Offers the Application routing add-on, which is the recommended method because it is simple and integrated. For advanced security needs, it also offers the Application Gateway Ingress Controller (AGIC) for Azure Application Gateway (which includes WAF, SSL offload, path-based routing). Gateway API is supported.

The components natively provided by providers (ALB, App Gateway, Google ALB) reduce management overhead and offer security features (WAF), while open-source controllers (NGINX) focus on offering fewer features but greater management simplicity. The choice, therefore, is between deeper integration with the cloud ecosystem (managed LBs) and greater portability/operational simplicity (open-source Ingress controllers). It is also worth noting that many Ingress solutions are evolving into the Kubernetes Gateway API, which offers even more control than classic Ingress.

3. Default CNI Plugins and Implications

The CNI manages pod networking, IP allocation, and policies. Unlike Service and Ingress, which deal with traffic “toward” the cluster, here we focus on internal traffic between pods, IP address assignment to Pods, and the rules for them to communicate with each other.

For networking, it is worth choosing a native CNI for simplicity/integration and an alternative (Cilium) for advanced observability, pure eBPF, and multi-cloud. This choice directly affects IP scalability, operational complexity, and internal traffic visibility: three variables to balance based on the type of workloads you need to manage and the level of control you want to maintain over the data plane.

Persistent Storage: CSI Driver Analysis and Performance

Networking aside, the real litmus test for many Kubernetes clusters comes when databases, queues, and stateful components enter the picture. Persistent storage is a critical pillar when choosing a cloud provider for Kubernetes: it influences latency, throughput, and IOPS (speed), costs, and reliability for services such as databases, stateful apps, and AI/ML workloads.

All major providers use mature CSI (Container Storage Interface) drivers for dynamic provisioning of block volumes for a single pod (ReadWriteOnce) and shared file systems across multiple pods (ReadWriteMany), completely replacing the old in-tree plugins.

The CSI driver allows automatic creation of PersistentVolumes from a PersistentVolumeClaim (PVC), managing attach/detach, expansion, snapshots, and reclaim. In other words, the CSI driver automates the disk lifecycle: when an app requests space (via a PVC), the driver creates, attaches, and manages the volume without manual intervention, and also supports resizing and backup functions. To choose disk speed, you simply select a StorageClass. Each provider offers predefined or custom StorageClasses across different performance tiers, suited to different use cases.

Below is a direct comparison table of block (disk) and file options, with major tiers, indicative performance, and typical use cases.

Here, the selection criterion is not just “who offers more IOPS,” but also how your real workloads map to the different tiers: OLTP databases, log management, AI/ML – each has very different access patterns that can reveal significant advantages of one provider over another.

READ ALSO

• Choosing a cloud provider: comparing AWS, Azure, GCP, and Alibaba

Beyond Orchestration: Cloud-Native Services and Added Value

So far, we have focused on “core Kubernetes”: control plane, nodes, networking, storage. But in day-to-day practice, much of the value of a Kubernetes cloud provider comes from the services surrounding it. Beyond Kubernetes cluster management, a cloud provider’s true added value emerges from native integration with the managed services in its ecosystem, which reduce operational complexity and accelerate the adoption of enterprise best practices. Each hyperscaler enriches Kubernetes with an entire integrated ecosystem across three key areas:

• Identity and Security: Integration with identity systems enables federated workload identities and least-privilege access without static keys. These are cornerstone concepts of modern security: instead of “injecting” secrets and passwords into pods, the pod itself becomes a cloud IAM identity and, through its identity, can access other resources (databases, buckets, etc.) without additional credentials. Each hyperscaler offers its own system: AWS IRSA (IAM Roles for Service Accounts), Azure Workload Identity with Microsoft Entra ID, Google Workload Identity Federation with Google IAM. This eliminates the risk of credential leakage and simplifies cross-service RBAC permissions.
• Observability: Native logging and monitoring are ready to use and significantly reduce setup effort. Amazon CloudWatch Container Insights collects metrics, logs, and traces from pods and nodes; Azure Monitor with Container Insights offers Kube-state, Prometheus scraping, and Log Analytics; Google Cloud Operations Suite (formerly Stackdriver) provides structured logging, Prometheus metrics, and distributed tracing with native OpenTelemetry. All support centralized alerting and ready-to-use dashboards. In short, each supports monitoring optimized for its own ecosystem, with pre-configured dashboards and alerts, without needing to install external systems.
• Service Mesh & Advanced Networking: To manage internal (east-west) traffic securely and observably, providers offer managed or plug-and-play solutions: Google Anthos Service Mesh (Istio-based, with integrated policy and telemetry), AWS App Mesh (serverless-friendly, with X-Ray tracing), Azure Service Mesh (Istio-based in the AKS add-on). These reduce the need to manage Istio/Linkerd from scratch (which is complex), providing automatic inter-service encryption (mTLS), facilitating gradual releases (canary rollouts), and offering out-of-the-box observability.

From a design perspective, these services often carry as much weight (if not more) as the pure Kubernetes differences: choosing a provider also means choosing its ecosystem “around the cluster.”

READ ALSO

• 3 mistakes to avoid when adopting Kubernetes
• Containers and Kubernetes: 3 companies using them successfully

Decision Framework: Choosing a Provider by Cost, Scenarios, and Alternatives

At this point, the picture is clear but complex: each provider has areas of excellence and trade-offs. To navigate this, you need to connect technical characteristics to concrete scenarios. The choice of a Kubernetes cloud provider depends on clear priorities and several important factors: time-to-market, operational control, ecosystem integration, total costs, and potentially regulatory constraints.

• Google Kubernetes Engine (GKE): Best for hybrid/multicloud ecosystems, AI/ML, and global workloads. Excels in simplicity (especially Autopilot), performant networking (Dataplane V2), flexible storage (Hyperdisk), and Anthos for hybrid/on-prem. Ideal when rapid time-to-market and Google innovation (TPU, BigQuery federation) are needed.
• Amazon EKS: Best for maximum configurability and deep AWS integration, creating synergy with other AWS services and reducing operational overhead when you are in the Amazon ecosystem. Wins on complex enterprise workloads, intensive use of EC2 spot, Fargate serverless, App Mesh, and IRSA. The natural choice if your organization is already heavy-AWS. A free tier for the control plane has been introduced for small clusters under 50 nodes, an attractive option for small businesses.
• Azure Kubernetes Service (AKS): Best for Microsoft-centric enterprises and competitive storage/networking costs. Strong on Entra ID integration, Azure Monitor, Application Gateway, and .NET workloads and beyond. Great for those seeking a balance between simplicity and control. Often an economically viable option for generalist workloads under 100 nodes thanks to the free control plane and competitive networking/storage costs.

Cost Models (Beyond the Per-Node Price)

• Control plane: Free on AKS in the free tier, but variable cluster management costs in higher tiers and other SKUs. GKE/EKS ~$73/month (typically an hourly fee per cluster). From 2026, EKS has also introduced a free tier for small clusters (under 50 nodes).
• Egress: Often the dominant cost item, depending on region and tier. AWS is more expensive (~$0.09/GB), Azure/Google are similar.
• Load Balancer: Costs per LB instance; on AWS, NLB/ALB cumulative costs are high – with many microservices using individual load balancers, costs explode (“NLB proliferation”). On Azure/Google, costs are more predictable; a single IP address is often used for multiple services, consolidating costs.
• Storage: AWS EBS gp3 is the benchmark for price/performance ratio, being economical compared to competitors especially for small but fast disks because it allows configuring IOPS and throughput independently of disk size. Google Persistent Disk and Azure Managed Disk are similar, but separate IOPS “weigh” more economically because they are often tied to disk size.

Under these aspects, AKS wins on multiple clusters, EKS has a licensing model that can lead to cost explosion on LB/egress, and GKE Autopilot greatly simplifies management but costs more.

Viable Alternatives

• DigitalOcean Kubernetes: Suitable for startups and limited budgets: simple pricing, free control plane, one of the simplest interfaces on the market. A solid alternative for those who want to run apps without a degree in AWS networking.
• OVHcloud: EU data sovereignty, full GDPR compliance, protection from extra-EU regulations. A major advantage: zero egress costs (outbound data traffic) for most cases in Europe.
• Others (Linode, Scaleway, Hetzner) for low-cost scenarios and EU presence (bare metal, low-power ARM instances).

Ultimately, there is no “best Kubernetes cloud provider” in absolute terms: there is the provider best suited to your technical context, your cost constraints, and your product roadmaps. The choice involves a combined reading of cluster architecture, infrastructure integration, managed services, and pricing models.

If you want to evaluate in a structured way which direction to take – or how to design a portable Kubernetes architecture across multiple clouds – SparkFabrik can support you from the analysis phase through to production, helping you transform these technical variables into solid strategic decisions. Take a look at our Kubernetes Consultancy service and contact us.

Over the last few months, AI-powered software development has moved from early curiosity experiments to a daily practice for many teams. Tools like Copilot and other LLMs for developers let you generate code from increasingly rich prompts, but as projects grow, the clear limits of plain vibe-coding start to show. This is where Spec Driven Development (SDD) comes in: a paradigm that tries to bring order to the way you use artificial intelligence to write software.

Why isn’t vibe-coding enough anymore?

Let’s look at a typical scenario. You write a prompt for your AI assistant:

“Implement a React registration form with real-time validation for email and password, error handling, a POST request to /api/register, a modern Tailwind style, state management via Zustand, and HTTP calls with Axios.”

In a matter of seconds the LLM generates a complete component. It looks well-structured, has validations, visual feedback, even a small success toast. You integrate it, test the happy path, everything works. Commit and deploy. Then reality comes knocking, and the quality team flags an endless list of issues.

This is an example of AI-driven software development based entirely on gut-feel prompts (in other words, vibe-coding). The concrete limits of vibe-coding become obvious pretty quickly:

• Imprecision and semantic ambiguity. Generic expressions are interpreted differently with every generation.
• Lack of reproducibility. The same prompt, run multiple times, produces semantically different implementations.
• Complex maintenance and refactoring, because there’s no consistent standard for how the code is generated.
• Latent security and performance risks, for instance: client-side-only validation, unsafe parsing of untrusted inputs, and issues that go unnoticed during generation but become costly when the product scales.

In short, vibe-coding has played (and still plays) an important role: it accelerated prototyping, lowered the barrier to entry, and helped many teams discover the real potential of AI coding agents and AI at the service of developers. But it’s no longer sufficient when it comes to software that needs to operate in enterprise contexts.

To go beyond gut-feel prompt engineering, you need a shift in paradigm. The perspective has to change: from code driven by intuition and appearance, to code driven by explicit, verifiable, and shared specifications. That’s exactly where Spec Driven Development fits in.

Spec driven development: setting the rules of the game for AI

Spec Driven Development (SDD) means treating specifications as the central and most important element of a project (the true source of truth) rather than the generated code. But this isn’t about classic specs written in Word, PDFs, or Confluence pages that go stale the moment a release ships.

We’re talking about executable specifications, built for AI-powered software development, written in a language understandable by both humans and machines, that describe the system’s purpose, usage scenarios, and constraints in a precise and unambiguous way.

If you’re familiar with Test Driven Development (TDD) and/or Behavior Driven Development (BDD), here’s how the analogy works. Think of SDD as TDD taken to the next level and made collaborative with AI:

• TDD: you write the test first, then the minimum code needed to make it pass.
• BDD: you specify the expected behaviour in structured natural language.
• SDD: does the same thing, but pushes the format even further toward the machine, making the specification the primary artefact from which everything else is derived.

In other words, the developer’s intent (your intent) becomes the real “spec” that governs the LLM.

The operational phases: from idea to guided implementation

To understand how this approach changes the way you work, it helps to map out the typical workflow of a developer adopting Spec Driven Development. The phases below give you a useful mental model.

Specify

In the specification phase, the developer describes the expected behaviour of the system in structured natural language: the user journey step by step, business goals, the main use cases alongside relevant edge cases, and all non-negotiable validation rules or constraints.

Your work here is primarily one of analysis and intent formalisation, not code writing.

Starting from this narrative, the AI generates a formal, detailed specification: JSON schemas for requests and responses, validation rules with concrete examples, expected and failure cases in Given-When-Then format, business invariants, and mocks for any external services.

Importantly, this is not a one-shot activity. It’s not simply a matter of the developer defining things upfront and the AI then refining and structuring them. Rather, it’s an iterative process in which the developer works alongside the AI, defining the specifications: the what and the why of the project.

Equally important, specifications must be maintained over time so they don’t become stale as the actual implementation progresses and the project naturally evolves.

Plan

In the planning phase, the developer defines the non-negotiable technical constraints: the technology stack, preferred architecture, libraries to use for validation, state management, HTTP calls and testing, plus any performance or bundle size limits.

The AI then produces a complete and realistic technical plan, covering the folder structure, the main components with their respective responsibilities, the data flow, the chosen libraries and the reasoning behind them, the error and loading state management strategy, and the mocks needed for testing.

At this stage, prompting becomes genuine prompt engineering: you’re no longer asking “do X for me”, but guiding an AI agent with clear, verifiable constraints.

Breakdown / Tasks

In the task breakdown phase, the AI takes the approved plan and splits it into atomic, ordered, and independent tasks. Each task is designed to be small, independently testable, and tied to clear acceptance criteria, often linked directly to one or more examples from the specification.

This step makes the work feel much closer to a classic agile backlog, but one generated and kept consistent with the spec.

Implement

Finally, there’s the implementation phase. The AI generates code one task at a time, always respecting the agreed specification and plan. The developer reads and validates small, targeted code chunks: checking that the code handles both typical cases and the expected edge cases, running local tests or previewing the result, and either approving the output or requesting targeted corrections. The cycle is fast, usually 5 to 15 minutes per task.

This way, the LLM becomes a collaborator you’re in control of, not a generator of monolithic blocks that are hard to understand.

At this point you have a complete flow: from specification to implementation, with the AI following clear rules instead of improvising. The next step is choosing the right tools to support this way of working.

Essential tools: from Spec Kit to emerging alternatives

GitHub Spec Kit remains the open source reference point. It’s a modular toolkit that lets you write specifications in structured markdown (with JSON schemas, Given-When-Then examples, and invariants), validate them automatically, and generate code via contextualised prompts to any LLM.

Its strength lies in its simplicity, transparency, and the fact that it doesn’t lock you into a single provider: you can use it with Claude, GPT, Gemini, or local models. It’s the ideal starting point for teams that want to experiment with SDD without vendor lock-in.

OpenSpec is an open source framework for SDD with coding agents. What makes it stand out is how well it suits brownfield contexts with legacy code. Rather than high-level requirements, its strength is defining operational requirements for individual agents, starting from the context of an existing codebase and feeding it a single issue.

It’s easy to get started with: just run openspec init to integrate it into a codebase, and it installs only three commands: proposal (proposes a new change), apply (implements it), archive (archives it and updates the specs). One interesting aspect is how it keeps current specifications (the “source of truth”) separate from proposed changes, in two distinct folders that are reconciled when changes are archived.

This keeps diffs manageable and tracked at all times, a key requirement in many contexts. It’s also very lightweight, using only markdown files, and supports all the major coding assistants you’re probably already using (Claude Code, GitHub Copilot, OpenCode, Cursor, Windsurf…).

There are also numerous other, more niche SDD frameworks with specific capabilities. One example is Spec-Kitty, designed for those who want high orchestration capabilities (parallel execution of multiple agents without conflicts) combined with full visibility into what’s actually happening and what each agent is working on. Its most distinctive feature is a visual dashboard that automatically tracks all progress, letting you view planned, in-progress, under review, and completed tasks in a kanban-style board, as well as see which agents are working on which task.

In the video “So you think you know Copilot?”, we also go into a practical deep dive showing the interaction with the AI agent, highlighting how a well-executed Spec Driven Development approach changes the way you use tools like GitHub Copilot.

For those looking for a more integrated experience than classic Copilot, the most interesting alternatives are Kiro and Tessl. Kiro focuses on a collaborative workflow with “constitutions” (style and architecture rules enforced at the project level) and automatic checklists for every generation. It’s particularly useful in large teams where consistency is critical.

Tessl, on the other hand, represents the most radical approach: it’s the first true spec-as-source tool. The specification is the only modifiable artefact, code is regenerated from scratch with every change, and the project’s history lives almost entirely in the spec itself. It’s the choice for those who want to push to the maximum the idea that code is a derived output, not the source of truth.

If you want to see how AI can also support the DevOps and delivery side, you can explore the topic further in this article onAI, DevOps and Platform Engineering.

From executor to orchestra conductor: the developer’s new role

SDD doesn’t reduce the developer to a simple “reviewer of AI-generated code”. On the contrary, it elevates them to a strategic, high-value role: from someone who wrote every line, to someone who defines, orchestrates, and guarantees the quality of the entire system.

In the traditional model, the developer was often an executor of requirements, translating technical details and business logic into code once those had been partially formalised. With Spec Driven Development, the focus shifts decisively upward:

• Formalising intent and constraints with surgical precision
• Designing sustainable and scalable architectures
• Choosing the right tools and patterns within the context of the real product
• Validating that generated code meets both functional and non-functional requirements
• Reasoning about complex trade-offs that no AI can decide on its own

In practice, you write far less boilerplate code, but invest significantly more in critical thinking, system design, clear communication of requirements, and deep validation skills. These are rare competencies, difficult to automate, and increasingly in demand on the market.

At SparkFabrik, we see this shift as a tremendous opportunity. Our mission isn’t to replace development teams with artificial intelligence, but to help your team evolve toward roles of greater impact and value.

Concrete benefits: when to adopt a spec-driven approach

Spec Driven Development comes with several concrete advantages:

• Higher-quality code with fewer bugs
• Implementations that are more faithful to actual requirements
• Much simpler maintenance, thanks to clear specifications that serve as living, always up-to-date documentation
• Real alignment between business and development, through explicit expression of intent before generation
• Faster throughput and a drastic reduction of AI-introduced errors, thanks to systematic validation and Human-in-the-Loop

Of course, not every context benefits equally. SDD delivers its maximum value in three main scenarios.

Greenfield Projects

Greenfield refers to projects started from scratch, with no legacy constraints, pre-existing architectures, or accumulated technical debt. In this context, Spec Driven Development reaches its full potential: specifications become the true origin point of the system and guide the entire process from the very first commit.

The architecture is born already aligned to functional and non-functional requirements, technical decisions are traceable and motivated, and the risk of divergence between project vision and concrete implementation is drastically reduced.

Specifications are not just initial documentation: they become a structural backbone that reduces surprises, prevents evolutionary inconsistencies, and limits the build-up of early technical debt, creating solid foundations for the system’s future scalability.

Brownfield Projects

Brownfield refers to contexts where you’re working on existing systems: legacy platforms, architectures layered over time, complex ecosystems already in production. In these scenarios, Spec Driven Development isn’t about “building from scratch”, but about making explicit what is often only implicit: architectural constraints, dependencies, integration contracts, emergent behaviours, and structural limits of the system.

Specifications become a tool for formalising the real context, precisely defining touch points, compatibility rules, and functional boundaries. This enables the AI to generate code that is truly contextualised, reducing the risk of regressions, integration errors, and systemic inconsistencies.

The result is increased evolutionary throughput, greater confidence in releases, and a tangible simplification of long-term maintenance, even in highly complex software ecosystems.

Legacy Evolution

In this case, SDD makes the transition gradual and controlled: the desired behaviours of the new code are described first, reverse engineering is tackled in a structured way, specifications are redefined or updated, and obsolete portions are replaced. This way you can reduce regressions, manual overhead, and the risk of breakage, while requiring an initial investment to contextualise the existing system.

The challenges of spec driven development: how to avoid common pitfalls

Like any emerging paradigm, Spec Driven Development brings real benefits but also concrete risks. Here are the most common traps to watch out for.

Verschlimmbesserung: making things worse in an attempt to make them better

Elaborate workflows with dozens of markdown files, checklists, and constitutions can create overhead that outweighs the benefit, turning a small fix into a heavy bureaucratic process. Or worse, the attempt to improve can end up making the initial situation worse (literally “worsening-improvement”).

Overly verbose specifications

AI-generated specs tend to be redundant, repetitive, and tedious to review. Instead of providing clarity, they increase cognitive load: more text to read than code to write.

It’s important to avoid treating SDD as the exhaustive but “hollow” writing of requirements that nobody reads, as a form of bureaucracy creation, or as “waterfall planning”: a sterile exercise in extensive upfront planning that tries to account for every eventuality and the entire future of development.

Instead, Spec Driven Development is about making technical decisions explicit and reviewable, as well as easy to understand (not just for machines, but especially for people) and straightforward to evolve.

Wrong level of detail

Too vague, and the AI misunderstands and generates incorrect code. Too rigid, and the process becomes inflexible, impossible to adapt to rapid changes or brownfield contexts. Finding the right balance takes practice and iteration.

False sense of control

Even with detailed specs, checklists, and large context windows, AI often ignores instructions, duplicates existing code, or over-applies rules. Non-determinism persists: the same spec can produce different output on every regeneration.

This is the central challenge of the new programming paradigm, no longer deterministic, but tied to probabilistic AI tools. This paradigm shift is explored in depth in the talk by Enrico Zimuel at our GenAI x Business event.

Amnesia

In complex codebases or particularly long working sessions, agents can lose track of part of the context: implicit relationships between components, decisions already made, or changes previously applied. Without a continuous anchor to the specifications, this can lead to inconsistencies, duplications, or unintentional regressions.

General limits of SDD

For trivial fixes, the overhead is disproportionate; for very complex or ambiguous features it often isn’t enough; and introducing it on legacy codebases requires a high initial investment. Moreover, if the specification isn’t kept up to date it becomes a more dangerous source of confusion than the code itself, repeating the historical mistakes of model-driven development: rigidity combined with unpredictability.

Being aware of these limits lets you apply Spec Driven Development where it actually makes sense, and avoid turning it into a new dogma.

The future of development: spec-driven development, spec-as-source, always-on agents

Spec Driven Development represents a new frontier of AI-driven development, a direction in which many teams are experimenting with different approaches. Within this context, an even more radical evolution is taking shape: spec-as-source development.

Under this approach, the specification becomes the only stable and modifiable artefact. When requirements change, the tech stack shifts, or a better LLM model comes along, you update only the spec → the plan, tasks, and code are regenerated accordingly, automatically. The project’s history lives in the spec itself, including the “commit history”. Code loses its central role: it becomes a derived output, temporary and regenerable.

Tools like Tessl are already pushing in this direction, though they are still very experimental (currently limited to a one-to-one spec-to-code relationship), while Agent Skills (originally from Claude and now open source, donated to the Agentic AI Foundation) point to a parallel trend: autonomous agents executing complex tasks under guardrails defined by specifications. One example is Superpowers by Obra on GitHub for development tasks, while Skills.sh brings together thousands of Skills covering the widest range of areas, from frontend design to brainstorming to copywriting.

This paradigm profoundly changes the developer’s role. An inexperienced person stays in vibe-coding mode, relying on generic prompts (and getting generic results). A senior developer, on the other hand, unlocks explosive potential: providing precise specifications, rigorous guardrails, and solid architecture, transforming AI from a random generator into a reliable and tireless executor.

SDD in the context of AI is still young, with nuances still evolving and best practices still being discovered. The direction, however, is clear: it won’t be “here’s my prompt, run it, I’ll wait” anymore, but “here are the tasks, the rules, and the direction, keep working”.

Looking further ahead, we’ll see a “workforce shift”, with machines and agents operating 24/7 while humans supervise, define intent, specifications, architecture, and other high-value aspects. Writing code will become less central; writing clear, verifiable, and durable specifications will become a core skill for the modern developer.

Launching a multilingual website is a strategic decision that opens doors to new markets, increases user trust, and strengthens your brand’s identity globally. At the same time, managing a multilingual digital ecosystem has always been a balancing act.

Anyone who has managed an enterprise platform knows that the challenge doesn’t lie so much in the translation technology itself, but in orchestrating the processes: exponentially growing content volumes, review cycles that slow down time-to-market, data governance, and operational costs.

Today, Generative AI (GenAI) has brought brutal acceleration to this scenario. The promise of instant, near-zero-cost translations is seductive, but brings with it new risks : loss of brand consistency , hallucinations from probabilistic models, quality levels not always up to par from generalist models, and the difficulty of maintaining rigorous editorial control over thousands of auto-generated pages.

At SparkFabrik, we work daily on complex Drupal-based projects, serving clients who manage large digital ecosystems , from universities and public institutions that need to publish important tenders and official informations, to enterprise companies with broad product portfolios and global presence.

For these organizations, linguistic precision isn’t an aesthetic detail, it’s not just to “look and sound good”: it’s a requirement for brand identity and reputation (and, in certain contexts, also for compliance).

In this scenario, Drupal confirms itself not only as a solid choice, but as the enterprise CMS best positioned to transform the GenAI revolution into a concrete operational advantage, even for multilingual needs, and without sacrificing quality.

The Multilingual Challenge

Let’s address the central issue right away: multilingualism is not a trivial matter of translating words from language A to language B.

If it were that simple, a Google Translate plugin would suffice. Multilingualism is strategy. It’s international technical SEO, it’s cultural adaptation (localization), it’s evolutionary maintenance of content that must remain synchronized over time.

In short, having a multilingual presence is a multifaceted strategic decision for the brand. And in this area, the choice of Content Management platform is the founding decision for any internationalization strategy.

Drupal stands out in the enterprise CMS landscape** , excelling in the structural management of these complexities thanks to its architecture that conceives multi-language as a native attribute of data.

At the same time, a major “Achilles’ heel” of any multilingual system has always been the automation of translation workflows, in terms of balancing costs and quality. Traditional methods, such as sending files via email to agencies or using old-generation automatic translators, are now obsolete for the pace and quality levels required by today’s market.

Our thesis is clear: the only viable path for modern organizations is the intelligent use of GenAI, but rigorously accompanied by strategic human control.

Why has multilingualism become a current topic again?

To understand the scope and relevance of the multilingual content topic, it’s necessary to look at the historical context we’re experiencing.

First of all, in the digital landscape formed in recent years, we’ve witnessed a convergence that has ultimately led to an explosive increase in the quantity of content and translations :

• The maturation of Generative AI (GenAI) technologies.
• An explosion in digital content production, fueled mainly by GenAI which has empowered teams of all sizes.
• A consequent increase in the demand for localization of produced content (a recent report indicates a surge in enterprise translation demand of 30% annually). Moreover, translations fit into a more general market trend towards consistent and personalized content for end users (we discussed this in the context of omnichannel with Drupal).

But it’s not just about content quantity; there’s an equally important increase in pressure on speed. Marketing campaigns, communications, and other content must be released simultaneously in all languages. There are no more weeks of time for manual localization.

Third, the need for quality. Enterprise organizations face a crossroads: continue to rely on manual processes, now unsustainable in terms of costs and time, or embrace automation while risking compromising brand reputation with low-quality translations (not just literal, but in terms of brand tone-of-voice).

GenAI can represent the “Holy Grail” that balances quantity, speed, and quality in this area. At the same time, however, there’s the need for control : in a world where content is machine-generated, editorial governance becomes the last bastion of brand identity. Both fine-tuning AI systems according to each brand’s identity and human supervision and review become essential.

It’s also worth considering the impact of GenAI on editorial teams: content management teams should not be replaced, but empowered, freeing them from repetitive tasks to focus on creativity and qualitative supervision, including in terms of localization (in this sense, Drupal fully embraces this approach to AI).

Last but not least, making (or maintaining) a brand multilingual is a strategic decision that opens doors to new markets and strengthens the brand internationally or globally. The interest for brands in this strategy is absolutely evident, now made significantly more accessible to organizations of all sizes thanks to GenAI.

Drupal and multilingualism: what works, what’s changing

Drupal needs no introduction when it comes to multilingual capabilities; in fact, Drupal’s centrality in the enterprise sector is largely attributable to its architectural maturity regarding multilingual data structures.

Unlike other CMSs that require heavy plugins to manage translations, Drupal handles multilingualism at the Corelevel. This means that every entity (from nodes to content blocks, from taxonomies to menus) is natively translatable.

However, the ability to store translations is useless without an efficient operational process to create and manage them. This is the domain of modules like the Translation Management Tool (TMGMT).

Let’s analyze in more detail the multilingual aspects in Drupal’s Core and in TMGMT.

Multilingual content and localization in Drupal Core

Drupal incorporates multilingualism into its main Core, at the deepest level of its application framework. This means that robustness and scalability are guaranteed, not depending on third-party plugins that can break at any moment.

More specifically, Drupal integrates language support at the Entity and Field level. Every content element is an entity (be it a page, a block, a taxonomy term, a menu, or a media asset). The native translation system allows creating language variants for each entity while maintaining a single unique ID.

At the same time, you can configure which specific fields of content must be translated (e.g., product titles and descriptions) and which should remain unchanged (e.g., product codes, numeric technical specifications, global images). This not only optimizes translation costs by reducing word volume but also ensures the integrity of technical data across markets.

Drupal’s linguistic architecture therefore operates on four levels:

Furthermore, organizations can choose whether to maintain a symmetric structure (every page exists in all languages) or asymmetric (specific content for local markets), managing everything within a single instance or through a centrally governed multisite architecture. The logic that determines which variant to serve to the user is also configurable: URL prefixes (e.g., /it/), top-level domains, authenticated user preferences, or browser settings.

Equally important, Drupal’s granular permission management is a fundamental aspect for more structured organizations, allowing precise role-based permissions and review, approval, and publication pipelines for each language or region to be set.

In short, Drupal supports flexibility essential to support the most complex international product, content, and SEO strategies.

Drupal’s Architectural Superiority compared to competitors

When compared with alternatives like WordPress or Adobe Experience Manager (AEM), Drupal’s native architecture offers indisputable business advantages.

• Comparison with WordPress: WordPress typically requires plugins like WPML or Polylang. These often store translations as separate posts linked by metadata, which can lead to database bloat and query inefficiency at scale. Drupal’s entity-based translation stores translations within the same entity record, optimizing performance, simplifying API queries, and ensuring greater data consistency.
• Comparison with Adobe Experience Manager (AEM): While AEM offers robust “Language Copies,” it comes with high licensing costs and often requires heavy customization for complex workflows. Drupal offers comparable enterprise capabilities (granular permissions, workflow integration, multi-site management) without licensing fees, significantly reducing Total Cost of Ownership (TCO) and allowing budget to be reinvested in innovation and content quality.
• Comparison with Headless CMS: The evolution of digital architectures towards “Composable” and “Headless” models has made a CMS’s ability to act as a central repository for multilingual content even more critical. Drupal, thanks to its API-first approach, natively exposes translated content via JSON:API and GraphQL. Importantly, data is exposed in a structured format consumable by any frontend (React, Vue, Angular), facilitating omnichannel distribution without complex middleware for language logic management.

TMGMT as a workflow orchestrator

While Drupal Core provides the ability to store translations, it doesn’t fully manage the operational translation process. This is where the Translation Management Tool (TMGMT) comes in.

Used by over 10,000 high-traffic sites, it’s a suite of tools that standardize the translation process. In enterprise contexts, and for anyone managing advanced editorial workflows, TMGMT truly becomes the beating heart of the system.

Manual translation management (export copy-paste via email) is the main bottleneck for scalability. TMGMT solves this problem by introducing an abstraction and automation layer.

First of all, TMGMT allows completely decoupling the content source from the translation provider. We can therefore see two levels:

1. Sources: TMGMT can extract text from any Drupal element (Nodes, Blocks, I18n Strings). It doesn’t matter if the content resides in a paragraph, a custom field, or a configuration string; TMGMT normalizes it into a translation-ready format.
2. Translators: Thanks to its plugin architecture, TMGMT is agnostic about who performs the translation. It can be a human user, an external agency connected via XLIFF files, or an automatic translation service. Today, LLMs are also included among translators, offered by various providers (OpenAI, Gemini, Ollama, Lara…).

The advantage of this flexibility is clear: it allows changing translation providers without having to rewrite code or retrain editorial staff , drastically reducing vendor lock-in risk.

Governance functionalities** are another central added value of TMGMT. It allows assigning translation jobs to specific users , managing granular progress states (“pending”, “translated”, “reviewed”, “accepted”), and having an overview of what has been translated and what hasn’t. This structured approach ensures that translations aren’t published blindly, but according to advanced review and validation pipelines.

Finally, an advanced functionality (particularly useful for high-update-volume sites) is Continuous Translation Jobs.

This feature reverses the traditional paradigm: instead of waiting for an editor to manually create a translation “package,” the system proactively monitors content. When content is created or updated, TMGMT detects it and the new content is automatically added to a Job, then sent to the translation provider.

This mechanism eliminates “dead times” and the risk of drift between original and translated content, essential for maintaining consistency in e-commerce ecosystems or real-time news.

However, until recently, there was a traditional limitation. The options were polarized: on one hand manual translation (high quality, high costs and time), on the other classic Machine Translation (low quality, low cost). An effective “bridge” to services capable of combining automation speed with enterprise-grade publication quality was missing.

GenAI** is changing this paradigm, fitting exactly into this space and enabling hybrid workflows that were previously unthinkable.

AI translations + human-in-the-loop: speed is important, but not at the expense of quality

LLM-based (Large Language Models) language automation today allows managing translation volumes that would have been humanly and economically impossible just a few years ago. Think of translating thousands of product sheets, technical knowledge bases, or historical news archives.

However, speed cannot become an excuse for quality degradation.**

For institutional, strategic, or core business-related content, human input remains essential. AI, however advanced, can lack sensitivity to specific cultural context or may misunderstand tone nuances crucial to the brand. The winning strategy we’re observing isn’t replacement, but the hybrid approach : AI + Review (Human-in-the-loop).

Here arises a critical problem : many try to solve the issue by connecting Drupal to generalist models like ChatGPT or Gemini via generic APIs. While technically possible, this approach is often ineffective for enterprise. Generalist models are “know-it-alls”: they translate a poem with the same statistical probability as they translate a technical manual, often inserting hallucinations or losing necessary terminological consistency.

Enterprise and Academic clients cannot afford these risks. A legal term translated approximately or an overly colloquial tone in institutional communication can create real damage.

When quality is a fundamental KPI, relying on generalist systems means shifting cost from translation to massive review, canceling the economic advantage.

If we want to leverage GenAI’s power in contexts where accuracy is central, we need a specialized AI model. We need a technology partner that has solved the quality problem at the root. It’s in this scenario that we introduce Lara Translate.

Integration with Lara Translate: why we built it

While Drupal Core provides the ability to store translations and TMGMT provides the logistical infrastructure and integration with providers, output quality depends on the translation engine.

If generic Large Language Models (LLM) have demonstrated impressive fluency, they often lack the domain specificity and terminological consistency required for enterprise use.

This is where specialized Language Models like Lara Translate stand out. It’s an AI created by the Italian company Translated, a company specialized vertically in translations and high-quality AI technologies.

Our choice to integrate it into Drupal stems from the specific need of an institutional client to integrate a quality translation provider. From an in-depth analysis of available market solutions, Lara consistently positions itself a step above standard automatic translation, approaching the performance of the best human professional translators.

But what differentiates Lara from other solutions? The difference lies in the project’s DNA. Lara is the LLM developed by Translated, a company operating in the professional translation sector since 1999.

Unlike generalist models trained on the entire web (including low-quality content), Lara was trained and fine-tuned on a proprietary dataset of millions of professional translations.

We’re talking about decades of work done by over 500,000 professional linguists for 397,000 enterprise clients, in more than 200 languages, for a total of over 25 million real professional translations.

Lara “learned” to translate by watching how the best humans work, not by reading online forums. This specialization in training data is what guarantees superior output.

To bring this power into our projects, at SparkFabrik we developed and released the TMGMT Lara Translate module, a plugin that introduces Lara as a translation provider for all content in Drupal.

The plugin allows editorial teams to send content to Lara and receive translations directly in the Drupal interface, keeping intact all TMGMT’s governance, review, and workflow functionalities.

The result is a fluid process: no more copy-paste, all the advantages of multilingual in Drupal, combined with automatically high quality. But to reach this quality level, some peculiar functionalities have been developed in Lara (and are fully supported in Drupal).

Additionally, Translated also offers the possibility to integrate professional human review(human-in-the-loop) for those translations requiring an extra layer of guarantee. As seen, Lara is a highly performant GenAI model in translation tasks precisely thanks to Translated’s human-centric philosophy, which led to training based on millions of human professional translations (you can learn more here).

Distinctive features of Lara Translate integrated in Drupal

• Translation styles.
  Companies don’t communicate in a single way. A legal contract requires absolute precision, while a marketing campaign requires creativity. Similarly, Lara doesn’t translate flatly but natively integrates three distinct translation styles.
  • Faithful: Ideal for technical manuals, legal contracts, and content where terminological precision is vital.
  • Fluid: Perfect for general editorial content, blog posts, and news.
  • Creative: Designed for marketing and storytelling, where AI takes the liberty to adapt the message to maximize emotional impact.

• Context awareness and document coherence.
  Unlike old systems that translated sentence by sentence losing the thread of discourse, Lara analyzes the entire document. It understands relationships between sentences, maintains consistency of grammatical gender and references throughout the text, ensuring natural flow.
• Glossaries.
  Allow specifying correct translations for specific terms and phrases that are crucial for your particular context. This ensures Lara applies the right terminology consistently across all translations.
• Trust Attention.
  Lara uses a proprietary mechanism to “weigh” information. During generation, it prioritizes data from verified professional translations over less reliable sources. These also include revisions, corrections, and “error memory.”
• Lara Feedback.
  Thanks to its dataset that also includes real corrections, Lara is able to “explain” its translation choices, providing an unprecedented level of transparency for an AI system (the so-called “AI Explainability”).
• Access to experts.
  Translated’s ecosystem allows, when AI isn’t enough (for example for ultra-sensitive content), activating professional human translator services through the same pipeline. The transition from AI translation to on-demand professional human translation is thus made more immediate.

How to use Lara as a translation provider in Drupal

If you’re familiar with TMGMT, it will be immediate to start using Lara. If you’re new, here’s a quick procedure overview (common to other providers).

1. Obviously make sure you’ve installed and activated TMGMT and installed the TMGMT Lara Translate plugin.
2. Go to Translation Management → Providers. Create an instance for Lara by adding your API credentials (you’ll obviously need a Lara account). The settings allow you to customize the module according to your specific context, for example selecting the default style and linking glossaries.
3. Through TMGMT, choose the entities to be translated (nodes, paragraphs, etc.) and necessary languages. You thus create Jobs to send content to Lara.
4. Lara automatically translates and returns output to Drupal. Here you see Lara’s quality: translations respect specific context, tone, and terminology.
5. Typically, output requires minimal human editing. Additionally, Lara supports review by highlighting ambiguities and providing explanations.
6. Once approved, translations are automatically published.

The hybrid approach, native but modern

As you may have noticed from the procedure, using Lara seems absolutely native in Drupal, especially if you’ve already worked on a multilingual site with TMGMT. What’s different is the “engine” behind the scenes, a super specialized LLM.

Even with Lara as the basis of the automatic translation process, the human role in the process isn’t eliminated or diminished. This is the concept of “Human in the Loop” (HITL), which here takes on a dual meaning.

• Quality AI as base. Lara provides a high-quality “first translation” that is often already final, drastically reducing editing time.
• Editorial control in Drupal. Thanks to TMGMT, the human editor can review the translation directly in the CMS before publication and manually edit the content. Thanks to output quality, these are typically minor interventions, especially if Lara is correctly configured with glossaries and brand tone. The reviewer is thus empowered and transformed into a strategic supervisor.
• Professional translations. For more specific and particular cases, it’s possible to request professional translator services from Translated, the parent company behind Lara.

Adopting this technology stack generates immediate and measurable economic impact: the company can reduce translation budget by up to 80% or, with the same budget, translate 5 times more content, opening new markets previously unreachable due to cost limitations.

Indeed, 2025 market data highlights an enormous disparity between human and AI translation costs, and the hybrid approach allows having the best of both worlds: the following table offers an indicative estimate (see details here and here).

But the advantages of this approach don’t stop at economic aspects. Equally relevant are:

• Time-to-Market acceleration , with consequent increase not only in speed but also in competitiveness in local markets
• Brand consistency , through use of correct terminology and unified tone of voice, otherwise difficult to obtain with fragmented human teams. We discussed consistency extensively in terms of Design System, but equally important is consistency in textual content.
• Operational scalability : the marketing team (or external support figures) doesn’t need to grow linearly with the number of content and supported languages. It’s possible to automate translation of “low-risk” content and focus human attention on sensitive content, strategy, and other high-value aspects.

Use cases

Adopting this architecture (Drupal + TMGMT + Lara Translate) isn’t a theoretical exercise, but a practical solution to real problems. Not surprisingly, this integration was born from a client’s request in a real business case.

It’s the ideal configuration for high-content-volume sites that cannot afford the costs of a traditional agency for every single word, but also cannot accept the poor quality of raw machine translation.

Think of projects where tone of voice, consistency, and clarity are non-negotiable assets : international marketing portals, technical product documentation, legal or institutional sites. In these contexts, automation must be intelligent.

An immediate example? Think of an enterprise e-commerce with 50,000 SKUs: it can automatically translate product descriptions (in Fluid style) and technical specifications (with Faithful style), reserving human budget for reviewing technical details, marketing campaign pages and the home page, maximizing ROI.

Business Case: The Digital University

Let’s look in more detail at a specific business case. A concrete example of the value of this solution is the work done for a prestigious Italian University (a real client for whom we originally developed the module).

• The context.
  A University is a huge editorial machine with hundreds of people working in different languages: institutional sites, department sites, news, research highlights, competition announcements, regulations, course program descriptions, administrative information… are just part of the content managed by university editorial teams. And typically, they must be published in different languages. In the education context, Drupal proves to be the ideal CMS.
• The problem.
  Manual translation times are incompatible with news speed. Solutions like Google Translate and continuous copy-paste (which also break formatting) are now unthinkable. But even using generalist LLMs, significant quality limitations were encountered, resulting in significant resource investment in the review phase. An alternative system was needed, high-quality and integrated directly into Drupal, in a workflow familiar to operators and able to guarantee full governance.
• The solution.
  After thorough research, Lara was identified as a provider and we implemented the TMGMT Lara Translate module.
• The new workflow.
  Today, University editors create content in Italian (or the initial language) on Drupal. With one click, they select target languages and send the job to Lara directly from the editing interface. Lara returns a high-quality translation, respecting academic terminology (thanks to specific training, use of glossaries, and customized instructions) and keeping HTML tags intact. The content returns to Drupal in the “To be reviewed” state. The editor takes a quick look, approves, possibly optimizes, and publishes.
• The result.
  Multilingual publication times have been reduced by 80%. Translation costs have plummeted, allowing many more contents to be translated with the same budget and high quality. Editorial control has remained firmly in the hands of the University, without duplications or data loss.

Conclusions, recommendations, and next steps

GenAI has had a disruptive impact on the entire content world. Yet, despite how it may seem, the GenAI era doesn’t ask us to choose between automation and human quality, but to orchestrate them to leverage the best parts of both.

Managing a multilingual ecosystem is a strategic lever that directly impacts growth, Time-to-Market, and brand reputation. In a world of tool abundance, some fundamental details make the difference: quality, workflow, supervision.

The combination of Drupal CMS , with its solid, API-first, and inherently secure architecture, TMGMT , to effectively manage the localization process, and Lara Translate , with its specialized contextual intelligence, finally offers a concrete answer.

Brands are no longer forced to sacrifice quality on the altar of speed, nor to drain operational budgets to ensure terminological consistency on a global scale. The identified hybrid solution and the “Human-in-the-Loop” approach (validated through real case studies) are the ideal compromise. Editorial teams can free themselves from repetitive, low-value “linguistic data entry” work and elevate themselves to curators of global strategy, focusing on the cultural and communicative nuances that make brands unique in every market.

Recommendations for Decision Makers

For decision makers who intend to transform this vision into operational reality, the recommended roadmap is articulated in four essential steps:

1. Audit current flows: Map the existing “content-translation” lifecycle. Identify bottlenecks caused by human intervention, manual file management, or email exchanges. Effectively, how much time passes from creating master content in Italian to its actual publication in Chinese, German, or Arabic? If the answer is still measured in weeks rather than hours, the competitive gap is growing.
2. Adopt the structural stack: Implement multilingual management in Drupal with the TMGMT module. For enterprise sites, it’s not optional, but an architectural requirement necessary to “decouple” content creation from its translation.
3. Opt for specialized AI: Start an initial pilot on non-critical segments, replacing generalist LLMs or manual processes with Lara Translate. Leverage the model’s unique ability to understand the entire document context and programmatically adhere to your brand’s style (“Faithful”, “Fluid”, “Creative”) to drastically reduce the time and cost of human review.
4. Define governance: Establish clear guidelines on which types of content require human post-editing versus AI-only translation, using TMGMT workflow states to enforce these rules. For critical content, consider maintaining manual intervention by localization professionals.

By shifting the focus from manual translation to strategic supervision of reliable and contextual AI, companies can overcome language barriers with unprecedented speed and quality.

SparkFabrik, through its deep technical and strategic expertise in Drupal and the development of tools like the Lara connector for Drupal, positions itself as a key technology partner to guide organizations in this transition, transforming the challenge of linguistic complexity into a structural competitive advantage.

If your organization is exploring adopting Drupal as a CMS that’s robust, reliable, and customizable, introducing multilingual strategies , or AI integration for its digital initiatives, we invite you to:

1. Explore our case studies of enterprise Drupal implementations
2. Contact our team for an assessment of your specific needs
3. Discover how our Drupal services suite can support your AI strategy

This article is part of our series dedicated to Drupal CMS. To explore other aspects of the platform, we invite you to consult our previous articles on features and benefits, comparison with alternatives, migration strategies, security and compliance, composable architecture, Design System, Drupal headless omnichannel, and Drupal AI overview and news.

For the Drupal community, January is the month when the candles are blown out: today, January 15, 2026, we celebrate 25 years of a technology that has shaped the web. 🎂

But in Open Source, the best way to honor a project is to build its future and tell its story. ​What better time, then, to stop, tidy up, and share our contributions to the ecosystem?

2025 was the year when artificial intelligence went from “interesting feature” to infrastructure. A bit like the cloud a decade ago: first curiosity, then experimentation, finally inevitability. In between, a question that those working on digital platforms can no longer postpone: “How do we bring AI into production… without losing control, security, and quality?”

This is exactly where the Drupal AI Initiative comes in: a project born to transform the (very real) energy of the community into a coordinated vision, with the goal of making Drupal not just “AI-compatible,” but an enterprise-grade CMS even when AI enters the heart of editorial and business workflows.

At SparkFabrik, we didn’t just stand by and watch. We understood that we didn’t want to be mere users of this new technology, but “makers.” After all, Open Source isn’t a “marketing strategy” for us—it’s part of our history and our DNA.

We chose to be there, with real contributions, in areas we identified as decisive for real adoption: developer experience , governance & security (guardrails), RAG & search, agentic workflows (MCP and toolchain) , enterprise integrations , and, something often underestimated, communication and community building.

Here’s how we contributed to building the future of Drupal in 2025 (explained with a technical angle, but designed also for decision-makers).

And speaking of contribution: what better occasion to announce that on Saturday, January 31 , we will host the Drupal Contribution Day in Milan? ​It’s now a recurring and unmissable event in our offices, a time to meet, write code together (but not only!) and “give back” to the community. Register here to join us!

What is the Drupal AI Initiative

The Drupal AI Initiative is a strategic project aimed at integrating AI into Drupal effectively, evolving the system to position it as the best open-source “agentic CMS.”

The Drupal ecosystem had been talking about AI for some time, with features, integrations, and modules that were growing and providing a taste of what was possible. However, it became clear that to bring real strategic impact, it was necessary to go beyond fragmented contributions and channel efforts.

With this awareness, the Drupal AI Initiative was launched on June 9, 2025, with the goal of bringing structure, strategy, and shared direction to innovation (and a common vision of AI that supports people, is secure, and fully governable even in enterprise environments). In other words: not just “AI modules,” but a common direction, a framework, and an ecosystem capable of growing without losing governability.

For decision-makers (CTOs, CEOs, digital managers, marketing leads), this point is huge: it means being able to bring AI into digital experiences without vendor lock-in, without having to rebuild everything from scratch, and with the governance backbone typical of Drupal.

First of all: who contributed (people, not just code)

Innovation is driven by people. Our contribution wouldn’t have been possible without a significant structural investment: since June 2025, we’ve dedicated 50% of the working time of two of our best technical talents exclusively to the Drupal AI Initiative.

We’re not talking about spare time, but constant, daily commitment. An amount of resources justified by our internal strategic vision, and often further fueled by personal passion that goes well beyond office hours.

The team’s prior experience was fundamental, because many of our 2025 contributions weren’t theoretical exercises, but technical choices made by those who have already seen what works (and what breaks) when a project has to live in the real world.

How we worked: governance, consistency and alignment

Guiding the strategic vision was our CTO, Paolo Mainardi , who coordinated activities with precise methodology to ensure we produced value continuously (not only for the ecosystem and community, but also to address the real enterprise challenges of our clients).

In 2025, we worked in sprints, with dedicated issues and milestones, aligning with internal weekly coordination calls. Additionally, we always participated in the community’s weekly asynchronous alignments to bring our perspective. This model allowed us to:

• choose priorities and “cut” what didn’t bring value
• explore and deepen various solutions, beyond contributions
• define and evolve PoCs into reusable solutions
• maintain a constant flow of contributions, despite the pressure of commercial projects
• create a stable bridge between technical work and communication.

Regarding the last point, an important aspect was working together with the marketing team: Stefano Mainardi (CEO) and Alessandro De Vecchi worked constantly to tell the story of Drupal, the AI Initiative, and what we were building.

Because open source really works when you build and share.

AI Development Environment in Drupal: our DDEV add-on to lower the barrier to entry (DDEV development environment)

The first major challenge we faced was infrastructural. In June, at the beginning of the Drupal AI Initiative, contributing to development was complex and slowed down by a fundamental bottleneck in terms of Developer Experience (DevEx).

Our first major contribution was therefore aDDEV-based development environment, designed to make local setup replicable and fast, and to allow working on multiple modules simultaneously without going crazy.

More specifically, the main problem was the complexity in configuring a local development environment to work effectively in a context like Drupal AI, where you need to work and test multiple modules simultaneously. Dependency management was decidedly inflexible (with the risk of having to reinstall them every time), only one project at a time could be cloned (making many manual git clones necessary when working on multiple modules), and the need to add (and maintain) some DDEV-specific configuration files made everything tedious and not scalable.

Our effort was therefore directed at lowering these barriers to entry and accelerating the innovation cycle for the entire community, providing developers with a pre-configured AI local development environment working in very short time.

Our strategy evolved in two phases, with a general and a specialized solution. The first step was the proposal of a new DDEV add-on (DDEV Drupal Suite add-on) , a generic tool that can be used by any contrib module, drastically simplifies setup, and makes contributing to multiple modules simultaneously streamlined.

Based on this, we first developed a “Drupal recipe” (AI Dev Recipe) that installs and configures a minimal set of AI modules, then also an interactive CLI wizard (DDEV Drupal AI Add-on) that orchestrates the entire AI functionality configuration, automatically manages dependencies, config and install, and is also easily extensible with simple YAML instructions.

Furthermore, development continued to make the solution even more flexible, for example including support for ready-to-use vector databases (PostgreSQL, pgvector), but also optional support for high-performance scenarios (Milvus) and quality assurance tools (GrumPHP).

Today, this solution is used by the global community and is traceable as an add-on. In parallel, to further facilitate adoption, we also proposed transferring it to the official DDEV namespace, so as to make it the absolute standard for AI development in Drupal. It was one of our first contributions, but it laid the foundation for everything else.

Why does this contribution matter for business too? Because when AI enters an enterprise CMS, the impact is as much functional as organizational. The speed with which a team can do tests, fixes, iterations, and releases determines the real time-to-market. And a standardized development environment is often a first, powerful productivity multiplier.

Guardrails: bringing security, governance, and control to Drupal AI

Every time we talk about AI in production, sooner or later we get here: trust.

AI can create content, summarize, classify, orchestrate actions, call external tools. But it can also “hallucinate” (with great confidence), deviate from company policies, expose sensitive data, generate unsafe or inappropriate output.

Think for example: how can we ensure that a chatbot doesn’t provide inappropriate responses, suggesting a competitor’s product, offending the user, or inventing false information? And how can we prevent sensitive data (PII) from being sent to third-party providers (through our prompts, or through information collected by autonomous agents)?

The risks are real and, in the enterprise world, an AI that “hallucinates” or responds inappropriately isn’t just a bug, it’s an unacceptable reputational risk. And if it shares sensitive data, it’s an even more serious violation. While many focused on text generation, we focused on control.

For this reason, we worked on defining so-called “Guardrails”, intelligent rules that control and guide AI behavior, effectively limiting it to ensure it respects the guidelines, values, and objectives of each organization.

In our vision, guardrails are not optional : they are a strategic requirement to make AI deployable in real contexts.

Definition of guardrails in Drupal AI

Luca’s contribution on this front was substantial, starting with the definition itself of the concept of Guardrails in Drupal (which revealed a much greater breadth than initially hypothesized).

• Guardrails are in fact necessary as a cross-cutting layer for all interactions with LLMs : modules, agents, chatbots, content generators, etc. Importantly, guardrails are also essential for securing communications with other external systems , protecting the exchange of parameters and sensitive data, such as those managed through MCP.
• They must analyze both user input and sanitize data before it reaches the LLM (e.g., removing personal data or blocking forbidden topics), as well as AI output , analyzing the response before it’s shown to the user.
• In case of a failed check, a guardrail can completely block the execution of a request (“Sorry, I can’t respond due to policy violation”) or rewrite input/output by removing problematic data (“Here’s the response omitting personal information”).
• A single filter is typically not sufficient. Rather, a “Set of Guardrails " is needed that operate simultaneously, each specialized in different types of controls (e.g., one dedicated to personal information, one to forbidden content, one dedicated to user permissions).

Our contribution culminated in the creation of a new plugin architecture to manage guardrails. The solution is highly customizable: it not only supports the configuration of individual guardrails, but also the ability to combine multiple controls in different sets.

Both controls on user inputs (pre-LLM controls) and on AI output (post-LLM controls) are supported, and it’s possible to define different checks in the two phases, for different needs. Last but not least, guardrails of two distinct types are implemented: deterministic type (regex) and non-deterministic type (LLM-based topic detection).

For decision-makers, the value of this contribution is immense: guardrails transform Drupal AI from a promising technological experiment to a reliable, secure, and enterprise-ready platform, where AI always works for the business, and never against it.

Support for Bedrock and data sovereignty

During experiments, we explored the main Guardrails solutions already available, with a particular focus on AWS Bedrock, one of the most powerful solutions on the market.

Our tests confirmed excellent compatibility with many languages (including Italian), particularly the PII masking functions, specific guardrails for removing personal information without blocking execution.

But it’s important to tell the reality honestly: an external (extra-European) service introduces privacy implications, compliance questions, and technological dependence (vendor lock-in).

These concerns are particularly relevant in regulated contexts (or in public administration), where it must be seriously evaluated which data is transmitted externally, how it’s processed, what residual risk remains.

For this reason, while supporting Bedrock, our architecture is designed to be agnostic. It allows integrating other solutions in the future (such as Azure, Google Cloud, Guardrails.ai) and, a very interesting alternative, also local models, to ensure data sovereignty.

Streaming, guardrails, evolutions

Another technical point we addressed is the complexity of guardrails in the presence of streaming responses , i.e., when the AI sends each piece of the response as it generates it, and not just the complete output at the end of generation.

For user experience, streaming is a highly appreciated feature. However, in the presence of streaming, it’s not enough to perform a final output check, because the user might already have been exposed to inappropriate information. Rather, guardrail control must be performed at each update of the response from the LLM (at each new output token).

Validating output token-by-token, managing tool calls in the flow, and simultaneously activating guardrail sets at each update is a non-trivial issue.

The temporary solution was to disable streaming when guardrails are active , pending a more robust approach. It’s an important detail for usability, moving from a “safe” solution to “safe and pleasant to use.”

And there’s another front that will need to be addressed in 2026: guardrails for multimedia content (images, videos). It’s a topic still to be explored in depth, but we already know it can’t be left to chance.

AI Agents in production: asynchronous tasks and streaming with Symfony Messenger (to overcome PHP limitations)

AI Agents are a completely different entity from simple chatbots of the past. A complex agent plans, executes multiple steps, calls tools, handles errors, queries databases, processes data. In short, Agents require time to “reason,” with processes that can last even several minutes.

And this is where the classic synchronous model of a PHP web request shows its limits: timeouts, sessions that close, UI that interrupts execution, difficulty with retry/monitoring.

The problem is therefore: how do we run complex agents on a Drupal site, without the page timing out? A real problem, which also emerged on a project for one of our clients.

To address this limitation, we developed a solution and a PoC of “AI Agent Runner” based on Symfony Messenger, with two clear objectives:

1. asynchronous execution of agentic tasks (robust, retryable, monitorable), decoupling agent execution from the user’s web request.
2. streaming of responses to the frontend when a fluid conversational experience is needed, while continuing to support synchronous execution with (almost) the same code.

This contribution was also brought to a public context: a technical webinar organized together with the team coordinating the Drupal AI Initiative, in which Luca showed how Symfony Messenger can become a key piece to overcome the architectural limitations of Drupal and PHP when talking about agents.

For a decision maker, the point is very simple: with synchronous execution alone, agents remain beautiful but limited and fragile prototypes. With an asynchronous architecture, automation can become complex and reliable.

RAG and Typesense

One of the quickest ways to lose trust in AI is to ask it something it should know… and see a plausible but wrong answer. RAG (Retrieval-Augmented Generation) was born for this: to anchor responses to a real and controllable knowledge base.

SparkFabrik has historically been the maintainer of the Search API Typesense module, which has given us deep experience both in “classic” search and in the evolution towards semantic search and vector databases. With the advent of AI, it was natural for us to evolve this tool.

Roberto Peruzzo worked on implementing Typesense support for RAG in the AI module, with an approach aimed at improving relevance and efficiency.

One of the most interesting elements we introduced is the concept of “Router Agent,” a sub-agent that determines “where to search.” In a complex system with many indexes (e.g., Technical Manuals, Blog, Products), querying everything is inefficient. Given a user input, the main agent activates the su-agent, which selects the most relevant collection to query on Typesense (based on intent), before formulating the final response.

This reduces “noise” (irrelevant data sent to AI) and hallucinations, lowers token costs, and drastically increases response accuracy. Furthermore, dynamic routing avoids having to hardcode the mapping of collections and adding new collections does not require new code.

In short, you get a better user experience, scalable code and cost savings.

MCP: Drupal becoming context and toolchain for agents

MCP (Model Context Protocol) is one of the “pieces” that make Drupal conversant with external systems, tools, and agents in a standardized way. It’s one of the next big frontiers, and in 2025 we worked and contributed on MCP in multiple phases.

Exploration and direction

We started with an exploration of the state of the Drupal MCP ecosystem: understanding what was already possible, what was missing, and where it made sense to invest to generate value also for our real projects. In this phase, we also hypothesized the use of JsonAPI via MCP to build decoupled frontends.

PoC: generating a React frontend via JSONAPI + Tools

After exploration, we carried out a more concrete experiment with the goal of testing the effectiveness of the approach and the potential of the protocol: creating a complete React app through an AI connected to the Drupal MCP server, capable of reading its structure and content (content types, fields…).

Realized through a very detailed prompt divided into different phases (“spec-driven development”), the experiment was a success: it demonstrated that Drupal can expose its structure (“intelligence”) to external systems, allowing AI to act not only as a text generator, but as a junior developer guided by the CMS context (and supervised).

Brainstorming on concrete use cases and work in progress

Subsequently, we did an internal brainstorming to define solid and repeatable use cases, for different stakeholders. Two emerged:

• for Drupal developers: starting from an SDC model and generating entities, paragraphs, and fields via MCP
• for frontend developers/site builders: building a decoupled frontend using only the MCP server

We chose to deepen the first use case, still ongoing today with exploration on automating backend structure generation starting from SDC templates.

Improving MCP in Drupal and becoming maintainer

In parallel, we also contributed directly to improving the implementation of MCP in Drupal.

Roberto became maintainer of the Drupal MCP Client module, modernizing it to support the new Tool API and improving security with support for authentication headers (such as bearer token). Last but not least, Roberto also contributed bugfixes to the Drupal MCP module to make Drupal an MCP server.

Why does MCP matter also for those looking at business? Because it’s an “enabling” technology. It’s what allows agents to not just be conversational interfaces, but operators that know how to use tools, interact with APIs, execute actions, and automate processes.

Lara Translate Integration: enterprise AI translations, superior multi-lingual content

Translation is one of the most immediate and concrete use cases of AI in enterprise content systems: multi-country sites, catalogs, knowledge bases, documentation, compliance.

Parallel to infrastructural work, SparkFabrik responded to a specific client need by developing the TMGMT Lara Translate module. Lara is an AI model specialized in translation tasks, with qualitatively superior output to generalist LLMs (ChatGPT, Gemini, Llama…) while maintaining lexical and stylistic consistency.

The module integrates Lara as a translation provider within Drupal’s TMGMT (Translation Management Tool) system, supporting all of Lara’s unique features and with attention also to practical details such as effective text splitting and error handling logic.

An interesting aspect is that this contribution also triggered direct contact, opening collaboration opportunities and demonstrating how project needs can transform into valuable contributions for the community.

Beyond code: content, outreach and community

Contributing doesn’t just mean writing code. It also means telling the story : explaining what we’re doing, what’s ready, what’s evolving, and especially why it’s worth investing. In 2025, we’re really proud of the collaborative work between the technical and marketing teams to translate our work into shared culture.

Content: Drupal AI Logs and blog articles

We told the story of some of the contributions also on our social channels through the Drupal AI Logs series, making the contribution process transparent, transforming technical updates into usable insights and (we hope) inspiring other contributors and teams to experiment.

A great effort was also dedicated to producing blog articles dedicated to Drupal and Drupal AI (and in our tech blog), sharing our perspectives and promoting the ecosystem of our favorite CMS (in 2025 alone we shared 13 vertical articles on Drupal).

DrupalCamp Italy 2025: two talks, two complementary perspectives

In November 2025, we didn’t just contribute to organizing DrupalCamp Italy. We also brought the Drupal AI Initiative to the stage, with two talks that, together, tell our approach well.

• The state of the Drupal AI Initiative.
  Luca Lusso shared the overall state of the initiative and some of our contributions, offering an insider vision, realistic and hype-free. The goal: to inspire the Italian community and promote the initiative. (Talk recording and slides).
• AI Agents in Drupal and MCP (with PoC)
  Roberto showed how to implement AI agents in Drupal, both via UI and via code. In the talk, he showed a PoC of AI Customer Assistant for e-commerce : an agent that converses with the user, searches for products, suggests options, adds to cart, and notifies events in Slack via MCP. (Talk recording and slides).

Technical webinar: AI Agents on Symfony Messenger for “robust” AI agents

As mentioned above, we also contributed to an international technical webinar , organized with the team coordinating the Drupal AI Initiative (James Abrahams and Marcus Johansson).

Luca showed his PoC based on Symfony Messenger, demonstrating agents capable of executing asynchronous tasks and supporting message streaming (even in case of tool invocation).

The goal was to show how SM can become a key piece to overcome the architectural limitations of Drupal and PHP when talking about agents. Interestingly, in the same webinar a second demo focused on FlowDrop was shared and other community members intervened to participate in the discussion.

An extra that comes from the initiative: workshop on GitHub Copilot

In the study and R&D path related to the Drupal AI Initiative, we also invested in training and sharing on AI development tools, such as GitHub Copilot.

We shared our experience in a technical and practical workshop held by Luca Lusso, to explain in practice how to integrate Copilot as a partner in the development cycle in VS Code.

The Copilot workshop is free and freely accessible, not vertical on Drupal but intentionally more open to the development world.

A year of innovation and a look to the future

2025 closed with an extremely positive balance for the Drupal ecosystem, a year of construction in which SparkFabrik contributed to laying the fundamental bricks: a solid development environment, a security framework (Guardrails), a robust execution engine (Async Runner on Symfony Messenger), and interoperability protocols (MCP).

Under the guidance of our CTO Paolo Mainardi, our contributions focused on high-value areas and critical nodes to bring AI into real client projects , with strong emphasis on governance and security, autonomous AI agents capable of performing complex actions (from site building to configuration).

We also recognized (and promoted) the need to support completely open source and local stacks (technological agnosticism), anticipating the digital sovereignty and data privacy needs required by European enterprise clients, subject to regulations such as GDPR, AI Act, and Cyber Resilience Act).

**Summary of main technical contributions 2025 (Drupal AI)

Area | Main Contribution | Impact / Result
Infrastructure | Unified DDEV development environment | Standardization of setup for all global contributors.
Security | Guardrail Agents Architecture | Framework for AI input/output security, viewable and configurable.
Performance | AI Agents on Symfony Messenger: Async Runner & Streaming | Execution of complex agents without timeouts, synchronous and asynchronous execution, reactive UX thanks to real-time streaming.
Search | RAG and Router Agent | Intelligent system to route queries to the correct index, reducing costs and noise.
Interoperability | Drupal MCP Server & Client | POC for generating React frontend from Drupal via AI with MCP; modernization of MCP client.
Localization | TMGMT Lara Translate Provider | Integration of professional translation service into Drupal editorial workflow.

Looking to 2026, our vision is clear. Drupal is no longer “just a CMS.” It’s positioning itself as the ideal platform for Enterprise AI : a place where data is structured, secure, and accessible, and where artificial intelligence isn’t a toy just for “wow effect,” but a tool governed by precise compliance and security rules. It’s exactly the type of AI needed for production, not for demos.

SparkFabrik will continue to be at the forefront. We won’t just use AI; we’ll continue to write the code that makes it possible, open, and secure for everyone, for real projects.

At SparkFabrik, we combine deep technical expertise in Drupal with advanced skills in AI integration, composable architectures, and enterprise governance. Our Drupal development services cover the entire spectrum: from strategic consulting on the AI readiness of your current architecture, to implementation of custom AI-powered solutions, through to security, ongoing support, and optimization.

If you’re evaluating how to integrate AI into Drupal (or into a broader enterprise ecosystem), and you want to do it with a partner who has really put their hands in it (at the product, community, and delivery level), let’s talk.

This article is part of our series dedicated to Drupal. To explore other aspects of the platform, we invite you to consult our previous articles on features and benefits, comparison with alternatives, migration strategies, security and compliance, composable architecture, Design System, Drupal headless omnichannel, and overview and news of Drupal AI.

In a market that rewards agility, rapid adaptation, and the ability to scale when demand grows, adopting the cloud is no longer simply an IT decision, but a strategic choice that directly influences competitiveness and business results.

As we explored in depth in our guide on cloud transformation, companies that successfully integrate cloud technologies into their processes achieve concrete results in terms of time-to-market speed, flexibility in resource allocation, and support for continuous innovation.

A strategic choice: cloud models and key market players

To navigate the market correctly, it’s useful to first understand the three main cloud computing models : Public Cloud, Private Cloud, and Hybrid Cloud. Let’s start with this simple distinction.

• Public Cloud means the infrastructure resides on shared platforms managed by an external provider, making it ideal for startups or e-commerce businesses that need to scale rapidly without high initial investments.
• Private Cloud , on the other hand, is reserved for a single company (or group) that directly manages the infrastructure or outsources it: this option becomes relevant when compliance, security, or absolute control of data represent business priorities.
• Hybrid Cloud combines the two models, allowing critical workloads to be managed in a private environment while leveraging the benefits of public cloud for variable loads or innovative services: a fantastic mix that, however, requires skills and orchestration.

Having clarified the different infrastructure models (you can explore further in this article), the next obvious question is: which provider should you choose? In the global market, players like AWS , Azure , and Google Cloud Platform stand out, capable of offering a wide range of services, a widespread geographical presence, and the solidity of a mature ecosystem. But how do you navigate these options without getting lost in technicalities?

Alongside the big names, Alibaba Cloud also deserves attention, the undisputed leader in the Asian market and a strategic partner for all those companies looking with interest at internationalization in China and the Asia-Pacific region. A concrete example? Caleffi , a company that, with the goal of strengthening its digital presence in China, chose a multi-cloud approach together with the SparkFabrik team (details can be found in our case study: Caleffi Hydronic Solutions).

Cost analysis: comparing pricing models

Once you’ve understood the models and main providers, a often decisive aspect in the choice comes into play: the cost structure. Understanding the different pricing models is essential, both for those evaluating cloud migration and for more mature companies wanting to expand their infrastructure consciously. The topic concerns IT Managers, CTOs, or even Marketing Managers of e-commerce businesses planning large-scale digital investments.

The three main models worth keeping in mind are pay-as-you-go, reserved instances, and volume-based discounts. Here’s how they differ:

• The pay-as-you-go model allows you to pay only for resources actually consumed, ideal for startups or projects with variable demand.
• Reserved instances , with one or more year commitments, offer significant discounts if you anticipate constant usage.
• Finally, volume-based discounts reward those who reach high usage or purchase thresholds through Enterprise contracts.

Beyond pricing models, price as we mentioned is one of the aspects that attracts the most attention when choosing a business cloud. So which is the most cost-effective provider: AWS, Azure, or GCP? In reality, in most cases, pricing doesn’t represent a real differentiating factor. For equivalent usage scenarios, in fact, the main platforms offer very similar rates, at least in the most consolidated markets.

However, some variations emerge looking eastward. Alibaba Cloud, for example, offers significant advantages in the Asian context or for specific workloads, confirming itself as a strategic choice for those targeting those markets.

It’s important to emphasize that simply comparing prices of individual resources isn’t enough to determine overall cost-effectiveness: pricing must always be part of a broader evaluation , taking into account both technical needs and anticipated growth dynamics.

On this note, before continuing with the provider comparison, we think you might be interested in exploring the ebookwe created based on our experience in Cloud Transformation projects for SMEs and Enterprise companies. Discover which cloud solutions to choose to remain competitive and keep pace with continuous market demands (ebook in Italian).

Main features and services: what each provider offers

Features** are fully part of the “broader picture” to evaluate beyond price. To facilitate navigation among the many possibilities, in the following table you’ll find a concise comparison of the three main providers (AWS, Azure, and GCP — divided by functional areas.

Compute (Macchine Virtuali, Serverless)

Storage & Database

Networking

AI & Machine Learning

What emerges from this comparison? In summary, the choice of ideal provider depends on context and business objectives.

AWS stands out for scalability and variety of services** : it’s often the preferred solution for startups, e-commerce with demand peaks, and companies seeking reliable, resilient, and global infrastructure.

Azure** , for its part, represents the natural choice for organizations already structured on the Microsoft ecosystem , focused on continuity, native integration, and smooth transition from on-premises to cloud.

Google Cloud Platform** (GCP), finally, offers advantages in customization, advanced analytics, and data-driven solutions.

Security and compliance: how providers protect your business data

And security? When it comes to cloud, security is in all respects an essential requirement that impacts, among other things, business continuity. A fundamental concept to understand in cloud and security is the shared responsibility model. A model in which the cloud provider assumes responsibility for the security of physical infrastructure, network, and virtualization, while the customer company remains responsible for security in the cloud; that is, data, applications, configurations, and user access.

But how does this translate into practice? The main cloud providers continuously invest to offer tools, certifications, and standards that help companies ensure security and compliance, each with its peculiarities and strengths:

• Amazon Web Services (AWS) supports over 140 standards and certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, and FIPS 140-3.
• Microsoft Azure has broad support for regional and local requirements, and places strong emphasis on data compliance and integrated identity within its ecosystem.
• Google Cloud Platform (GCP) has certifications in privacy areas like GDPR/CCPA and offers well-documented “shared responsibility,” with native security tools to help customers meet their share.

Beyond standards, it’s fundamental to evaluate where data resides : the ability to choose the region or data center where workloads are executed is now a decisive point for meeting European regulations (and beyond). From the perspective of localization and regulatory compliance, it’s important to consider in which region or data center workloads are executed. All three providers offer the ability to select European regions, and specifically in Italy.

To explore in a dedicated way best practices and guidelines for protecting business data in the cloud, we refer you to the guide on Cloud Security, where we answer an increasingly urgent question: how to protect data in the cloud era?

Performance and scalability to support your growth

Once data security and compliance in the cloud are guaranteed, the next step concerns the ability to grow your infrastructure without compromising performance. When a company needs to handle more users, launch new services, or face traffic peaks, it’s fundamental that the chosen cloud offers global presence and the ability to scale: this is where concepts like number of regions and availability zones represent the operational foundation. A region is a distinct geographical area, while a zone is an isolated sub-area within the region, connected with reduced latency and designed to ensure high availability.

If the company uses a cloud with geographically distributed presence, it can place services and applications in the region closest to its users to ensure low latency, or in multiple zones to guarantee resilience and higher uptime.

In terms of geographical and infrastructure coverage, here’s how the three main providers position themselves** :

• AWS reports a network composed of over 120 Availability Zones distributed across 38 global geographical regions.
• Microsoft Azure boasts availability in more than 46 regions (with additional regions coming) and support for Availability Zones designed for latency below 2 ms between zones in the same region.
• Google Cloud Platform operates in locations in the Americas, Europe, Asia Pacific, Middle East, and Australia, with regions and zones designed to offer scalability and availability.

In summary, AWS is currently the provider with the widest geographical coverage globally, thanks to the high number of regions and availability zones already operational. Azure follows closely with constant growth and widespread presence, especially in Europe and rapidly developing areas. Google Cloud Platform offers broad international distribution, particularly appreciated for its ability to bring performance-driven services to all major areas of the world.

This vast coverage allows all three platforms to offer high performance globally, but AWS, on paper, remains the reference point for those seeking maximum geographical distribution and enterprise-level resilience.

How to Choose the Right Provider: Our Field Experience

After exploring in detail the main evaluation criteria, it becomes evident how much the comparison between cloud providers is a complex process , requiring a broad vision and deep technical and business knowledge. Precisely for this reason, relying on a specialized company like SparkFabrik can make the difference: our role as a strategic partner allows us to support the client both in the objective evaluation of solutions offered by AWS, Azure, and Google Cloud Platform, and in choosing the most coherent path with respect to the real needs and digital transformation objectives of the organization.

In our approach, provider selection is never limited to a “technological” choice, but also takes into account organizational context , business priorities , and level of digital maturity. Here are three practical examples where we supported our clients in choosing the best solution. In the table below you’ll find three different scenarios, to which we’ve associated the most suitable provider and the case study that tells the story of the project we realized.

Scenario 1: Provider AWS

Ideal Use Scenario

Scenario 2: microsoft azure

Scenario 3: google cloud platform

The Hybrid and Multicloud approach: the flexibility of AWS, Azure, and GCP

Do you really have to choose just one provider? The answer obviously is no. In business reality, the cloud choice doesn’t have to be “all or nothing.” Often the most effective strategy involves a mix , combining a primary provider with on-premises extensions or other clouds.

If you want to explore advantages, risks, and real use cases of these strategies, you’ll find a complete analysis in our guide Pros and Cons of Multi-Cloud: Is It Right for Your Company? A parallel analysis is also available in the guide on What is Hybrid Cloud: When to Choose It, Examples, Advantages. If, instead, you’re interested in understanding how to orchestrate a multicloud environment efficiently, you can consult the in-depth article Multi-cloud Orchestration: Tips.

Returning to the comparison between Amazon aws vs azure vs GCP: below you’ll find a table showing, for each provider, the main offering in terms of hybrid/multicloud and how these solutions respond to the needs of scalability, governance, and integration of enterprise IT.

AWS

Azure

Google Cloud Platform

Beyond comparison: the strategic partner for your cloud transformation

Choosing the most suitable cloud provider, as we’ve seen in the comparison between AWS, Azure, GCP, and Alibaba, represents only the starting point in a broader cloud transformation journey. The real value isn’t exhausted with the chosen platform, but is built over time thanks to an articulated strategy of adoption, management, and optimization capable of adapting to your business evolutions.

To face this challenge, relying on specialized skills like those of the SparkFabrik team can facilitate not only the solution selection, but also the management of all subsequent phases: from architecture design to daily management, to continuous optimization of performance and costs. Approaches like Managed Cloud Services and the adoption of dedicated DevOps platforms allow reducing complexity and freeing resources for the most strategic business areas.

If you want to evaluate a cloud transformation path tailored to your company, you can request a consultation and explore the options most suited to your scenario.

What is code refactoring and why it’s a strategic lever for business

Code refactoring is the process of restructuring existing source code without changing its external behavior. It’s not about fixing bugs, as happens in debugging, nor about introducing new features: its goal is to improve the internal quality of the software, making it simpler to understand, test and evolve over time. In other words, it’s an investment in code health, not a cosmetic intervention.

The real impact of refactoring emerges when we observe it as a strategic lever for business. Every application accumulates technical debt over time (those necessary quick choices or temporary solutions that, if not managed, eventually start to slow down development). Through systematic refactoring, this debt is reduced, freeing up resources and time to focus on innovation.

Cleaner and more coherent code allows teams to work with greater speed and confidence, fostering organizational agility, that is, the ability to respond quickly to new market or customer needs. Moreover, clear and easily understandable code translates into a reduction of regression risks (that is, the risk that code modifications damage other functionalities or introduce new bugs) and a reduction in lead time for each new release.

But refactoring, as we’ll explore further in the article, is not just a technical practice, it’s also a key element in keeping development activities sustainable and fast, in situations where code quality becomes a growth accelerator, and not, as sometimes happens, an obstacle.

The main refactoring techniques: a practical approach

Doing refactoring is not a one-shot activity but rather a series of targeted and systematic interventions that allow, over time, to simplify the complexity of the codebase and make it more easily evolvable over time.

One of the most widespread techniques is Composing Method, which consists of breaking down functions or methods that are too long into smaller, more readable blocks. Let’s take an example. Imagine a function that, in the context of an e-commerce application, handles calculating the total price of an order: it applies any discounts, adds taxes and finally returns a report. If all these operations are enclosed in a single long and complex function, understanding the role of each step becomes difficult both for those writing the code and for those who will need to modify or test it in the future. Through refactoring, each operation becomes a distinct function, with a clear name and precise responsibility. The result is code that’s more linear, clearer and more easily isolatable for a potential unit test.

Another essential technique is conditional simplification, which aims to make decision logic more readable. Nested expressions like “if X is true and Y is false or Z is null” not only slow down reading, but increase the probability of errors. Refactoring in this case leads to introducing intermediate variables with explanatory names, or replacing complex conditions with methods that clearly express the intention: “isEligibleForDiscount” is much more immediate than a long chain of logical operators.

Finally, with Abstract Refactoring we intervene on duplicated elements or common concepts distributed in the code, extracting them into a reusable class or function. For example, if different parts of the application calculate a commission or validate an input in similar ways, creating a shared abstraction reduces redundancy and simplifies future maintenance. Every modification thus becomes centralized and coherent throughout the system, strengthening the overall stability of the application.

How to do refactoring with AI: a guide to GitHub Copilot

Artificial intelligence is becoming a valuable ally in code refactoring as well, and among the most effective tools there’s undoubtedly GitHub Copilot: an assistant that interprets the code context and proposes cleaner, more efficient or idiomatic rewrites. Used methodically, Copilot can significantly accelerate software maintenance and improvement work.

Do you already know this tool? Whether the answer is yes or no, we suggest diving deeper with the workshop: So you think you know Copilot?

But how does Copilot concretely integrate into the refactoring process? The first step consists of understanding the existing code, leveraging Copilot Chat commands like /explain. This function generates a textual explanation of what a code block does, clarifying intents, dependencies and potential critical points. It’s a quick way to orient yourself in complex or poorly documented code portions, before intervening. You can also ask to add comments to the code to make it clearer even in future readings.

Once the necessary understanding is acquired, it’s possible to ask for generic improvement suggestions, for example with prompts like “How can I make this method more readable?” or “Is there a more efficient way to handle this logic?”. Copilot will propose alternatives that respect the semantics of the original code, but simplify its structure or improve its performance.

Finally, the real value emerges when moving to targeted refactoring instructions. You can explicitly ask “Reorganize this code applying the Composing Method pattern” or “Extract the validation logic into a separate function”. Copilot will generate a refactored version consistent with the request, keeping the software behavior intact.

It’s fundamental however to remember that Copilot is an intelligent assistant, not a human substitute. Proposals must always be reviewed, understood and validated by the development team. The expert judgment of the programmer remains the balance point between automation and quality. Because, on closer inspection, every refactoring must not only be technically correct, it must also respect the architecture and business objectives.

Speaking of artificial intelligence, have you already downloaded our white paper?

Agentic refactoring: Claude Code and the Model Context Protocol (MCP)

In the White Paper you’ll find all the potential of AI agents, and yes, it also concerns refactoring. Agentic refactoring indeed represents the new frontier in the evolution of AI-assisted development.

This is demonstrated by the evolution of tools like GitHub Copilot itself, which today no longer limits itself to suggesting improvements or code snippets, but now integrates different interaction modes graduated based on task complexity (you’ll find everything in our Workshop on Copilot). In particular, if the Ask mode is perfect for brainstorming without altering the code and Edit allows targeted modifications to open files under supervision, it’s with the Agent mode that things really change pace.

Agentic systems in fact act directly on the code, operate autonomously on multiple files and autonomously invoke external tools to reach the goal, understanding its context, dependencies and the global structure of the project. AI is no longer just a suggester, but an active collaborator that can execute complex transformations in an autonomous and controlled way.

In this scenario, Claude Code comes into play, one of the most advanced tools currently available for coding and agentic refactoring. Based on a next-generation language model and integrated with the Model Context Protocol (MCP), Claude Code is able to access semantically the entire codebase of a project. Thanks to MCP, the agent truly understands the application context: it knows how the different parts of the software connect to each other, which modules depend on others and where to intervene without compromising system stability. This makes deep refactoring possible - such as the reorganization of entire components or the replacement of architectural patterns - while maintaining code safety and coherence.

As Enrico Zimuel emphasized in our event Talk on my machine: GenAI x business: the ability of AI to understand code written by other developers (and to explain it to other developers) is the first crucial step toward truly effective collaboration between human and machine. Agentic refactoring is born precisely from this deep understanding: no longer a set of specific suggestions, but an intelligent process that interprets the team’s intent and translates it into concrete actions on the code, accelerating the development cycle and increasing the overall quality of the software.

Watch the video: Software, uncertainty and generative artificial intelligence

When to do refactoring (and, above all, when to avoid it)

Understanding when to do refactoring is as important as knowing how to execute it. Not every moment is suitable, and intervening in the wrong way can transform a good intention into a risk for project stability. Thinking of refactoring as a form of preventive maintenance helps to insert it into the development cycle with criteria, avoiding perfectionist drifts or waste of time.

When to do it: the ideal moment is before adding new features, especially if these need to integrate with dated or barely readable code. Refactoring at this stage allows building on solid foundations, reducing the probability of introducing bugs. Also after launching a project is an excellent occasion: once the software is in production, the team has a clearer vision of problematic areas and can optimize them in a targeted way. Another frequent case is when a module becomes excessively complex or difficult to maintain; in this scenario, refactoring serves to restore linearity and favor collaboration between teams.

When to avoid it: refactoring should not be tackled under pressure of tight deadlines. In those cases, the goal must remain the delivery of functional value, not code perfection. It’s also discouraged on obsolete software or software destined for dismissal: improving something that will soon be abandoned means investing time without return. Finally, it should never be started if the code is not covered by tests: without a safety net, every modification risks introducing regressions that are difficult to detect.

A good criterion, ultimately, is to consider refactoring as a measurable investment: it should be executed when the benefits in terms of stability, development speed or technical debt reduction clearly exceed the cost of the intervention.

From refactoring to app modernization: our strategy (the 5 Rs)

Refactoring is not just a code cleanup practice, but one of the central levers of a broader path: Application Modernization. We’re talking about the strategic path that allows evolving IT architectures toward greater efficiency, scalability and innovation. (If you want to explore this process in depth, read the in-depth article Application modernization: what it is and what are the benefits).

When an organization decides to evolve its digital ecosystem, it doesn’t just optimize what already exists: it defines an overall strategy to make applications more agile, scalable and ready for change. In this context, refactoring becomes the balance point between preserving existing value and the push toward innovation.

Among modernization strategies, there’s also replatforming, often the ideal choice for those who want to migrate from legacy applications to a new cloud platform, without having to rewrite all the software from scratch. To learn more: Replatforming: from legacy to a new cloud ecosystem (+ examples)

Regarding app modernization, at SparkFabrik we adopt a structured approach based on the 5 Rs framework: Rehosting, Refactoring, Rearchitecting, Rebuilding and Replacing. Each “R” represents a different level of intervention, from simple movement of the application to a cloud infrastructure to its complete reconstruction. Refactoring, in particular, occupies an intermediate position: it allows improving the architecture and code without disrupting the overall functioning of the system, making it more maintainable, performant and ready for further evolutions and for cloud optimization.

In this sense, refactoring is often the first concrete step toward modernization, the one that prepares the ground for deeper initiatives like containerization or transition toward a microservices architecture. It’s the phase in which quality is sown that will allow subsequent transformations to take root in a stable and lasting way.

To explore our approach in depth and discover how the 5 Rs guide modernization strategies at SparkFabrik, visit the page dedicated to the Application Modernization service.

Reducing technical debt: a measurable benefit of refactoring

We’ve already mentioned technical debt, which is the IT equivalent of a variable-rate loan: it allows gaining speed in the short term, but generates interest that becomes increasingly heavy over time. Every shortcut taken in development (duplicated logic, an outdated dependency, a poorly scalable structure) accumulates until it slows down the pace of innovation and increases maintenance costs. Teams find themselves dedicating more time to understanding and correcting code than to developing new functionalities, with a direct impact on productivity and time-to-market.

Refactoring is the main tool for reducing this debt in a systematic and sustainable way. By improving the internal quality of the software, it increases its readability and coherence, reducing errors and simplifying future evolution. In business terms, it means cutting down the hidden costs of development (those related to complexity and slowness) and returning to the team the ability to innovate quickly. It’s an investment that doesn’t produce immediate value, but builds the foundations for more solid technological and organizational growth in the long term.

Choosing the right partner for your application transformation

Modernizing applications doesn’t just mean updating technology, but realizing a strategic transformation that aligns your company’s digital assets with business objectives, making it more flexible, scalable and ready for future challenges. Tackling this transition requires specialized competencies and, above all, requires an overall vision that knows how to unite cloud-native architectures, DevOps practices, process automation and modular and API-first design strategies.

At SparkFabrik we work with a structured approach, guided by application modernization best practices and our experience in the field. We follow every phase of the journey: from rehosting to the adoption of microservices, artificial intelligence integration and UX/UI redesign. The goal? Transform legacy applications so they truly respond to business needs.

Want to see how this approach can make a difference in your company too? Explore our application modernization services or write to us: sometimes a new point of view changes the direction of the project.

The new NIS2 and DORA regulations have marked a transformation in cybersecurity in Europe. Adapting to this new standard is a complex challenge for thousands of companies, particularly those operating in Cloud Native environments. However, it’s not just about meeting an obligation; it’s about seizing the opportunity to strengthen operational resilience and gain a competitive advantage.

In this second deep dive of our series on NIS2 and DORA, we explore the concrete strategies and best practices we’ve identified for effective implementation, starting with a DevSecOps approach and a culture of security. If you haven’t yet, you can start with our first article to discover the characteristics of the regulations and the specific challenges for the world of Cloud Native architectures.

DevSecOps: The Framework for Integrating Security

The DevSecOps approach represents a solid foundation for implementing the requirements of NIS2 and DORA in Cloud Native environments, thanks to its ability to integrate security into every phase of the software development lifecycle, including the initial stages of development.

How to Implement Security Shift-Left in Practice

Considering security aspects from the earliest stages of the development cycle is a significant change for organizations and a major improvement in the security score of any application.

This approach aligns perfectly with the proactive risk management requirements of the new European regulations. Furthermore, it allows for identifying and resolving vulnerabilities not only more promptly but also when the cost of remediation is still low, thus providing benefits in terms of both security and business.

Some best practices for effectively implementing security shift-left are:

• Threat Modeling : Adopt a structured internal process to identify potential threats and define appropriate countermeasures. Through dedicated sessions at the beginning of a project, security can be integrated directly into the application’s design (“security by design”). Such sessions should be conducted not only in the initial phase but also before new functionalities or significant architectural changes. Furthermore, threat modeling becomes truly effective when it involves all relevant stakeholders (developers, architects, security specialists, and potentially other stakeholders). This way, not only are varied perspectives considered, but a shared understanding of security risks and consequent mitigation strategies is fostered.
• Security requirements as user stories : Integrate security requirements into the normal development workflow, treating them as user stories in the product backlog, with clear and measurable acceptance criteria. In other words, security aspects should be considered on par with other “business” functionalities and as integral parts of the product. This also helps to reflect and solidify a “security by design” culture, where security is a “normal” piece of the development process, not a later consideration.
• Security Champions : Identify developers with an interest in security and invest in their specific training. These champions will be the promoters of security best practices within the team and the entire organization, fostering their understanding and adoption. Identifying Security Champions is a particularly effective strategy for distributed teams or organizations with limited resources to dedicate to security topics.

Automating Security Controls in the Development Cycle

As in many other areas, automation in the world of cybersecurity is one of the most effective ways to streamline operations and processes. With increasingly complex applications and infrastructures, integrating automated security controls is now an essential best practice.

A mature security approach involves implementing different types of automated controls to reduce risks and errors, avoid delays in the development cycle, identify vulnerabilities in a timely manner, and intervene quickly. The main security tools that can be integrated into development pipelines are summarized in the following table.

Integrating these controls into CI/CD pipelines requires a balance between security and speed. While these tools act automatically, it is also important to configure them precisely to minimize false positives and prioritize vulnerabilities based on their severity and context. A gradual approach to implementation, starting with the most critical controls and then progressively extending coverage, can facilitate team adoption and integration into development processes.

Best practices also suggest defining clear policies on which vulnerabilities block the pipeline and which can be managed as non-blocking warnings, also formalizing the process for managing exceptions. This approach allows for maintaining the right balance between development agility and security, ensuring that critical vulnerabilities are addressed promptly.

The importance of these controls also extends to supply chain security , a crucial aspect for Cloud Native architectures. Supply chain security refers to the security of the software and hardware components that make up an application, including all dependencies, libraries, and container images that are not developed internally but come from external sources. Protecting the supply chain means ensuring that these components do not introduce vulnerabilities or malicious code into our systems, a fundamental requirement for compliance with regulations like NIS2 and DORA.

For a deeper understanding of this topic, we invite you to watch the talk by our CTO Paolo Mainardi (in Italian) who explains its importance and how to manage it effectively. For more insights on common vulnerabilities, mitigation strategies, case studies, and best practices, the recordings of our Talks On My Machine event dedicated to Supply Chain Security are also available (in Italian).

Monitoring and Threat Detection

NIS2 and DORA regulations place particular emphasis on the ability to identify, classify, and respond to security incidents in a timely manner. Cloud Native environments, being by their very nature distributed, ephemeral, and dynamic, require advanced approaches to monitoring and threat detection.

An effective monitoring system in a Cloud Native environment must certainly include:

• Log centralization : Collect logs from all components of the ecosystem (applications, containers, orchestrators, infrastructure) and aggregate them into a single central repository. This provides complete visibility and facilitates event correlation, allowing for the identification, mapping, and patching of vulnerabilities and security breaches. To manage the volume and complexity of logs generated in Cloud Native environments, dedicated log management tools are available, including Elasticsearch, Splunk, or Loki. These solutions allow for storing and indexing complex, large-scale logs, and are equipped with advanced search and automatic analysis functionalities that facilitate the identification of anomalies.

• Runtime security monitoring : Identify anomalous behaviors that could indicate an ongoing attack, such as privilege escalation attempts, abnormal access to sensitive resources, or unauthorized communications. Runtime monitoring through dedicated tools is particularly important in containerized environments, given that the ephemeral nature of the components makes it difficult to identify anomalous behaviors.

• Network security : Implementing a zero-trust approach, where no communication is considered secure by default, is particularly suitable for Cloud Native environments. Other best practices include network segmentation, in-transit encryption, and providing granular controls over communications between services.

• Compliance dashboards : It is a good practice to create specific visualizations that track relevant metrics such as open vulnerabilities by severity, remediation times, and the implementation status of security controls required by regulations. A shared dashboard also helps to hold the team accountable for security and compliance issues.

Operational Resilience and Business Continuity

Operational resilience , which is the ability to maintain operational services even in the presence of incidents or disruptions, is a fundamental pillar of both NIS2 and DORA. It is a genuine requirement of the two regulations to ensure the continuity of key services in the European economy, with a particular emphasis on the financial sector. Let’s look at the main best practices for maximizing resilience.

Fault-Tolerant Architectures

Cloud Native architectures offer inherent advantages in terms of resilience: by nature, they have the ability to distribute workloads across different infrastructures and scale dynamically. However, conscious design is still necessary to fully exploit their features and functionalities. It is also essential to anticipate inevitable failure scenarios and the consequent mitigation strategies.

• Geographical distribution of workloads across multiple availability zones or regions
• Autoscaling mechanisms to adapt dynamically to load variations
• Resilience patterns like circuit breakers and bulkheads to prevent cascading failures
• Automatic failover systems to minimize downtime

Chaos Engineering for Testing Resilience

Chaos Engineering, initially adopted by advanced technology organizations, is becoming an increasingly mainstream practice as a tool to verify that systems respond as expected in case of problems. This methodology allows for proactively identifying weak points that might remain hidden until a real incident occurs.

• Controlled experiments of deliberate failure to test recovery capabilities
• Incremental approach starting with simple tests in non-production environments
• Monitoring results to identify weak points in the architecture
• Continuous improvement based on experiment results

Structured Backup and Recovery

A true constant since the dawn of IT, a solid backup and recovery strategy always remains a fundamental element of any cybersecurity strategy, even in Cloud Native architectures. Backups protect against human errors and technical malfunctions. Furthermore, they are also an important line of defense against ransomware attacks, which are an increasingly widespread and sophisticated threat.

• Clear and complete backup policies (frequency, retention, coverage)
• Periodic recovery tests to verify the effectiveness of procedures
• Security measures to protect backups from unauthorized access
• Automation of backup processes to reduce the risk of human error

Documented Incident Response Procedures

Documenting incident response procedures, in addition to being an explicit requirement of the regulations, is essential for ensuring a rapid and effective response in case of an incident. Periodic drills allow for verifying the effectiveness of procedures and help build practical experience, which is necessary to respond effectively in stressful and truly emergency situations.

• Detailed playbooks for different incident scenarios
• Clearly defined roles and responsibilities
• Communication templates for internal and external interactions
• Periodic drills to test the effectiveness of procedures

5 Best Practices for Implementing Compliance

The effective implementation of NIS2 and DORA requirements requires not only appropriate tools and technologies but also a cultural and organizational approach that integrates security as a fundamental value and a constant objective.

1. Adopt a security by design approach. By integrating security into the DNA of the development process, organizations can prevent many problems that would otherwise require costly and complex interventions. Security by design allows for identifying vulnerabilities and security flaws as early as possible, intervening promptly and reducing the cost and complexity of late remediations.
   Best practices:
   • Integrate security from the initial design phases
   • Define security principles that guide architectural decisions
   • Use already security-hardened patterns and reference architectures
   • Conduct threat modeling sessions regularly
2. Automate as much as possible. Automation plays a fundamental role in making compliance sustainable over time. Investing in automation may seem costly initially, but it offers significant returns in the medium to long term, reducing the manual workload and minimizing the risk of human error.
   Best practices:
   • Implement security controls in CI/CD pipelines
   • Automate the generation of compliance documentation
   • Use policy-as-code for automatic enforcement
   • Implement automated alerts and remediations where possible
3. Invest in training and culture. Training and organizational culture are often underestimated but crucial elements for success. By creating an environment where security is everyone’s responsibility, not just that of the specialized team, a significantly higher level of protection is achieved. Security Champions are an effective way to promote a security culture.
   Best practices:
   • Train all teams on regulatory requirements
   • Create security champions in every team
   • Incentivize the reporting of security problems
   • Promote a culture of shared responsibility for security
4. Adopt a risk-based approach. This approach allows for allocating resources efficiently, concentrating efforts where they can have the greatest impact. Always relevant, it becomes fundamental in contexts with limited resources where it is necessary to maximize the return on security investments.
   Best practices:
   • Evaluate the criticality and sensitivity of systems and data
   • Allocate resources based on risk assessment
   • Define controls proportional to the value to be protected
   • Implement more robust protections for mission-critical systems
5. Document systematically. Documentation allows for having an always updated snapshot of assets and resources, as well as internal best practices that allow for quickly understanding how to act in an emergency.
   Best practices:
   • Maintain an updated inventory of assets and resources
   • Document architectural decisions and risk mitigations
   • Prepare audit-ready documentation
   • Implement an effective document management system

The Path to Compliance: Where to Start

Implementing compliance, especially for organizations approaching the security requirements introduced or strengthened by NIS2 and DORA for the first time, requires a structured and incremental approach that balances the urgency of meeting regulatory requirements with the need to maintain business operations. An effective implementation path typically consists of the following phases:

1. Awareness and initial training. The first step is to create awareness at all levels of the organization. It is important that training involves not only developers but also management and other functions. Only in this way is it possible to lay the foundations for a widespread security culture.
   Best practices:
   • Introductory workshops on regulatory requirements and their impact
   • Awareness programs for technical teams
   • Executive briefings for strategic management alignment
   • Industry benchmarks to understand how other organizations are addressing compliance
2. Assessment and gap analysis. In any methodology, a fundamental step is always a thorough evaluation that allows for understanding the current state and identifying priority areas for intervention.
   Best practices:
   • Security posture assessment to evaluate the current state
   • Analysis of all relevant aspects: architecture, processes, technologies
   • Identification of gaps against regulatory requirements
   • Definition of a baseline to measure progress
3. Roadmap definition. Planning is crucial for effective implementation. The implementation roadmap must be realistic and balanced, considering not only the regulatory urgency but also the operational impact of the interventions.
   Best practices:
   • Prioritize interventions based on risk and business impact
   • Identify “quick wins” that can be implemented quickly, which are invaluable for creating momentum and visibility for the entire compliance program
   • Plan more complex and long-term interventions, with clear and measurable objectives
   • Allocate resources and define realistic timelines
4. Fundamental controls. Even if the initial state and gaps vary for each organization, there are certainly some fundamental controls that every organization should implement with the highest priority.
   Best practices:
   • Access management: implementation of robust access controls and strict application of the Principle of Least Privilege (PoLP)
   • Vulnerability management: structured process of identification and remediation
   • Security monitoring: implementation of basic detection systems
   • Incident response: definition of initial incident response procedures, a requirement explicitly provided by NIS2, including the obligation to notify authorities (notification within 24 hours, full report within 30 days)
5. Incremental implementation. Cybersecurity is constantly evolving; after implementing the fundamental features, a process of continuous improvement is necessary. The incremental approach is particularly suitable in complex contexts like Cloud Native environments. This allows for testing the effectiveness of solutions on a small scale before extending them to the entire organization, with a significant minimization of risks. But it’s not just about features; it’s also about culture and experience in the face of real emergencies: a maturity that is built over time.
   Best practices:
   • Adopt an iterative approach with implementation-verification-adaptation cycles
   • Initial focus on fundamental and high-impact elements
   • Expansion of implemented controls
   • Involvement of key stakeholders in every phase
   • Adaptation of the roadmap based on feedback and results
6. Verification and continuous improvement. Security practices cannot be limited to the initial development phase of a project or to the moment the journey towards regulatory compliance begins. Instead, security must play a central role and be considered on par with “business” features, providing for continuous monitoring and improvement. From this perspective, security itself becomes a “business feature” in every respect.
   Best practices
   • Conduct regular internal audits
   • Periodic vulnerability assessments
   • Review and update procedures
   • Adapt to new threats and the evolution of regulatory requirements

Cybersecurity is an extremely vast and delicate subject that requires skills and expertise that must be built over time. In the initial phase of a security approach, it is particularly important to balance regulatory urgency with operational sustainability. Trying to implement all functionalities and controls at the same time can be counterproductive, leading to superficial implementations and a dangerous organizational resistance.

The incremental approach, instead, allows for obtaining tangible results in a reasonable time, while building the skills and culture necessary for an effective implementation of the most advanced controls. By identifying and starting with “quick wins,” it is possible to quickly achieve easy victories that create internal momentum. Each success obtained then contributes to creating momentum and gaining support for both the subsequent phases of the adaptation journey and the future commitment to continuous improvement.

Strategic Approach to Compliance

By adopting a modern and strategic perspective on compliance, it is possible to transform a regulatory obligation into a competitive advantage. It’s a mental, cultural, and organizational shift that turns a simple mandatory fulfillment into an opportunity to improve our processes and architectures.

The security enablement approach, in contrast to traditional security enforcement, fits perfectly into this vision. Rather than imposing controls from above that could be perceived as obstacles, with security enablement, the focus shifts to empowering teams to implement security, providing them with tools, knowledge, resources, and support.

A methodology that is also effective in the security field is that of continuous improvement. Security is not only integrated into existing processes, but continuous controls and verification of adopted protection measures are also integrated, as well as the evaluation and integration of new measures. This cycle of continuous improvement allows for adapting to the constant evolution of cyber threats, also becoming more reactive to new regulatory requirements.

Within the organizational culture , there must be a shift aimed at considering security on the same level as all other functionalities. But not only that: for a true “security culture ” to be established, transparency and collaboration must be fundamental values. Only in this way is it possible to create an environment of open communication about security problems, based on incident analysis and learning rather than blame, and on the creation of spaces for discussion and sharing.

Last but not least, a sustainable vision of security, while maintaining compliance requirements over time without sacrificing agility and innovation, cannot do without automation. Automation allows for reducing the manual workload, integrating security into daily workflows, implementing continuous monitoring, and intervening promptly—all of which are essential aspects of effective cybersecurity.

Conclusion and next steps

As we have seen, implementing the NIS2 and DORA requirements in Cloud Native environments represents a significant challenge, especially for organizations facing these aspects for the first time. However, with the right approach, it becomes an opportunity to improve security, operational resilience, skills, and organizational culture.

Organizations that adopt a structured approach, with an emphasis on automation, training, and continuous improvement, will be able not only to meet regulatory requirements but also to gain competitive advantages in terms of reliability, security, and innovation capability.

To start the compliance journey, we recommend:

1. Evaluate the current state through an initial assessment
2. Define a realistic roadmap with clear priorities
3. Implement fundamental controls and proceed incrementally, starting with “quick wins”
4. Measure progress and celebrate successes
5. Adopt a continuous improvement approach

At SparkFabrik, we follow the evolution of security regulations and their application in Cloud Native contexts with great attention and interest. Our CTO, Paolo Mainardi , personally leads the company’s commitment to security, acting as a Security Champion and promoting internal specialization in supply chain security and DevSecOps. This focus is also reflected in our active participation in international communities, as we are members of key organizations such as CNCF, Linux Foundation Europe , and OpenSSF.

Our experience in the sector allows us to offer strategic consulting and support in the implementation of solutions that balance compliance, security, and innovation. To support organizations on their compliance journey, we have also created the NIS2 & DORA Compendium, a complete and free guide to help you navigate the regulatory requirements and challenges of Cloud Native environments.

To learn more about these topics or discuss the specific needs of your organization, we invite you to explore our service offerings or contact us directly:

• Supply Chain Security
• Cloud Native Journey
• DevOps & Automation
• Kubernetes Consultancy
• Managed Services
• Cloud Migration

Or contact us directly for a personalized consultation on your specific context.

We spent four days at DrupalCon Vienna 2025 (October 14-17) attending over twenty technical sessions, workshops, and BOFs. The strongest message? Drupal isn’t chasing trends but consolidating technical leadership in three critical areas: enterprise-grade AI with real governance, Canvas as the first “design system native” CMS, and operational maturity for projects at scale.

This isn’t a marketing report but a practical account of what we saw working in production, which problems remain open, and where you should invest attention over the next six months. For Italian teams planning 2026 projects, there are decisions to make now, not later.

October in Vienna has that dry cold that makes everything sharper. Perfect for four days of total immersion in what turned out to be one of the most technically dense DrupalCons in recent years. It wasn’t a conference of sensationalist announcements, but of working demos and field-tested solutions, as well as that rare combination of strategic vision and operational pragmatism that distinguishes mature communities from those in the hype phase.

All session videos will soon be available in the official DrupalCon Vienna 2025 playlist .

Dries Buytaert’s keynote set the tone: four pillars (Canvas, AI, Orchestration, Site Templates, Marketplace) and a clear statement. AI is a technology that’s here to stay , regardless of whether the financial bubble bursts sooner or later. Drupal is one of the best-positioned open-source CMSs to leverage it. No defensiveness, no “we have AI too,” but a clear strategic implementation roadmap.

What struck us most? The distance between announcements and reality was minimal. Canvas isn’t vaporware: it’s in working alpha with agencies already running pilots with real clients. AI isn’t a tacked-on chatbot: it’s architecture designed for enterprise governance with production-grade observability. Site templates have moved beyond the concept phase: the first ones are already here.

We’re organizing this report by thematic areas, not chronologically. What matters isn’t “what was said on Tuesday” but “what changes for your 2026 projects.”

Canvas: demo vera, risposte vere

Drupal Canvas (the new name for Experience Builder) is Drupal’s brand new visual builder that promises to simplify and streamline how we design and build pages in Drupal. We’ve already discussed it in our article on Drupal CMS 2.0 innovations and in the comprehensive overview of Drupal AI, where we analyzed the architecture and strategic positioning. In Vienna, we saw what it means to bring it to production, and especially where gaps still exist.

The “Drupal Canvas Unleashed” session sold out with over 400 participants. The key message: Canvas combines Single Directory Components (SDC) and blocks as “backend” components, but with Canvas you no longer need to know how they work once they’ve been developed.

Settings in Canvas are the properties of SDCs, while a left panel controls slots, a new “entity” that allows managing the component tree in layers, potentially nested within each other. Additionally, in the theme configurations there’s a setting to let Canvas manage global regions like header and footer, importing them with just a few clicks into every new page. Truly effective and intuitive: anyone familiar with Figma or other visual builders like Framer and Webflow will find themselves in a very familiar environment.

But the most interesting feature? Code Components , which support writing React components directly in the browser. These components can use elements and CSS components defined in Canvas, also support props to add dynamic data (for example, a title). Furthermore, it’s also possible to query via JSON:API to build dynamic components that retrieve data from the backend.

What already works:

• Content Templates for defining structured content type layouts (perfect for landing pages)
• Global regions and reusable components
• AI (in beta) that allows building code components directly via prompts
• Views natively supported

Gaps still open:

• Paragraphs and layouts are still work in progress
• Some contrib modules that only work on nodes aren’t compatible
• Some contrib field types don’t work yet
• Multilingual isn’t fully supported
• Server-side rendering isn’t implemented (blocked by security implications, support isn’t guaranteed for all server providers)
• APIs to extend Canvas (not just in terms of module integration, but also embedded web apps in Canvas) and offer truly rich user experiences
• Standard permissions system (e.g., to create new components or use existing ones)

The “Strategies for Integrating Drupal Canvas in Your Existing Platform” session provided practical guidance. Canvas creates a new “canvas pages” content type, so modules that only work on nodes might have compatibility issues. Canvas is a React app on the frontend, compilation and rendering in the editor happen in the browser in real time.

For frontend developers, the “JavaScript Frontend Development with Drupal Canvas: Beyond Decoupling” session showed advanced workflows. It’s possible to develop external JS components and sync them with dedicated utilities. There’s a bidirectional workflow to move from Drupal to Storybook and vice versa. Canvas supports adding global CSS for preview. Each component passes data to Drupal, the component is rendered with nuxt client-side, and external components are standard Vue components.

Practical takeaway: If you’re planning Drupal projects for Q1-Q2 2026, Canvas is production-ready (stable release November 2025, default in Drupal CMS 2.0 from January 2026). In the budget, it is essential to account for component library development time, rather than individual page implementation. The ROI is immediate for teams with high page creation volume.

Native design system: finally a CMS that understands design

The “Drupal, the first design-system native CMS” session by Pierre Dureau (Beyris) presented a paradigm shift that deserves attention.

Indeed, in Drupal themes present significant historical problems : they’re not shareable (a theme is for a specific project), they’re not plug-and-play (there’s always a missing template), they have unfriendly DX.

The proposed solution: business agnostic coding. Like the backend, the frontend must be decoupled from business through plugins—that is, a design must be conceived independently of business and brand. This is where well-structured design systems come in, enabling a major strength: “one design, many products.”

And Drupal is an ecosystem that particularly effectively leverages a design system , as a structured, organized, and well-described design is one that Drupal can easily understand and use (we also discussed this in our recent Design System and Drupal CMS article).

Very interestingly, the talk introduces a method that proposes an inversion of the traditional Drupal workflow (site builder / backend dev → templates → frontend dev). Instead, now it’s the frontend developer who provides modular frontend plugins, and this also implies ownership for the frontend developer and YAML as the primary working tool.

More than a mere stylistic exercise, supporting this method and this shift are concrete features already available directly in Drupal core:

• breakpoints.yml for breakpoint images
• layouts.yml for layout grid system (layouts in Layout Builder)
• SDC for UI components
• icons.yml for icon packs

Certainly, feature coverage is still quite limited. However, coming in Drupal 11.3 and 11.4 will be important new design-dedicated API endpoints that will significantly raise the bar and further separate theming from the Drupal app:

• Styles API with Utilities & Helpers (set of mutually exclusive, self-descriptive, single-purpose, and universal HTML attributes like Typography, Borders, Colors, Spacing, Elevation) and Themes & Modes (predefined branding switch, color scheme, accessibility settings)
• Design Tokens API with scoped values available for local or global overrides, which become CSS variables only at runtime

Despite several gaps remaining, this talk emphasizes an ambitious but achievable goal for the first time in Drupal’s history: the possibility of a fully automatable design workflow, from the design phase in Figma to final rendering in the browser.

But it wasn’t the only talk focused on the winning Design System + Drupal pair. Truly remarkable is the session on Nestlé’s scalable multi-brand design system, which showed a real implementation. This case study discussed reorganization and design system design on three levels: core, ui components, brand overrides.

This structure proved fundamental both for managing the complexity of dozens of different brands and for giving overall coherence to the brand ecosystem. The Drupal theming system based on starterkit ensured rapid deployments, efficient updates, and the ability to instantiate new sites in days instead of weeks. Now, over 100 sites developed in Drupal adopt this approach.

Practical takeaway: If you’re building or rethinking your design system, consider a “design system first” approach instead of “Drupal theme first.” The initial investment is higher but scalability and maintainability are orders of magnitude better. For multi-brand organizations, it’s practically mandatory.

Digital accessibility: EAA and AI

One of the main advantages of a design system is optimization and consistency of user experience. But today, the design system is also a strategic tool for complying with the European Accessibility Act. Two talks addressed the accessibility theme, and in particular the “AI in EAA” session explored how AI can support compliance with accessibility standards, increasingly critical with the EAA in effect since June 2025.

AI can accelerate QA teams (automated crawling), content editors (summaries, automatic alt-text, intelligent text editors), designers (color and contrast analysis, object recognition, ARIA property and state suggestions), and developers (linting tools, IDE extensions, autocomplete to create accessible components) in catching accessibility issues.

However, it cannot replace genuine human testing. Even in this area, it’s essential to mitigate the risks of over-reliance on AI, maintaining human oversight to overcome limitations and biases of automated tools, such as cultural and linguistic peculiarities, cultural sensitivity, linguistic particularities, and misinterpretations of context.

Fundamental in any case is understanding accessibility issues , no longer an accessory element, but both an obligation and a business opportunity. We’ve explored the topic in two key resources: the whitepaper Accessibility and Design System and the operational accessibility checklist.

Practical takeaway: For many organizations, accessibility isn’t yet a clear priority. Automated tools and AI can offer significant support, but education on requirements, internal training, and communication are indispensable pillars. To truly be compliant and truly embed accessibility into the company DNA requires an approach that integrates accessibility from the design phase: a “design-to-code” method that combines technical interventions, training, and culture, which only a specialized partner can orchestrate.

Enterprise AI: governance first

We’ve already written an in-depth article on Drupal AI analyzing features like content generation, context management, autonomous agents, and observability. In Vienna, we saw concrete implementations and discovered patterns that work (and some that don’t).

The “The AI Agent Swarm has come to Drupal Canvas” session showed practical integrations. Canvas template agent can build entire landing pages by assembling components, and the AI beta configured in Canvas allows building code components via prompts (some settings are preconfigured to accelerate adoption, but everything is customizable).

The session also explored how agents can be used everywhere in Drupal for small or large tasks , even building sites from scratch with external tools via MCP (Model Context Protocol), all without writing a line of code.

For effective LLM use, “context is king.” In our previous article, we examined the ability to define context for specific actions callable through Field Widget Actions. This system was still quite cumbersome and embryonic.

A nice leap forward in this regard is represented by the Context Control Center , which allows centrally defining all context information, such as your brand, persona, and topic (much like what happens in Claude Code or Copilot through claude.md or agents.md files, but directly in the Drupal UI).

Furthermore, centralization of contexts enables decidedly more effective governance. The various contexts are then easily callable and usable by different Drupal AI features and agents. If you want to delve deeper into Context Engineering, we refer you to the very interesting talk by Enrico Zimuel during our GenAI-focused event.

Pattern that works. AI for content generation with human supervision for approval (Human in the Loop): AI creates a draft, a person reviews and approves before publication. This approach resolves the trade-off between speed and control, and aligns with Drupal’s philosophy where AI empowers people, not replaces them.

Pattern that doesn’t work well yet: Full automation without human supervision. Even with a well-configured Context Control Center, AI can generate content that technically respects guidelines but has wrong nuances that only a human can catch. Full automation therefore risks not aligning with brand quality level, and human supervision is strongly recommended.

Practical takeaway: Invest in AI to accelerate execution (drafting, research, assembly), not to replace strategic decision-making. The Context Control Center is the key differentiator: without centralized governance, enterprise AI scales poorly and introduces risks. Budget time for robust initial Context Control Center configuration, don’t think it’s “plug and play.”

DevOps and Release Management: lessons from the field

Some of the most practically valuable sessions were on DevOps, CI/CD, and release management: topics that truly make the difference between projects that scale and projects that collapse.

GitHub Actions + Docker + Cypress = CI/CD Nirvana

The talk describes an ideal configuration (the “CI/CD Nirvana”) for the development process: tools for local development that automate QA (grumPHP), visual regression testing (BackstopJS), e2e testing (Cypress), and security audits. These same tools must also be used in CI to ensure safe code release without regressions.

On GitHub, this is possible with GitHub Actions. Ideally, write your own custom Actions, customized for the specific use case. This way, the obtained advantages are evident: you avoid using Docker images with unnecessary software, you can insert specific tools (e.g., debug), you have full control of what gets deployed.

But it’s imperative to pay close attention to security implications. GitHub Actions can also act on production code and therefore access must be limited, ssh keys must be kept secret, close attention must be paid to third-party Actions and database dumps. As always, it’s essential to schedule regular code audits and reviews.

Mastering the Release Flow: 5 years of continuous improvement

Very instructive case study that includes a Drupal instance distributing content to 5 React apps, 20 connected external services, 40 countries with up to 3 languages each (multilingual was absolutely essential in this project), 13,000 test steps distributed across 700 Behat feature files.

The tests in particular followed a very rigorous approach: they were structured in adherence to identified user journeys, separating production and non-production tests, core functionality and country-specific, running every night. The goal? Identify bugs and anomalies before users (and the client).

Despite the meticulousness, some emerging problems made it evident that it still wasn’t sufficient. In particular, the problems encountered by the team were:

• Behat is no longer actively developed
• The Mink extension had a critical bug for the latest Chrome versions for a long time (not fixed for 3 months)
• Nightly tests on AWS now lasted more than 8 hours

To overcome these limitations, the team created a new framework called Cuppet that combines Cucumber (to avoid rewriting tests) and Puppeteer (actively maintained by Google), based on NodeJS.

Our takeaways from this case study?

• If it’s “painful,” automate it or solve it
• Operational excellence is not optional
• Make it work → make it right → make it fast (in this order; in this case study, the process lasted a full 5 years of iterative improvements)
• Reliability is more important than new features (address technical debt)
• Being a “good person” is more important than technical skills, even more so in a world where everyone interacts with AI, but where developers and end users are always people.

This last point emerged in several sessions. The keynote “Neurodiversity: An Underrated Superpower in Business” opened the second day with discussion on neurodiversity and how peculiar capabilities of people often set aside can bring valuable contributions to teams and organizations.

Testing in the AI Era

The “Test All the Things” session emphasized that with AI generating more and more code, testing takes on even greater importance. LLMs make coding accessible to everyone, even those without prior skills, developing a false sense of security. Growing reliance on these tools increases the probability of defects or unexpected behaviors that are difficult to identify.

Very interesting is the overview of different testing approaches in different environments, for example:

• Running tests in an environment that replicates production ensures high fidelity, but it’s a complex process, with privacy implications and long times, especially with large databases
• Installing a site with test content is instead much faster and manageable, ideal for more agile development and verification cycles, necessarily at the expense of production environment fidelity

Static code analysis (PHPStan, psalm) is a valid tool for preventing bugs and keeping overall code quality under control. The workflow described in the talk is very similar to what we adopt at SparkFabrik , thus confirming its quality, with the difference that this year we adopted Symfony Panther for behavioral tests, replacing Behat. Also interesting is the mention of Pa11y for accessibility analysis, an often underestimated tool but of great support for ensuring standards compliance and inclusive experiences.

Practical takeaway: If you’re adopting AI for code generation, invest proportionally more in test automation and static analysis. AI-generated code often works but has unexpected edge cases that only robust tests will catch.

Security by Design: from requirement to culture

At SparkFabrik, security is particularly close to our hearts. Beyond being a regulatory requirement for many companies, security is fundamental for protecting data, user trust, and companies’ online reputation.

The “Secure by Design: Integrating Security into Drupal Development” session presented a valid overview on the “secure by design” approach , with theoretical and practical guidance on strategies to implement to ensure security of sites and portals developed in Drupal, from business requirements to technical implementations.

The starting assumption: Security must be understood as a core business requirement , not as an “afterthought.”

And in Drupal, this assumption is taken very seriously, with a dedicated Security team that regularly publishes security advisories. In October 2023, the Security by Design Initiative in the Drupal community also launched, supported by the U.S. Cybersecurity and Infrastructure Security Agency, along with international partners, including European states like Germany and the UK.

The talk shares practical guidance (also very technical and specific), including:

• Implement security from the requirements phase
• Periodic code review with security focus
• Automated security scanning in CI/CD
• Regular penetration testing for critical projects
• Security training for the entire team (not just developers)

Also worth mentioning is the “Better Debugging with Xdebug” session, which presented advanced debugging features, including experimental features like “control sockets” for debugging running processes, and the concept of “time traveling” to “go back in the execution process.”

If you want to delve deeper into security topics, check out our articles on security and compliance with Drupal CMS, on Software Security, Cloud Security, DevSecOps and on the impact of NIS2 and DORA in Cloud Native (we also created a complete operational guide).

Practical takeaway: For enterprise projects, it’s important to budget specific time and resources for security activities (threat modeling, security testing, security reviews), ideally a budget of 10-15% of total time. It may seem like a lot, but it’s a minimal fraction of the cost of a security incident.

Marketplace and Site Templates: real economics

Ryan Szrama from Centarro presented “How to Sell Drupal Site Templates” with rare honesty.

First, what is a site template? It’s a combination of Drupal CMS, frontend theme, possibly also a backend theme, recipes that provide functionality, and predefined content that, together, create a Drupal installation tailored for a specific purpose and allow quickly starting a new project. Think for example of a Template for SaaS companies, or an ecommerce site: use cases with specific needs that can be packaged.

Commerce Kickstart is precisely one of the first available Site Templates. From Drupal distribution, it was converted into a site template, enriched with recipes for eCommerce, with modern checkout experience, various configuration options, and installation simplification.

The appeal of Site Templates is quite clear: provide a specific solution to a specific problem. Even from a sales perspective, it should be a “better” sales strategy, or at least more immediate and direct, compared to a project idea, an “abstract solution.” This is where the most interesting and pragmatic points of the talk emerge: the critical points and the experience so far.

Three are the most critical points :

• In practice, how and where to publish a site template? Currently, there’s no centralized marketplace on drupal.org yet, there’s no transaction management system, and not even file distribution. For templates to take off, it’s fundamental to find an operational answer, avoiding having to manage purchases manually and individually.
• How to protect intellectual property when distributing the entire product as code? Very hot topic, and here too there’s no clear answer.
• But the priority point is: how to convince a real client to buy a Site Template? The focus is on this point, testing sales in the field. The value proposition being leveraged is monetary and time savings for the end client, accepting however the trade-off of lack of customization (“off the shelf” product). Important disclaimer, at the current state, no sale has been completed yet (prospects weren’t clear what they were buying and requests veered toward coaching needs, customization, dedicated services).

For Site Template sales to be sustainable, three things are therefore fundamental: a way to distribute them effectively, and clear communication about what the package includes.

In this regard, the “Decision-making at Scale: Drupal Marketplace Process Behind the Scene” session showed how a committee of 12 people handled deciding whether Drupal should create a marketplace for site templates (a process that lasted 14 weeks). The answer is positive, with a gradual release.

On the official page of the Drupal Marketplace Initiative, the overall plan on Site Templates and Drupal Marketplace is detailed:

• by DrupalCon Vienna, a pilot with the simple release of 1-2 templates;
• by DrupalCon Chicago (March 2026), release of an MVP of the Marketplace, with 10-15 templates, both free and paid;
• initially, Site Template Makers will be limited to some selected Drupal Certified Partners, then progressively expand to other makers;
• for paid templates, requirements of transparent pricing, guaranteed maintenance, clear support terms must be met;
• the MVP will include experiments in terms of pricing models and revenue division;
• it’s hypothesized that initially 10% of revenues will go to the Drupal Association;
• in future iterations, the marketplace will directly manage transactions and revenue division could change to 60% to the creator, 30% to DA, 10% to a fund supporting the ecosystem.

Practical takeaway: The marketplace will officially launch in the coming months, and will evolve gradually but quickly. For agencies, consider developing vertical site templates (e-commerce, non-profit, education) for your target market, as soon as possible (and prepare to sell it as a product, not as a solution). The economic model is still emerging but the timing is ideal for early movers.

Orchestration e Architetture Composable

The “From CMS to Platform: How to Build Future-Proof Digital Ecosystems with Drupal” session presented an important vision. When a client asks for a website, in reality the request often hides the need for a complete digital ecosystem , composed of websites, applications, integrations with third-party systems for specific services.

In the Drupal Core Strategy published in July, Dries explicitly defined Drupal as a “platform” because talking about CMS is now limiting. Drupal has potential to serve as the heart of a digital platform for various touchpoints.

This talk also presented an example, a project based on NodeHive, but the basic architecture can be generalized for any platform that leverages Drupal as a single headless backend, with an Orchestration layer that allows managing various touchpoints.

As we discussed in our article on composable architecture, this approach is increasingly relevant for organizations that need to serve experiences across web, mobile apps, digital signage, voice assistants, and more, simultaneously and consistently.

Finally, in terms of workflow orchestration, an important new feature is Drupal’s support for no-code/low-code automation tools such as Activepieces (an open-source orchestration platform licensed under MIT). This was announced during Driesnote and discussed in detail in Dries’ dedicated article.

Practical takeaway: Don’t think “Drupal site” anymore but “Drupal as content hub.” Architect from the start for multi-channel content delivery. The initial cost is slightly higher but future flexibility is incomparably greater.

Managing scope change: the art of saying NO without saying NO

Beyond technical talks, the “Navigating Scope Creep” session was particularly appreciated by project managers. Indeed, it addressed a universal theme in software projects: scope creep , the uncontrolled expansion of requirements, features, and deliverables of a project beyond what was initially approved.

Typically, scope creep manifests during certain phases: requirements gathering, client feedback, near project completion (last-minute changes are particularly risky), and when stakeholders change (for example, new team members, who can bring new ideas).

The main causes? Unclear objectives or requirements, inadequate communication, desire to avoid conflict (probably the most common problem), but also constantly evolving regulatory and market frameworks.

The talk proposes a clear approach: accept scope change, but do it effectively. The approach is based on three pillars:

1. Awareness: it’s fundamental to know the project in detail, monitor stakeholder behavior and the change request process.
2. Alignment: from the early phases, create a shared vision of objectives, align priorities, discuss expectations, formalize scope documentation.
3. Clear processes: implement clear Change Management processes, don’t accept verbal requests, document requests and decisions, set clear limits.
4. Avoid misunderstandings: Communicate openly and transparently (even expressing your disagreement, with motivation), involve the client in testing, explain using wireframes and prototypes.

Cherry on top: four concrete tactics were shared in conclusion.

• The alternative offer: we can work on the new request, but we’ll need to adjust the timeline and budget.
• Priority shift: adding the request means removing something else from the backlog, what should we deprioritize?
• Future release: let’s plan this addition for phase two, after completing core features.
• Data-driven approach: based on our analysis, this addition would bring little value, especially compared to development cost (if you have statistics against a feature, bring them to the table).

Practical takeaway: Invest in formalizing the Change Management Process from kickoff. It seems like an initial cost, but it prevents hours (or weeks) of rework and tensions with stakeholders. Use tools like AI notetaker for automatic meeting notes that become “single source of truth” shared by everyone.

Real Talk: Drupal vs Storyblok

Another session was a breath of fresh air: “Why We Left Drupal, Tried Storyblok, and What Happened Next”. An agency attempted the switch from Drupal to Storyblok , driven by the desire to diversify tools and this alternative CMS’s massive marketing. In short? The new solution didn’t measure up.

The main frustration was the absence of basic features almost taken for granted in Drupal, like building modules, complexity in managing URLs and redirects, configuration management (and related versioning) in Git. The team essentially found itself in the position of having to innovate autonomously to replicate basic features already available in Drupal ("We literally rebuilt Drupal’s Configuration Management for Storyblok “).

No less important, the limited tech stack. The team had chosen Storyblok + Next.js, given their expertise, but Storyblok was optimized for Vue.js. As a result, the agency had to build workarounds autonomously, even to leverage features of the new Next.js version released during the project.

Features aside, Storyblok’s support itself didn’t meet expectations, with non-timely responses and unclear guidance that caused significant delays. You can’t even rely on the community , being extremely small and poorly engaged. Essentially, every problem requires a custom solution.

The discovery: A technology like Storyblok can be useful in very specific contexts, but for enterprise solutions, Drupal continues to represent a high standard. Solid, tested over 20+ years of community work, with proven solutions we risk taking for granted, forgetting not all CMSs have them.

A memorable tagline: “Product before marketing.” This resonates with the general theme of the conference. Drupal isn’t doing aggressive marketing but is consolidating its positioning as an excellent product in critical areas that truly matter for business. As we discussed in our CMS comparison, Drupal excels where complexity, governance, and longevity are primary requirements.

Practical takeaway: If you’re evaluating alternative CMSs, look beyond feature lists on paper and shiny UI. Ask hard questions: how do you handle multi-brand? How do you manage configurations and versioning? How do you ensure granular access control? How do you migrate when you’ll inevitably need to? How is the support and community around the ecosystem? Drupal has proven answers, alternatives often have promises.

Performance: HTTP/3 and network-level optimizations

As evident from the title “TCP Fast Open and HTTP/3: Network-Level Optimizations for Lightning-Fast Drupal”, this was an interesting examination of how the HTTP/3 and TCP stack works and its performance-level optimizations. That is, how to save precious milliseconds with the right configurations , and attention to possible attack vectors.

According to shared data, among the top 1000 sites, 60% support HTTP/3, of which 85% via CDN (Cloudflare, Fastly, etc.) and 15% directly. For Drupal specifically, Drupal.org, Acquia Cloud, and Platform.sh/Upsun support HTTP/3.

A technical talk, but the key message is clear: It’s time to enable HTTP/3.

Practical takeaway: If you haven’t enabled HTTP/3 yet, now is the time. Performance gains are significant and measurable, especially for mobile connections and applications requiring low latency. Check with your hosting provider if it’s available (Acquia, Platform.sh, Pantheon all support it).

Conclusion: concrete action items for your projects

Four days in Vienna confirmed a thesis: Drupal is going through a moment of profound technical renewal without losing the enterprise reliability that characterizes it. This is a rare and valuable combination.

For Italian teams planning 2026 projects, here are concrete action items to consider carefully.

If you’re planning a new Drupal project:

• Budget Canvas as authoring layer (stable since November 2025, default since January 2026)
• Architect for design system first, not for Drupal theme first
• Include AI Readiness Assessment in the project discovery phase (introducing AI features like Context Control Center requires planning)
• Plan for composable architecture even if starting with a single touchpoint

If you have Drupal in production:

• Review CI/CD pipelines to include automated security scanning
• Evaluate a pilot with Canvas, limiting yourself to one section of the site (not full migration immediately)
• Check compliance for accessibility in view of new EAA requirements (but also as a new opportunity)
• Verify HTTP/3 support

If you’re an agency or system integrator:

• Consider developing vertical site templates for your target market, as soon as possible (and prepare to sell it as a product, not as a solution)
• Invest in design systems, reusable and consistent across projects
• Evaluate partnerships to integrate AI solutions and features into your offering

If you have an in-house team:

• Propose a Canvas pilot, to facilitate future creation of high volumes of pages and content
• If you need content generation, experiment and define business cases to set up in the Context Control Center
• Do a review of your change management process (reduce scope creep problem, it costs more than the formalization process)
• Plan intensive training on the new stack of features and tools (Canvas, AI tools, design system approach)

The feeling leaving Vienna? Drupal made architectural choices in 2015 (structured content, API-first, rigorous configuration management) that at the time seemed overkill. In 2025, those choices are proving winning. They’re exactly the infrastructure needed for enterprise-grade AI, visual page building without sacrificing governance, and scalable composable architecture.

As Dries said in the keynote: “AI is the storm, but it’s also the way through it.” Drupal isn’t avoiding the storm. It’s navigating better than anyone else.

At SparkFabrik, we combine deep technical expertise in Drupal with advanced skills in AI integration, composable architectures, and enterprise governance. Our Drupal development services cover the entire spectrum: from strategic consulting on the AI readiness of your current architecture, to implementation of custom AI-powered solutions, through to security, ongoing support, and optimization.

If your organization is considering adopting AI for its digital initiatives, we invite you to:

1. Explore our case studies of enterprise Drupal implementations
2. Contact our team for an assessment of your specific needs
3. Discover how our suite of Drupal services can support your AI strategy

This article is part of our series dedicated to Drupal CMS. To explore other aspects of the platform, we invite you to consult our previous articles on features and benefits, comparison with alternatives, migration strategies, security and compliance, composable architecture, Design System, Drupal headless omnichannel, and overview and news of Drupal AI.

Every day a new AI tool is born promising to revolutionize our habits. The software we use is filling up with intelligent features, social feeds are exploding with demos, and we, in all of this, need to understand what’s really worth knowing and testing.

It’s not easy to navigate a new world that’s still evolving: between genuine hype and fleeting illusions, between tools that actually accelerate workflow and others that end up complicating it: a reasoned approach is needed.

That’s why we thought of an overview that shines a light on what both the tech giants and the emerging names on everyone’s lips are doing. To have a map that brings together all those tools that, in one way or another, will end up redefining how we think about and create design.

Why we’re talking about AI revolution in the design world

This isn’t the first time design has changed its skin, but this one has all the makings of a much deeper transformation. The arrival of Artificial Intelligence is revolutionizing the way we design. Not just for the speed at which we work, but for how we think about design, which phases of the process we can automate, and which still need human intuition, sensitivity, and experience.

This change is already reality and doesn’t only concern experimental tools but the platforms we use every day, from Figma to Google, which integrate AI functionality directly into the workflow. And they’re not just doing it to keep up, but because AI is really changing how we think, organize, and produce design.

We’re in a totally open, exploratory phase, as if it were a big wild west. Some tools are in beta, others work in fits and starts, still others need to be trained, tested, adapted to your own context. But waiting isn’t always the best strategy. Those who start exploring AI possibilities now can make more conscious choices, avoid the risk of chasing fleeting trends, and, above all, fine-tune a process that really works for their team.

Before moving forward, let’s talk for a second about another topic that today more than ever is fundamental for a designer (and anyone working in the digital field) to know well: accessibility. We’ve created a white paper (in Italian) to help teams adapt and work with an accessible by design approach, save it for later!

AI for UX, or how to empower the designer and not replace them

If we had earned a cent every time someone asked us: “But will AI steal our jobs?”, by now we could buy all of Silicon Valley.

Our short answer is: “No”.

The designer’s answer is: “It depends”. It depends on how we choose to use it.

The truth though is that we’re getting caught up in panic and if we thought more calmly the right question we should ask ourselves is: “How do we want AI to help us in our work?”.

Because AI, if used critically, can really become our creative copilot. It should be the secret weapon to unblock us when we’re stuck, to show us alternatives, to help us see more clearly in chaos, not to take our place.

Imagine it as a colleague always in a good mood and available for brainstorming, suggesting a structure or helping you order your thoughts. And yes, also for taking on the most boring activities like transcribing, summarizing interviews, extracting insights or generating a wireframe skeleton. But deciding the direction, giving meaning and coherence, making the choices that matter always remains with flesh-and-blood people.

This is exactly what’s happening in the development world. The arrival of tools like GitHub Copilot hasn’t replaced coders but has made their work faster and more productive. This is what’s now called vibe coding, whose mantra states: less repetitive code and more creative problem solving. Similarly, in design, we’re witnessing the birth of its natural parallel, vibe designing which could be translated as less pixel pushing and more strategy.

The goal isn’t to automate everything, but to enhance human ingenuity, free up time, create space for reflection and experimentation. AI can do a lot, but it still can’t, and perhaps never will, replace the ability to read between the lines (especially of project briefs), to intuit people’s deep desires, to imagine solutions where there aren’t any yet.

ALSO READ: UX Developer: chi è e cosa fa? (Italian)

10 UX/UI AI tools that every design team should know

To discover AI tools with the greatest impact, there’s no need to go far. All the big players in the sector are already integrating intelligent features directly into their products, gradually transforming our daily work.

These are no longer isolated experiments or plugins for tech enthusiasts: it’s a profound change, because it’s happening within workflows we already know. Behind familiar interfaces, there are already radical innovations.

Alongside the giants, platforms born for digital design that make AI their main leverage are emerging, but also hybrid tools that experiment right on the border between design and development. Here we’re not talking about additional features, but tools built around AI from the beginning.

The Big Players: How AI Enters Everyday Tools

1. Figma AI

Figma didn’t just integrate an AI assistant, it rethought the role of artificial intelligence in collaborative design. Today its ecosystem moves in three directions: accelerating creative flows, expanding automatic generation, and simplifying publishing.

Main features:

• FigJam AI: useful for automatic clustering of ideas, workshop summaries, creating mind maps and auto-layout for collaborative boards.
• Figma Make: is one of the most promising innovations. It allows you to create UIs and complete flows starting from text prompts, using existing components and logic.
• Figma Sites (in rollout): born to generate responsive landing pages starting from content present in the file, optimizing layout and structure for web publishing. In its current state, the code underlying the generated design isn’t exactly optimized and accessible, but improvements are constant.

Ideal for: UX/UI designers who want to move faster from wireframe to prototype, distributed product teams working iteratively on shared boards, and content designers or marketing managers who need to quickly validate layouts and landing pages.

In our talk dedicated to AI’s role as the designer’s copilot (in Italian), we illustrate the entire process in Figma to move from the wireframing phase, to defining the design system library, to generating a prototype. A realistic example of effective use of artificial intelligence’s generative functionality, supervised and governed by the expert hand of a designer.

2. Adobe Firefly & Sensei

Adobe has chosen a systemic approach: AI becomes part of the creative flow, reducing the distance between the initial idea and the final output of assets. The integration is designed to enhance human work, not replace it, and is guided by the logic of helping designers and creatives realize complex ideas faster, without sacrificing quality or visual coherence.

Firefly works on generating images, effects, graphic elements and branded styles from text prompts. Sensei instead optimizes and speeds up with automatic selections, intelligent crops, assisted fills and colorings. Together they form a pair that covers the entire flow, from experimentation to execution.

Main features:

• Adobe Firefly: now an integral part of Photoshop and Illustrator, generates images, vector elements, effects and branded styles from text prompts. It was trained on Adobe Stock to ensure commercially safe outputs.
• Adobe Sensei: AI system that powers functions like intelligent object removal, automatic selections, composition and color suggestions. Includes Firefly-powered technologies like Generative Fill for image modifications via text prompts and Generative Recolor for rapid colorings of vector works.

Ideal for: visual designers and art directors creating original and branded assets, graphic designers managing color variants and revisions in rapid times, and creative teams that need to maintain visual coherence across campaigns, sites, and multiplatform materials.

3. Google Workspace AI

Google has transformed its productivity suite into an AI-powered ecosystem that supports every phase of the design process. Under the Gemini umbrella and with experimental projects from Google Labs, tools are multiplying to support research, analysis, writing, and prototyping.

Main features:

• NotebookLM: AI research notebook for synthesis and insights from documents and multimedia content (texts, PDFs, audio), ideal for summarizing and organizing large quantities of content, like user interviews, or doing competitive analysis.
• Gemini AI for Workspace: integrated assistant in Gmail, Docs, Sheets, Slides, Chat and Meet that helps with writing, brainstorming, summaries, visual generation and collaboration in daily workflow.
• ImageFX (currently not available in Italy): image generator for moodboards and visual prompt-driven. Let’s not forget technologies like Nano Banana (image editing via prompt) and Veo3 (video generation), which complete Google’s offering.
• Stitch (in beta): experimental tool for rapid prototyping, to go from prompt to UI in a flash.
• AI Studio: Google’s free web platform that includes various technologies, models and AI tools and includes advanced features. It allows you to explore and develop prompts with Gemini models, test creative ideas and generate text, code or images starting from personalized prompts.

Ideal for: UX teams doing user-centric research, designers or product managers who need to prototype quickly, create visual assets, manage large quantities of content or documents, and make collaboration super fluid.

In our talk, we offer a concrete example of how AI supports the designer in the Discovery phase. With the support of NotebookLM, as well as a good dose of prompt engineering, it’s actually possible to synthesize a large quantity of information (reviews, interviews, analytics, raw data), elaborate mindmaps that help exploration, generate complete reports to share with the team and client.

4. Microsoft Copilot

Microsoft has integrated Copilot natively into the Microsoft 365 suite, offering AI features that support business workflows, between content production, automation and design.

Main features:

• Copilot in PowerPoint and Word: helps generate presentations from prompts or reference documents, rewrite texts, create intelligent summaries and apply consistent layouts.
• Microsoft Designer: tool for creating graphics and marketing assets with AI assistance, using templates, styles and visual/textual inputs.
• Power Automate with AI: allows building automated flows starting from natural language, diagnosing and repairing errors in workflows or adding generative actions in business processes.

Ideal for: enterprise teams, product managers and project managers who need to prototype presentations and internal documentation quickly but above all improve internal automation of recurring processes.

Vibe designing and vibe coding: the future is hybrid

If there’s one point where design and development are really merging, this is it. New hybrid platforms are transforming text prompts, sketches and flows into real digital products, navigable, functional. Here AI isn’t just support, it’s the main tool to create, iterate, validate and publish faster.

5. Lovable

Lovable is a low-code platform designed for those who want to create functional web applications starting from a text description. Just a simple prompt and in a few seconds you have a first navigable draft, with interface, flows and interactions already ready to test.

The logic is “design while you build”: perfect for projects in exploratory phase or for small teams that want to immediately understand if an idea holds up. Great for gathering feedback on something already tangible, without starting from scratch every time.

6. Replit

Born for those who write code, Replit today is an AI-powered playground perfect also for designers, strategists and those working in discovery. With Ghostwriter (its AI assistant), you can test components, try micro-interactions and explore alternatives in real time.

It’s a highly collaborative tool for working with multiple hands on the same prototype, seeing what happens when you change something and receiving suggestions from the model. It’s a bridge between those who design and those who develop, perfect for making tests without blocking the sprint.

7. Visual Studio Code

Visual Studio Code, now an indispensable editor for those who develop (even design-driven projects), today integrates powerful AI features thanks to GitHub Copilot and dedicated extensions. It’s possible to generate, correct and document code starting from natural language prompts and receive real-time suggestions while working on UI and front-end flows.

Various integrations, like Figma to Code extensions or the use of MCP servers, allow transforming layouts and interfaces created in Figma directly into ready-to-use code, reducing times and error risks between design and development.

Among emerging alternatives, it’s worth mentioning editors like Cursor and Windsurf, which follow the same AI-driven approach. They’re ideal tools for teams collaborating between design and dev, and for those who want to automate the writing of UI components or quickly test new ideas starting from prototypes.

AI-powered visual CMS

In recent years, new visual CMS have raised the bar by integrating AI to simplify and accelerate design, development and publishing of sites and applications. Platforms like Framer, Webflow and builder allow even those who don’t write code to create, iterate and put online professional digital products, combining an evolved visual editor with AI components for layouts, copy, images and automations.

8. Framer AI

Framer AI is a tool designed to shorten the distance between concept and publishable result. With AI features you can generate complete layouts starting from text prompts, set visual hierarchies, animations, content and interactive elements in a few steps. Ideal for designers and teams who want to test ideas fluidly, explore alternatives without touching the code again and validate prototypes directly in the field.

9. Webflow AI

Webflow is establishing itself as the king of no-code for designers, and AI now adds another level. With Webflow AI you can ask for suggestions on layouts, texts, page structure. It’s possible to modify elements in natural language and see the result in real time. Its real strength is in precision: the result isn’t just a draft, but a base already ready to be published or refined by hand. Perfect for those who want to maintain visual control but lighten the more technical part.

10. Builder.io

Builder.io isn’t a simple visual editor: it’s an AI-powered visual development platform that unites design, code and content. Its AI engine, called Visual Copilot, intervenes in the existing flow, supporting designers and developers in automating the most mechanical parts, leaving them creative control.

What if we told you that even Drupal is AI-Driven?

When talking about hybrid platforms that merge design and development (the so-called vibe designing), it’s easy to think of tools born in recent years. But AI innovation is also involving the most robust enterprise CMS platforms.

This is the case with Drupal, historically known for enterprise stability and scalability, as well as for its open-source nature, which is taking giant steps in integrating AI directly into the workflow, including those involving UX/UI. In other words, Drupal today offers designers a modern playground as much as other emerging tools. Let’s see the main aspects.

Experience Builder and Component Generation

If the future of design is composable, AI must operate within clear rules. This is where Drupal’s new Experience Builder (XB) comes in, a drag-and-drop visual editor that allows building interfaces and layouts by composing sections and components, embracing modern frontend technologies.

This is where the AI Assistant comes into play (in active development), which allows the designer to create entire templates from text prompts (“Create a homepage template for a university”, “Create a product page to launch this new product”, “Add a section with two paragraphs and a vertical slider of five images”).

The most important point: AI doesn’t invent code from scratch, but reuses and orchestrates Single Directory Components (SDC) already approved by the design system. This way, the output is always consistent, accessible and adherent to company standards.

In Drupal, AI doesn’t replace the designer, but multiplies governance effectiveness, freeing up time from “pixel pushing” to focus on strategy and creativity (the real added value of designers).

Design System and Visual Coherence

A design system is the backbone of any scalable project (regardless of the AI factor). Drupal integrates natively with Storybook, the de facto standard for developing and documenting UI components (we talked about it here). This allows:

• Developing UI components in an isolated environment
• Guaranteeing the visual contract between designer and developer.
• Speeding up QA and prototyping.
• Always keeping the component library updated

To push automation further, specific AI-based addons for Storybook can help automatically generate documentation (stories) and quality tests and controls, ensuring that the entire component catalog (those that XB’s AI will use to compose pages) is always updated and precise. An integration that, when it reaches full maturity, will transform GenAI’s operational speed into governed and coherent output.

Drupal MCP Server

A perhaps less visible but truly revolutionary aspect is Drupal’s ability to become a source of strategic context for LLMs. Thanks to support for Model Context Protocol (MCP) in fact, Drupal can expose its own data (content nodes, taxonomies, information architecture) as Resources and its own functions as Tools directly usable by external LLM models.

Translated into practice: an LLM can query in real time the structure of Drupal’s contents to analyze user paths, suggest microcopy or CTA optimizations, or propose UX modifications based on the live and updated context of the site.

But Drupal MCP’s possibilities look truly unlimited, allowing connection of tools and resources to AI agents in the most diverse processes, to the advantage not only of designers, but of many other business functions.

Drupal’s AI features are really in continuous evolution: many functions are already available, some aspects are still in development, others are experimental, still others are only sketched. But the future is rosier than ever, with really tight development by an extremely dedicated and fierce community (SparkFabrik actively contributes too!).

How LLMs Can Support UX Strategy

When we think of AI tools for design, visual tools often come to mind. But Large Language Models (LLM) like ChatGPT and Claude are becoming fundamental allies also for those working on research, strategy and information architecture.

They don’t design interfaces, but they can help think them better.

These models are particularly useful in the initial phase of the process, when you need to gather, rework and connect a lot of information often in tight times. Here are some concrete use scenarios:

• Analysis of usability heuristics: you can ask an LLM to evaluate a page or interface according to Nielsen’s 10 principles. It doesn’t replace a real UX review, but can help you do a first quick and reasoned check.
• Analysis of key user paths: feed it the site map or a user flow and ask for an analysis of possible frictions or weaker calls to action.
• Synthesis of user interviews or tests: when you provide transcripts, the model can help you summarize pain points, recurring insights and suggestions (as we did with NotebookLM in our talk).
• Writing and testing microcopy: you can rapidly iterate on interface texts (titles, CTAs, error messages) and evaluate tone and clarity alternatives.
• Support for UX documentation: generation of personas, use scenarios, flow descriptions, even just as a first draft to then refine by hand.

Even those who build AI, like the Anthropic team, use it every day to simplify their work. Claude, their language model, isn’t only used to write code or generate texts, but also to do research, think about products, organize ideas.

In an internal document, the Anthropic team tells of using it to write UX project plans, reformulate value propositions, reorganize insights gathered in interviews and improve product documentation. A concrete example of human-AI collaboration that improves efficiency and strategic depth.

ALSO READ: UX Strategy: l’usabilità è al servizio del tuo brand (Italian)

How to introduce these tools in your team, strategically

The way we see it, AI shouldn’t be a sprint to keep up with the latest trend to embrace at all costs, but an opportunity to rethink the way we collaborate, create, test. And to do it effectively requires a clear, shared and scalable strategy.

The most classic advice is also the most effective: start with a pilot project, perhaps internal or low-risk. Experiment in a controlled context, measure what works (and what doesn’t), then expand adoption. AI can accelerate processes, but without a solid upstream system it risks creating only confusion. If you already have a well-structured design system (more details in our design system deep dive), use it as a guide to select and configure tools: components, naming, tone of voice and accessibility must remain consistent.

And then create sharing moments: adoption works better if it’s participatory. It’s important to leave space for individual experimentation, but also to plan moments when the team can compare what they’ve tried and discovered. AI is a new tool and company culture is also built this way: experimenting and talking openly together.

ALSO READ: Design system: guida strategica per coerenza, UX e accessibilità (Italian)

How we integrate AI Tools in our projects

To understand what really works you need to get your hands dirty. At SparkFabrik we do it in the field: we experiment on internal activities, test tools and processes and bring to client projects only what generates real value.

An example is EAA, a site dedicated to the European Accessibility Act. Here we used Replit to accelerate the cycle between design and development: create, test, improve. The site was designed to be accessible, readable and sustainable, and AI helped us reduce times without losing coherence with our design system.

Another interesting case is DrupalCamp Italy, created with Lovable to prototype and iterate while always keeping our designers’ vision alive. And we emphasize that it’s not a matter of “doing faster” but of testing a new way of working, more fluid, more collaborative, closer to how we imagine the design of the future.

In both cases it wasn’t about replacing our work, but making it more fluid, fast and connected. Designing with our method, with our style.

If you’re thinking of introducing AI tools in your workflows, we can help you do it the right way: starting from your priorities, respecting your processes, and choosing together what can really improve your team’s daily work. Ask our Design Unit how you can walk in balance between method, creativity and technology.

In this guide to Kubernetes as a Service (KaaS) , you’ll find everything you need: from tangible benefits to best practices for security and management, up to DevOps and AI scenarios. Without neglecting the limitations and practical advice for truly effective adoption, also thanks to SparkFabrik’s profound experience.

What is Kubernetes as a Service (KaaS) and How Does it Work?

Kubernetes as a Service (KaaS) is a managed cloud solution that provides ready-to-use Kubernetes clusters, such as AWS EKS, Google GKE, or Azure AKS. The main feature of KaaS is the so-called managed Control Plane : everything needed to coordinate and “orchestrate” the cluster’s operation is managed directly by the provider, so the IT team can focus solely on their applications.

A quick note before we continue: to better understand KaaS, it’s helpful to have some knowledge of the basic components of Kubernetes. If you want to delve into the Control Plane, Worker Nodes, and other key elements of this technology, check out our guide to Kubernetes architecture (Italian).

Let’s take a closer look at how this platform works. In a traditional cluster, teams have to handle the installation, configuration, and updates of Kubernetes’ central elements. With the managed Control Plane of KaaS, however, all these responsibilities are in the hands of the provider: the API server, etcd, controller-manager, and scheduler are automatically replicated and updated by the service itself. The advantage? High availability, resilience, and security are guaranteed, with no extra effort for the internal team.

Another key aspect is the configuration of internal cluster services. KaaS allows you to easily set up different types of Kubernetes services, such as ClusterIP for internal communication, NodePort for external exposure, LoadBalancer to balance cloud traffic, and ExternalName to connect to external DNS. Furthermore, the Ingress controller (often NGINX or Traefik) simplifies the entry of HTTP/S traffic into the infrastructure, correctly routing requests and automatically managing TLS security, eliminating the need to manually configure a LoadBalancer for each service.

To summarize: compared to manual Kubernetes management, KaaS eliminates the complexity of daily cluster installation and maintenance , automates patches and updates, reduces risks and errors, and speeds up deployment (we’re talking about going from weeks to a few hours). This way, company teams can avoid the typical mistakes made with Kubernetes. Most importantly, they can focus on their applications, with significant savings in time and resources.

The Main Advantages of Adopting a KaaS Solution

Adopting a Kubernetes as a Service solution brings numerous concrete advantages: first, deployment and scaling become immediate and reliable operations thanks to the native integration of features like the Horizontal Pod Autoscaler (HPA) and the Cluster Autoscaler. These automatically adjust the number of pods or nodes based on real demand, preventing waste or overload and reducing provisioning times from hours to minutes.

Secondly, automated cluster management is completely delegated to the provider (including updates, security patches, backups, and recovery), with tools like Azure AKS or GKE offering integrated SLAs and restore tools, which relieves the DevOps team of these responsibilities.

Another important benefit is access to other advanced features , which would require complex manual setups in a DIY context. In addition to the more common HPA and Cluster Autoscaler, you can easily leverage:

• Vertical Pod Autoscaler (VPA) , which optimizes resource allocation for each individual pod, ensuring that every application has exactly the resources it needs to function efficiently;
• Event-based scaling systems like KEDA (Kubernetes Event-Driven Autoscaling). Instead of relying only on metrics like CPU usage, these systems allow for autoscaling in response to specific events, such as messages in a Kafka queue or database activity, making them particularly effective for asynchronous workloads.
• Scaling to zero , a feature that reduces the number of replicas of an application to zero when there are no requests or events to handle. It’s ideal for serverless workloads or applications that are not used continuously, allowing you to completely eliminate resource costs when they’re not needed.
• Custom metrics to monitor performance and make autoscaling more flexible and targeted.

The result of all this? Cost savings due to a more efficient use of resources : think of 24/7 services with variable loads that scale up during peak hours and then completely reduce costs based on real consumption. For example, companies that adopt KaaS in production report a 20-30% reduction in infrastructure costs , simply by enabling autoscaling and managed backups.

Of course, there’s a flip side. Later, we’ll discuss the potential disadvantages of KaaS. However, we’ll also show how an expert technology partner like SparkFabrik can effectively mitigate these drawbacks.

Best Practices for Effective Use of Kubernetes as a Service

To effectively adopt Kubernetes as a Service, you need to rely on specific best practices. First, it’s crucial to plan regular updates and patches for the control plane and nodes, preferably by enabling the automatic updates offered by providers like GKE or AKS, to reduce the attack surface and immediately benefit from the latest patches.

In parallel, an effective access management strategy must be implemented. Best practices involve strictly applying the Principle of Least Privilege (PoLP), which assigns each user only the minimum necessary permissions. This can be applied in conjunction with Role-Based Access Control (RBAC), defining specific roles and bindings for users, service accounts, and applications, avoiding excessive permissions like cluster-admin and periodically reviewing policies.

Network Policies become essential for isolating traffic between Pods, reducing the risk of lateral movement within a network in case of compromise. In a microservices architecture, an attacker could exploit the compromise of a single pod (e.g., the frontend) to reach other pods (like the backend or a database) that would otherwise be protected. Network Policies address this risk by setting precise rules on which pods can communicate with each other.

To ensure availability and scalability, it is essential to configure HPA/VPA to automatically adjust replicas and resources based on real metrics. In the same way, you must define Pod Disruption Budgets to maintain a minimum number of active Pods during maintenance or updates.

Monitoring and logging must transition to centralized structures with Prometheus/Grafana for metrics, EFK/ELK for logs, and Alerting configured to track errors, anomalous resources, and unauthorized attempts.

The security of container images is obviously fundamental to prevent vulnerabilities and malware from spreading in the cluster. This must be managed by adopting several strategies:

• automatic scanning of images (using tools like Trivy, Clair) to identify known vulnerabilities, misconfigurations, and obsolete dependencies. The scan is integrated directly into CI/CD pipelines to automatically block the distribution of insecure images.
• use of reliable, secure, and private registries that offer access control and protection functions.
• minimal images, meaning they are stripped down to the essentials, reducing the amount of potentially vulnerable software in the container, and effectively reducing the “attack surface.”
• immutable signature/digest, a unique identifier that guarantees the integrity of the image and prevents unauthorized modifications after creation.

No less important is the protection of the etcd datastore , a critical Kubernetes component that stores the configuration and state of the entire cluster. Its compromise would have extremely serious consequences, which is why its protection is of utmost importance. It must be encrypted in transit and at rest (protecting encrypted data from interception or direct access), as well as isolated with TLS, which ensures secure communication. It must also be subjected to frequent backups (using native tools like etcdctl or solutions with snapshots in object storage), but having backups is not enough: it’s essential to regularly test the restore procedures as well.

Finally, introducing Admission Controller (such as OPA/Gatekeeper, components that intercept and can reject requests directed at the cluster), setting resource requests/limits to prevent oversubscription and overloads, and ensuring readiness/liveness probes (periodic checks to monitor a pod’s “health status”) increases security and resilience.

Thanks to all these measures, a KaaS cluster becomes highly secure, performant , and ready to handle incidents, providing a solid foundation on which to build mission-critical applications.

If you want to delve deeper into Kubernetes security, check out our insights on Container Security or more generally on Cloud security (Italian).

KaaS for DevOps: Optimizing the Application Lifecycle

As we’ve seen, Kubernetes as a Service (KaaS) revolutionizes the DevOps application lifecycle by offering a robust infrastructure abstraction that allows teams to focus on code, automation, and release quality. Native support for CI/CD is clearly evident: Kubernetes allows you to integrate pipelines with tools like GitLab CI/CD, Jenkins, or Azure DevOps , enabling automatic builds, tests, and deployments directly on clusters, with rollbacks and updates without downtime (blue/green, canary).

Containerization ensures consistency across environments and prevents classic “works-on-my-machine” problems, improving productivity and predictability and accelerating time-to-market. Thanks to automatic scalability (HPA, VPA, cluster autoscaler, KEDA), pipelines can dynamically adjust resources based on load, ensuring efficiency and optimized costs.

Kubernetes maintains the “desired state” by automatically replacing downed pods and supporting end-to-end resilience, freeing DevOps from the overhead of managing standard infrastructure. The infrastructure abstraction that characterizes KaaS means that DevOps teams no longer have to worry about VM provisioning or networking: they can operate in a declarative GitOps environment , where every change is traceable, versioned, and deployable via commit.

Furthermore, the operational impact is drastically reduced: DevOps teams can spin up on-demand runners for CI, test in isolated namespaces, and then destroy them afterward, eliminating costs related to ad-hoc activated servers. KaaS therefore allows for the creation of robust, resilient, and agile CI/CD and IaC pipelines , with a total focus on application value, not on the underlying infrastructure.

We’ve mentioned many concepts that deserve further exploration. To do so, you can check out the resources we’ve created on Infrastructure as Code, GitOps, and Continuous Integration and Delivery.

Kubernetes as a Service and Artificial Intelligence: Scenarios and Opportunities

Finally, we must mention the context of Artificial Intelligence. Indeed, Kubernetes as a Service is proving to be a strategic platform for the deployment and scaling of AI/ML applications , thanks to infrastructure abstraction and built-in features like HPA, VPA, and Cluster Autoscaler.

Tools like the ones just mentioned allow for dynamically allocating resources based on load and GPU or CPU requirements, while the Cluster Autoscaler extends scalability to the node level, preventing waste and ensuring optimal performance for training and inference. In addition, services like Azure AKS offer native integration with GPUs and spot nodes to reduce training costs, while separate Node Pools allow for differentiated workloads (e.g., training vs. inference).

Added to this are auto-scaling solutions based on predictive AI , capable of anticipating traffic spikes and proactively allocating resources, reducing lag during spikes and cutting costs by up to 40-50%. These results are also confirmed by real cases, such as Alibaba CS with AHPA (Adaptive HPA), which increased CPU usage by 10% (reducing wasted or idle CPU capacity) and overall reduced costs by 20% through more efficient use of cloud resources.

Furthermore, KaaS supports complete AI/ML ecosystems through platforms like Kubeflow , which offer interactive notebooks (writing and running code to experiment with models), training pipelines (automating model training and data preparation), operators for frameworks (which allow popular ML frameworks like TensorFlow and PyTorch to be run directly on K8s), and serving via KServe (to make the model usable in production via APIs). In short, these are complete platforms with a suite of specialized tools that provide everything data scientists and ML engineers need to orchestrate the entire model lifecycle on Kubernetes, from the initial experiment to production deployment, without having to worry about the underlying infrastructure.

On the operational front, there are also intelligent plugins and operators (e.g., KubeAI, kgateway, Kubectl-AI) enhanced by AI that simplify the operational management of Kubernetes, for example by generating YAML manifests or providing automated cluster introspection.

Other solutions like kubernetes-sigs/lws (LeaderWorkerSet API) are designed to simplify the deployment and scaling of complex AI models, especially multi-host and multi-node ones, by allowing a group of pods to be treated as a single unit of replication.

To concretely and easily serve LLMs on Kubernetes, there’s also vLLM , a tool that allows LLM models to be run in a distributed and scalable way, supporting deployment on both CPUs and GPUs, optimizing resource usage across multiple nodes, and ensuring high availability and resilience in inference. Our Cloud Native Engineers delve into these aspects in the talk “Deploy, scale, serve: gestire motori di Inference AI su Kubernetes” (in Italian).

In summary, KaaS for AI/ML offers a scalable, predictable, secure, and economically efficient foundation for managing complex workflows, with the added benefit of integrated predictive features to optimize costs and performance—a competitive advantage that more and more teams are adopting.

Challenges and Disadvantages to Consider with KaaS: The SparkFabrik Perspective

After dwelling on the benefits, it’s time to talk about the limitations of the KaaS solution. In fact, although Kubernetes as a Service (KaaS) offers numerous advantages in terms of simplification and automation, it’s essential to approach this technology with a full awareness of the potential challenges you may face.

So let’s look at the main issues and how SparkFabrik’s consultative approach and specialized services can help mitigate them.

The (Not Always Easy) Shared Responsibility for Security

With KaaS, the security of the Kubernetes infrastructure is inevitably shared between the provider and the customer. Fully understanding where the provider’s responsibilities end and the user’s begin is fundamental, but not always immediate.

The SparkFabrik Approach: To prevent this risk from becoming a threat, we work alongside our clients to clearly define the perimeters of responsibility. Through personalizedKubernetes consulting and the structured path of the Cloud Native Journey, we guide teams in implementing the security best practices that are the company’s responsibility (and not the provider’s). This includes adopting the Principle of Least Privilege (PoLP) with RBAC, configuring strict network policies, secure container image management, continuous monitoring, and much more.

Risks of Vendor Lock-in

Relying on a single KaaS provider can, unfortunately, create a strong technological dependency , making future migrations to other providers or to on-premise solutions complex and costly.

The SparkFabrik Approach: At SparkFabrik, we favor solutions based on open standards and Open Source technologies precisely to ensure maximum portability and flexibility. Our goal is to transfer knowledge and tools to make the team autonomous, avoiding the creation of technological or contractual dependencies (no lock-in). Therefore, our consulting is aimed at designing architectures that, while leveraging the benefits of KaaS, minimize the risk of lock-in, for example through the use of standard Kubernetes configurations and the adoption of DevOps practices that facilitate hybrid or multi-cloud management.

Limited Control Over Infrastructure and Network Configurations

KaaS, by offering a “Managed Control Plane,” abstracts much of the infrastructural complexity. By its nature, this leads to less direct control over the underlying hardware and some advanced network configurations compared to a self-managed Kubernetes deployment.

The SparkFabrik Approach: Every organization has different control needs, and we know this well. That’s why we support you in selecting the KaaS provider and the service level that best aligns with your specific needs for governance and customization. We work to optimize the available configurations on the chosen platform, maximizing your control within the service’s limits. If more granular control is an essential requirement, don’t worry. We have all the experience necessary to guide you in the implementation and management of dedicated Kubernetes clusters or hybrid solutions, balancing the advantages of abstraction with the need for flexibility and direct control.

To conclude, we can say that addressing these challenges requires expertise, experience, and method. Exactly what we can offer you to transform the potential pitfalls of KaaS into opportunities for growth and optimization.

With an ever-growing number of digital channels and touchpoints, organisations are facing a more complex challenge: creating, managing and distributing consistent and personalised content, across a constantly growing ecosystem of platforms. From websites and mobile apps to digital kiosks, digital signage, voice assistants, and IoT devices, the proliferation of channels requires a radically new approach to content management.

In previous articles in our series, we explored the general features of Drupal CMS, its advantages over alternatives, migration strategies, security aspects, integration with Design Systems, and solutions for specific vertical sectors. In this article, we examine one of the most innovative and promising architectures: Drupal in headless mode, which enables the creation of a truly omnichannel CMS.

Omnichannel CMS: Beyond the Traditional Web

Before exploring the technical aspects, it is important to understand what we mean by “omnichannel CMS” and why this approach is becoming increasingly crucial for managing content across a myriad of different channels.

The omnichannel approach is based on the idea of a cohesive and continuous user experience**. Rather than simply adapting content for different channels, it is managed in a unified way to ensure consistency and relevance at every point of contact.

The Evolution of Digital Needs

The concept of a CMS (Content Management System) has undergone a profound evolution in recent years. In fact, we can identify three macro-phases, determined by both technological evolution and the changing of user needs, expectations, and behaviors.

• First phase (1990-2010) : CMS were monolithic systems focused almost exclusively on managing websites.
• Second phase (2010-2020) : Multichannel CMS became widespread, with extensions to manage mobile apps and other channels, while still maintaining a predominantly web-centric approach.
• Current phase (2020+) : The paradigm is evolving towards omnichannel CMS, which act as a single, central content hub capable of feeding any channel, present and future.

According to Gartner research, by 2025 over 75% of medium and large-sized organizations will adopt an omnichannel approach to content management, up from 40% today.

This trend is driven not only by the proliferation of channels but also by a growing expectation of personalization and consistency in the user experience.

Difference Between Multichannel and Omnichannel

It’s important to distinguish between a merely multichannel approach and a truly omnichannel one:

• Multichannel : Content is adapted and distributed across different channels, but these often operate as separate silos. Consequently, there is a significant duplication of effort and content.
• Omnichannel : Content is created in a “channel-agnostic” way and managed centrally. Subsequently, it is orchestrated to provide a consistent but personalized experience across all touchpoints. The brand can thus offer a unified and cohesive experience across all platforms, while also meeting the typical personalization needs of modern users.

The omnichannel approach requires a fundamental rethinking of CMS architecture, moving from monolithic systems to headless or decoupled solutions that clearly separate content management from its presentation.

Drupal Headless: Key Concepts

Drupal in headless mode represents a significant evolution from the traditional approach. But what exactly does it consist of?

What is Headless Architecture

Headless architecture, which literally means “without a head,” is based on the separation between the backend, which manages content, and the frontend, which handles its display. In this model, a headless CMS involves:

• The “backend " (in this case Drupal) acts as a centralized content hub. It deals exclusively with content management, its structuring, and business logic.
• The “frontend " (how our content looks and how the user interacts with it) is completely separated and implemented with specialized technologies (React, Vue, Angular, Swift, Kotlin, etc.).
• The communication between backend and frontend , which happens exclusively via APIs.

This “API-first " approach allows Drupal to be used as a central content repository that can potentially power any digital channel or touchpoint. This extreme flexibility in content usage and delivery is one of the main advantages of this model.

Drupal’s APIs: A Mature Ecosystem

In a headless architecture, the API link is the fundamental element that makes the separation between content and presentation possible.

Drupal stands out in the CMS landscape for the maturity and completeness of its API ecosystem**. This leadership is the result of an “API-First” initiative launched by the Drupal community back in 2016, long before many other CMS began to seriously consider the headless approach.

Drupal’s API framework includes:

• JSON:API : Integrated into Drupal’s core, it offers a complete implementation of the JSON:API specification, an industry standard for REST APIs.
• GraphQL : Supported by stable modules, it allows for precise and optimized queries.
• Custom REST APIs : The ability to create custom REST endpoints for specific needs.

According to a 2023 Forrester report, Drupal is ranked among the leaders in the enterprise headless CMS segment, precisely because of the maturity of its API offering. A recognition that demonstrates it is a reliable choice for complex projects.

Advantages of the Headless Approach with Drupal

Adopting Drupal in headless mode offers numerous strategic advantages for organizations aiming for an omnichannel strategy. The headless approach is not just a technical solution, but an opportunity to optimize processes, improve the user experience, and future-proof the investment.

Flexibility and Future-Proofing

The clear separation between content and presentation is undoubtedly one of the main advantages of headless architecture, ensuring unparalleled flexibility. This advantage is reflected in several ways:

• Content editors can focus on creating quality content, regardless of how and where it will be displayed.
• Frontend developers can use the most suitable technologies for each channel and touchpoint.
• The addition of new channels does not require changes to the backend, guaranteeing the longevity of the investment.

As Dries Buytaert, the founder of Drupal, observed: “With a headless approach, you get a content repository that can last for decades, while frontends can evolve rapidly following emerging technologies.”

Performance and Scalability

Load times are a crucial aspect of any digital experience. Empirical evidence shows that every extra second of loading leads to a worsening of fundamental metrics such as bounce rate and conversion rate.

Modern users expect speed, and attention is won by offering instant experiences.**

Headless architecture allows for significant performance improvements thanks to a series of optimizations:

• The ability to implement aggressive caching strategies on Drupal APIs to drastically reduce response times.
• The use of Content Delivery Networks (CDNs) and edge computing** to distribute content more efficiently, serving it to users from the closest geographical location.
• Client-side rendering to reduce the load on the server, freeing up resources for other critical operations.
• The reduced size of payloads , which transfer only the data that is strictly necessary, speeds up loading and reduces bandwidth consumption.

These combined factors lead to a significantly faster user experience. In our headless projects, we have seen improvements in Core Web Vitals of up to 45% compared to traditional implementations.

Advanced User Experience

The complete separation of the frontend allows for the development of richer and more interactive user experiences. Development teams can free themselves from the need to adapt to a monolithic framework, instead gaining the freedom to choose the most suitable frontend technology for each scenario.

This approach favors the development of Progressive Web Apps (PWAs) with offline functionality, which ensure service continuity even without a connection.

Interfaces** can integrate smooth transitions, complex animations, and latest-generation visual effects, while the use of technologies like WebSockets allows for real-time content updates , for a dynamic and constantly current experience.

The absence of technological constraints on the frontend therefore allows for the customization of the interface and interactions to adapt perfectly to every device and context, offering a tailored experience for users. This flexibility is fundamental in an omnichannel context, where each touchpoint has specific characteristics and constraints.

Implementing Drupal Headless for Omnichannel Scenarios

To successfully implement Drupal headless in real-world scenarios, it is necessary to consider various practical aspects that go beyond the simple separation of backend and frontend.

First and foremost, the separation of data and frontend makes a deep consideration of content structuring essential. To serve this content, an accurate design of the APIs is required, while on the frontend side, a strategic approach is needed to maintain user experience consistency across various channels, for example through the definition of a Design System.

Content Structuring for Omnichannel

The first fundamental step for an omnichannel implementation is to rethink the approach to content structuring from a channel-agnostic perspective.

In fact, instead of creating content specific to each channel, the strength of this approach is the centralized definition of content, which is then orchestrated across the various touchpoints. This approach therefore involves:

• Structured content modeling : Creating highly structured and semantic content types that facilitate reuse.
• Content/presentation separation : Avoiding references to layout or visual aspects within the content itself.
• Rich metadata : Adding metadata that allows for the selection and personalization of content for different channels.
• Atomic content : Content is broken down into components that can be reused across different channels.

In a recent project for a retail client, we implemented a “content atoms” model in Drupal that allowed the same content to be reused on the website, mobile app, in-store kiosks, and digital signage, with an estimated saving of 60% in editorial work.

Strategic API Design

APIs are the bridge connecting the backend to the frontends, and their effectiveness determines the flexibility and scalability of the entire ecosystem. API design is a critical aspect that requires a strategic approach, clearly defining specifications before even starting implementation:

• API contracting : Defining API contracts before implementation, including rules, specifications, and expectations, ensures clarity, consistency, and stability throughout development.
• Versioning : A clear strategy for API versioning ensures backward compatibility and orderly management of changes.
• Response optimization : The configuration of sparse fieldsets and includes reduces payload sizes, optimizing performance and data transfer.
• Caching : Implementing advanced caching strategies allows content to be served more quickly and efficiently.
• Authentication and authorization : Adopting robust and granular security mechanisms is essential to protect data and prevent API abuse.

In our approach, we use a “design-first” process for APIs, with tools like OpenAPI to document and validate API contracts even before implementation begins.

Frontend Architecture for Omnichannel

Managing multiple frontend implementations requires a well-structured architectural approach. Just as content duplication is avoided in the backend, reusable elements can also be defined on the frontend for different contexts and devices, making development more efficient and reducing technical debt:

• Shared component library : Developing validated and reusable UI components across different platforms.
• Cross-platform Design System : Defining principles and patterns that adapt to different contexts, while maintaining the brand’s identity.
• Centralized state management : Consistent management of the application state, including customizations for each user and channel.
• Unified authentication strategy : Single Sign-On across different touchpoints.

A pattern we have found particularly effective is the implementation of an “API middleware” that acts as an orchestration layer between Drupal and the various frontends, managing caching, personalization, and channel-specific transformations.

Equally strategic is defining a Design System that guarantees visual and functional consistency, while also reducing development times. Read our dedicated resources to find out more: the article on how to implement a Design System with Drupal CMS, the guide on Design System and UX (Italian), and our downloadable guide on Accessibility and Design System (Italian).

Case Study: Omnichannel Implementations with Drupal Headless

To illustrate the omnichannel headless approach in practice, let’s examine some real-world cases implemented by SparkFabrik. The implementation of this architecture makes it possible to meet the flexibility and performance needs of both editorial teams and complex e-commerce platforms, generating tangible and measurable business results.

Omnichannel Retail: Integrated In-Store and Digital Experience

For a major retailer, we implemented an omnichannel platform based on Drupal headless that powers:

• An e-commerce site with a React frontend.
• A native mobile app for iOS and Android.
• Touchscreen kiosks in stores.
• In-store digital signage and screens.

The tangible results obtained in this project include:

• A 70% reduction in the time needed to launch new cross-channel marketing campaigns.
• A consistent user experience with a 35% improvement in Net Promoter Score (NPS).
• Optimization of operational costs thanks to centralized content management.

“The headless approach with Drupal has radically transformed our ability to offer consistent and personalized omnichannel experiences. The separation of content and presentation has given us unprecedented flexibility to innovate across different touchpoints.” - Digital Director

Media and Publishing: Efficient Multichannel Distribution

For a publishing group, we implemented a content hub based on Drupal headless. This backend distributes content to:

• A responsive website with a Next.js frontend.
• A mobile news app.
• Personalized newsletters.
• Feeds for smart speakers and voice assistants.
• Integrations with social platforms.

The results of the headless approach include:

• A 40% increase in editorial productivity.
• Simultaneous publication across all channels with one click.
• A 25% improvement in mobile device loading times.

“Our editorial team can now focus on creating quality content, knowing that it will be optimally distributed across all our channels. A headless implementation of Drupal has allowed us to evolve our digital offering quickly without having to constantly rethink the backend.” - Chief Digital Officer

Challenges and Solutions in Adopting Drupal Headless

While there are many advantages, adopting a headless approach with Drupal also presents specific challenges that are important to address proactively to ensure project success.

Content Preview

One of the main challenges in any headless implementation is previewing content before it is published.

Unlike a traditional CMS, in a headless architecture there is no native interface to preview how content will look on different channels before publication.

To solve this problem, we implemented a “headless preview” system that allows content editors to see in real time how the content will appear on various channels directly from the Drupal interface, using simulated renderings of the different frontends.

Layout and Presentation Management

In a purely headless approach, editors lose the ability to control layout and presentation aspects of the content, which can be a limiting factor in some contexts.

We have developed a “content-as-configuration” approach that allows layout structures and presentation rules to be defined in Drupal and exposed via APIs, which are then interpreted by the various frontends, giving control back to editors without compromising the benefits of the headless architecture.

Operational Complexity

Headless architecture inevitably introduces greater operational complexity. Managing multiple frontends, APIs, and environments requires more sophisticated DevOps processes and a more diverse skill set within the team.

To address this challenge, we implement automated CI/CD pipelines that manage the entire ecosystem as a single unit, with end-to-end testing that verifies the integrity of the experience across all touchpoints. In addition, we provide detailed documentation and centralized monitoring tools that offer visibility into the entire ecosystem.

Best Practices for Success with Omnichannel Drupal Headless

From our experience in implementing headless projects with Drupal, we have distilled some fundamental best practices that go beyond simple technology and involve project strategy and organization.

1. Adopt an “API-First” Approach at Every Stage

The success of a headless implementation depends heavily on a true “API-First” approach that must permeate all stages of the project. This approach involves several aspects:

• Content Strategy : Define the content strategy from an API perspective before thinking about implementation.
• Design Thinking : Include API aspects in the project’s ideation and design phase.
• Development : Use methodologies like test-driven development (TDD) for APIs.
• Documentation : Invest in comprehensive and actively maintained API documentation.

This approach ensures that APIs are not an afterthought but the foundation of the entire architecture.

2. Build a Scalable and Maintainable Architecture

Scalability** and maintainability are critical aspects for an omnichannel ecosystem. In this context, the Cloud Native approach ensures attention to both, for example:

• A microservices architecture can be considered for critical components.
• Manage the entire infrastructure as code (Infrastructure as Code) to ensure consistency and scalability.
• Implement comprehensive monitoring and alerting systems to keep performance and anomalies under control.
• It is appropriate to define (and monitor) performance budgets for each channel.

In a recent project, we implemented a “micro-frontends” architecture that allowed different teams to work autonomously on different channels, while maintaining consistency and performance.

3. Invest in Tools for Content Editors

The long-term success of any platform depends heavily on adoption by content editors. Investing in tools for editorial teams can make the difference between enthusiastic adoption and resistance to change.

These tools include effective preview systems, such as simulators that show a preview of content for various channels and devices, and the integration of cross-channel analytics to measure the performance and effectiveness of each piece of editorial content.

4. Plan for Evolution and Growth

An omnichannel ecosystem is, by definition, in constant evolution. For effective evolution, a clear strategy is necessary. This involves several aspects:

• Versioning Strategy : Define the API versioning strategy in advance.
• Deprecation Policy : Have clear policies for deprecating features.
• Canary Testing : Implement mechanisms to test new features on subsets of users.
• Feature Flagging : Use feature flags to enable/disable functionality on different channels.

This planning allows the ecosystem to evolve smoothly, without interruptions and while maintaining compatibility with existing channels.

The Future of Omnichannel with Drupal Headless

Looking ahead, we can identify several emerging trends that will further shape the evolution of the omnichannel headless approach with Drupal, making it even more effective and powerful. The Drupal ecosystem is constantly evolving, and these innovations are designed to anticipate market needs.

Composable DXP and the Evolution of Drupal

The concept of a “Composable Digital Experience Platform” (DXP) is gaining ground, with Drupal positioning itself as a central component in composable architectures.

Instead of a single monolithic platform, the Composable DXP is based on the combination of specialized tools that work together in an integrated ecosystem.

Drupal acts as a central hub that manages and distributes content in an agnostic way, allowing organizations to build customized technology stacks composed of the best solutions (“best of breed”) for every aspect of the digital experience, such as e-commerce, personalization, and data analytics.

Learn more in our article Composable architecture with Drupal CMS and in our downloadable guide Drupal as a Marketing Asset, from CMS to DXP (in Italian).

AI and Omnichannel Personalization

Artificial intelligence is establishing itself as a central element in the Drupal ecosystem. The community has launched the Drupal AI Initiative to accelerate the development of AI features, an initiative that SparkFabrik is also actively contributing to.

The AI capabilities in Drupal are growing at a rapid pace and offer significant opportunities for personalization and automation, even in omnichannel contexts. Examples include:

• Content Intelligence : Automatic analysis and tagging of content.
• Predictive Personalization : Predictive personalization based on cross-channel behaviors of each user or user category.
• Automated Content Transformation : Automatic adaptation of content for different channels.
• Conversational Interfaces : Integration with conversational interfaces and virtual assistants.

In a previous article, we provided an overview of AI in Drupal, mentioning many other features such as assisted content generation, automatic tagging, and smart SEO optimization.

Drupal, with its flexible architecture and robust APIs, provides an ideal foundation for integrating these emerging AI technologies, supporting different AI models and allowing any functionality to be extended with AI capabilities.

Edge Computing and New Delivery Models

Edge computing, which involves processing data as close as possible to its source to increase speed and reduce latency, is redefining how content is distributed to users.

This approach enormously improves performance , distributing content and logic closer to the end user to optimize “at the edge” rendering, including personalization aspects. In this way, specific and personalized functionalities can be delivered more quickly and closer to users, while other higher-level functionalities can reside in different geographical areas.

Edge-first architectures, such as those that combine so-called “static generation” and “dynamic hydration” (e.g., Jamstack and SSG), offer an optimal mix of performance and flexibility, combining the advantages of static systems with those of dynamic systems. This geographical distribution also improves operational resilience, a critical factor for companies operating globally.

Conclusion and next steps

The headless approach with Drupal represents a strategic response to the modern challenges of omnichannel. By clearly separating content management from its presentation, Drupal headless offers the flexibility, scalability, and agility needed to effectively manage a constantly expanding ecosystem of touchpoints.

As we have seen in the case studies, organizations that adopt this approach can achieve significant benefits:

• Greater operational efficiency in content management.
• Richer, faster, and more consistent user experiences across different channels.
• Reduced time-to-market for new digital initiatives.
• Protection of investment in a rapidly evolving technological landscape.

At SparkFabrik, we combine deep technical expertise in Drupal with advanced skills in API architecture and modern frontend development, positioning ourselves as the ideal partner for organizations that intend to implement omnichannel strategies based on Drupal headless.

If your organization is considering a headless approach for its omnichannel initiatives, we invite you to:

1. Explore our case studies of headless implementations.
2. Contact our team for an assessment of your specific needs.
3. Discover how our Suite of Drupal services can support your omnichannel strategy.

This article is part of our series dedicated to Drupal CMS. To explore other aspects of the platform, we invite you to consult our previous articles on the features and advantages of Drupal CMS, its comparison with alternatives, migration strategies from other systems, security and compliance with a focus on regulated sectors, composable architecture, Design System, and overview and news on Drupal AI.

Artificial Intelligence is redefining how websites and digital experiences are built, managed, and experienced. This transformation shifts the focus from manual workflows to results-oriented AI orchestration, where users define goals and AI contributes to achieving them. In this dynamic context, Drupal positions itself as a proactive leader in AI integration , distinguished by its open-source and responsible approach and its robust community.

AI adoption in Drupal has seen remarkable acceleration. During DrupalCon Atlanta 2025, Dries Buytaert, founder of Drupal, highlighted how AI framework adoption has tripled in just one year, involving even large organizations like the European Commission and the United Nations, actively engaged in experimenting with Drupal and AI. Furthermore, in the AI Initiative announcement, over 290+ AI modules are already highlighted as available.

This trend is not about replacing human capabilities, but rather enhancing them, freeing up time for creative and strategic work while AI handles routine activities, suggests improvements, and responds to feedback in real-time.

After outlining the main innovations of the ecosystem in our article “The future of Drupal CMS 2.0: All Innovations expected in 2025", this deep dive focuses on the latest innovations in the AI field for Drupal, exploring in detail the functionalities of the Drupal AI module and the progress of the strategic Drupal AI Initiative. We will also outline SparkFabrik’s active role in this evolution, demonstrating constant commitment and a clear vision for the future of the ecosystem.

The Drupal AI Module: The Heart of Innovation

At the center of Artificial Intelligence integration in Drupal lies the Drupal AI module, a unified solution that enables the use of various AI technologies within the platform. This module provides a complete framework for easily integrating AI into any Drupal site , supporting a wide range of models and providers. Its primary goal is to offer a suite of modules and an API that serve as the foundation for generating textual content, images, audio, video, translations, but also entire components and sections and much more.

The AI module’s strength lies in its abstraction layer , which enables seamless integrations with third-party AI providers like OpenAI (ChatGPT, DALL-E), Anthropic (Claude and also Claude Code), Google (Gemini, Vertex), Perplexity, Fireworks, and Mistral, or more specialized ones such as DeepL and ElevenLabs. It’s also possible to use open-source models hosted on user-controlled servers through integrations with Olama, LMStudio, and Huggingface, among others. This functionality is particularly appreciated by organizations operating in regulated sectors.

This flexibility ensures that the AI module is a powerful tool both for site-builders, who can create complex applications without writing code (we discussed Drupal’s first-class low-code/no-code capabilities in a previous article), and for developers and administrators, who benefit from simplified integration and immediate support for multiple providers.

The Drupal AI module aims to be the foundation of AI functionalities, offering a set of standard tools to use directly or on which to develop custom integrations. Indeed, the core functionalities are already extensible with a series of sub-modules, recipes, and other compatible modules. To mention some, among these stand out:

• AI Core: Provides access to common AI models (ChatGPT, Claude, Gemini…) and is extensible to any needed model.

• AI Automators: These are various sub-modules that allow populating and modifying any field in Drupal. Each Automator has specific functionalities, such as automation, web scraping, OCR extraction, chart data extraction, summary generation, transcript production, email address extraction, etc. The great versatility allows creating complex AI applications, where different prompts and different automators can be chained in custom workflows.

• AI Assistants API + Chatbot: A framework for configuring chatbot functionality, enabling advanced forms of AI search and enabling conversational search.

• AI Content: Offers assistance tools for content creation and editing, such as precise tone-of-voice adjustment, summary creation, taxonomy suggestions, moderation violation control. This level of flexibility and control is fundamental for quality output that respects your brand guidelines.

• AI Translate: Provides AI translations with one click, ideal for multilingual sites. For translations, there are several other alternative modules, specific to your needs and configurations.

• AI Search: Improves traditional search with semantic understanding, allowing the search engine to understand the meaning of users’ terms. To achieve maximum results and reduce hallucinations, it’s necessary to use vector databases and provide access to your own data (RAG). SparkFabrik also proposes a semantic search solution based on Typesense.

• Vector Databases: Enhance semantic search, chatbot, assistant, and other features. They allow expanding LLM knowledge by extending it to proprietary business data, which is vectorized and saved in the database.

LLMs can then recall this data and generate more relevant responses through the so-called Retrieval Augmented Generation (RAG) process. Various vector databases are supported, including Postgres, Milvus, Pinecone, Azure, and SQLite.

• AI Agents: A framework for creating custom AI agents (currently, text-to-action type) capable of manipulating the website based on provided instructions, both on the content side (e.g., text and image generation) and on the configuration side (e.g., creating taxonomies or new page types).

• ai_image_alt_text: Automatically generates alternative text for images, increasing accessibility and improving SEO. Relevant and descriptive alt-text is also a fundamental accessibility requirement to ensure compliance with the European Accessibility Act.

• ai_seo: Provides SEO analysis and reports for individual nodes. Thanks to targeted feedback, administrators, content managers, and marketing teams can optimize both technical SEO and semantic SEO of their content.

Thanks to AI-powered analysis, not only basic aspects are considered, such as structure, headings, meta tags, image optimization, and URLs, but also more advanced aspects like Topic Authority, Topic Depth, keyword usage and natural language, responsiveness, and loading times. In short, a 360° analysis that also includes new SEO aspects that emerged in the AI era.

• ai_text: allows easily creating an ai.txt file to give instructions to AI systems that interact with the site (in a way completely similar to robots.txt for web crawlers).

• AI Providers: To enable AI functionalities, you obviously need to choose one or more providers and enable the related module, for example Anthropic, OpenAI Perplexity, EvelenLabs, DeepL Translate. Many providers are supported, from the most well-known to local models, ensuring maximum flexibility.

These integrations (only some among all those already available or under development) demonstrate the depth and breadth of AI capabilities that Drupal can offer, covering a vast spectrum of digital needs.

Recent Evolutions: Drupal AI 1.1.0 and 1.2.0

The Drupal AI module is constantly evolving, with releases that introduce increasingly sophisticated and user-friendly functionalities, add AI providers, and resolve issues. In the spirit of sharing typical of the Drupal community, on the occasion of major releases, the Drupal AI Initiative team details the latest news.

In particular, after the initial launch, we have already enthusiastically witnessed two main releases of Drupal AI : 1.1.0 in June and 1.2.0 in July. Recent innovations aim to further simplify interaction with AI for editors and developers, enhancing content creation, automation, and site management. Let’s see the main ones in detail.

Content Power-up, Between Creation and Content Management

The new functionalities make content creation and editing more intuitive and AI-assisted:

• Field Widget Actions: It’s now possible to call an AI function through special buttons that can be added to any field in the interface (entity form).

These allow editors to easily interact with AI: in one click they can generate content to populate fields and, if not satisfied, generate again or intervene manually, always maintaining control over the final output. This functionality integrates with AI Content Suggestions, AI Automators, and AI Agents modules, supporting a wide range of uses.

For example, it’s possible to rewrite an attachment’s filename so that it’s relevant to the content (finally goodbye to dozens of “image01.png” in your system) or generate alt-text for an image. Furthermore, you can request assistance in generating titles and summaries, based on page content and adopting your personal style thanks to a custom prompt. It’s also possible to select or generate system tags to classify your content, or extract specific information like email addresses.

Important, for each of these widgets it’s possible to provide specific instructions and context, enabling the generation of truly personalized content.

To ensure flexibility for the most diverse use cases, multiple widgets can also be connected to each field (for example, imagine having two buttons to generate a 50-character summary or a 200-character one, or to generate images with different styles).

In this video, a complete overview of Field Widgets is available, including their configuration.

• Content Suggestions extended to other entities: Content suggestion functionalities, previously available only on Nodes, have been extended to Block and Taxonomy Terms entities as well.

Additionally, AI content suggestions can be generated based on an entity’s rendered HTML, therefore on its final appearance, role, and content (for example, for a button, a CTA will be suggested, not a multi-line paragraph).

• New types of Automators: AI Automators now include new available types. Among these, “Image Alt Text” stands out (which analyzes an image and context to generate appropriate alt text), “Image Filename Rewrite” (to rename image files for SEO purposes), and “Summary Generation for Text with Summary” (to generate summaries from main text).

Thanks to the Field Widgets Actions we saw earlier, Automators can also be easily activated by editors, directly from the user interface.

Agentic Framework and Developer Tools

The keyword of AI’s latest frontiers is “Agents”. The introduction of the new agentic framework in Drupal and advanced tools for developers accelerates innovation and customization:

• New Agentic Framework: The big news of v1.1.0 is the introduction of the Agentic Framework, which allows anyone to build AI agents without writing a single line of code.

The AI Agents module simplifies and optimizes the creation of every type of AI agent, including “text-to-action” agents that can create or modify content types, fields, and taxonomies based on natural language instructions. This transforms users’ simple words into concrete actions within Drupal.

A notable aspect is that agents are stored as configurations, making them exportable and reusable across different systems. They can be activated from various points, including Chatbots, CLI, widgets, and through APIs, making Drupal an ideal platform for agent execution thanks to its flexibility and stability.

Furthermore, Drupal’s native support for the Model Context Protocol (MCP) allows agents to connect to potentially any tool, exponentially extending their capabilities. Equally importantly, human intervention will always be possible (the so-called “human in the loop”), ensuring human governance.

• Prompt Library: Like agents, all prompts can now also be distributed as configurations, facilitating the provision of suggested prompts from third-party modules.

This is crucial for a well-functioning AI ecosystem: prompt engineering is a complex field, and a predefined library with best practices streamlines processes, enables users, reduces uncertainties and dependencies on maintainers.

• Mocking Library for testing and replay of AI requests: This is a new functionality designed specifically for developers to facilitate development. Instead of making a real request, it’s now possible to simulate a request to an AI provider and reproduce it during development or automated testing. This allows alleviating both long waiting times and high costs associated with prompt processing by AI providers.

• Support for more file types for AI models: The AI Core module base has been modified to support any file type (including PDFs and videos) to provide to AI models, in response to the evolution of LLM models.

• Recipes, abstraction from Providers and Vector Databases: Recipes are predefined, reusable configurations that simplify the implementation of specific features, such as automating module installation or configuration implementation (we go into more detail in this article).

Previously, Recipes that added AI features such as “chat with your documents” or similar required you to specify exactly which providers and vector databases were used, as well as certain settings. With the latest update, however, AI providers and vector databases have been “abstracted,” meaning they no longer need to be specifically defined at the Recipe level, as well as some common features. It’s a small change, but it has made AI Recipes much more modular, versatile, and maintainable, as well as more reusable.

• AI Agents Testing Tool: A new visual tool for testing AI agents has been added, allowing the configuration of complex scenarios and repeatedly retesting them without needing to be a developer.

Interface Creation: AI + Experience Builder

Experience Builder is the evolution of all previous Drupal site building solutions. Modern features like completely visual and drag-and-drop interface, integrated previews, and on-the-fly creation of new components make it a truly advanced solution for creating new digital experiences (we already talked about it here and here).

The integration of AI with Experience Builder has the potential to even more profoundly revolutionize not only the authoring experience, but also the design and development processes themselves in Drupal.

During the March 2025 Driesnote, it was demonstrated how an image from Figma can be transformed into a UI component in real-time. The user can interact with the AI agent through chat, requesting iterative changes and refinements to colors, button shapes, and other elements, with changes immediately visualized in a code editor integrated into Experience Builder.

Creating a single component is just the first step: the vision is to create entire pages or sites, ideally even with migration from other systems. In this vision, AI will help users build and perfect sites faster, more intuitively and creatively, while maintaining human oversight.

Enhanced Semantic Search

Search functionality in Drupal has been profoundly improved thanks to AI. The AI Search sub-module elevates traditional keyword-based search with semantic understanding, allowing the site to grasp users’ intent rather than limiting itself to typed words. This translates into more relevant results, even when search terms don’t directly match the content.

The overall impact can be truly significant, both in terms of user experience and economic return for the organization (think for example of product search in ecommerce, or information search on a university portal by a potential student).

This functionality uses two search indexes, one traditional and one semantic, powered by vector databases like Milvus or Pinecone, fundamental for reducing AI “hallucinations,” those situations where AI produces inaccurate information but presents it with confidence. These vector databases contain data and information specific to your organization , chunked and vectorized. LLMs can then use this data to provide more precise and contextualized answers (or search results).

An example of technology that integrates with Drupal to enable these advanced functionalities is Typesense , an open-source search engine that offers AI-powered semantic search capabilities, providing faster, more accurate, and personalized results. The Typesense module is developed and maintained by the SparkFabrik team. You can explore this solution in the following presentations.

Overall, these innovations demonstrate a continuous commitment to improving usability, efficiency, and versatility of AI within Drupal, facilitating developers, making it accessible to a broader audience, and supporting increasingly complex use scenarios.

The Drupal AI Initiative: A Coordinated Drive for the Future

The Drupal AI Initiative represents an important strategic step for Drupal’s future, channeling community energy in a coordinated and funded direction.

Although the ecosystem of Artificial Intelligence functionalities, integrations, and modules in Drupal is experiencing significant growth, as we have seen, to ensure bringing real strategic impact to the market, the need to go beyond simple voluntary contributions from contributors has been recognized. To build a truly powerful and competitive AI ecosystem, a professional and dedicated team is needed, focused only on Drupal AI.

From this awareness was born the Drupal AI Initiative , officially launched on June 9, 2025, whose goal is to bring structure, strategy, and a shared direction to AI innovation in Drupal. By ensuring continuity and quality, it guarantees that Drupal doesn’t fall behind with the rapid evolution of AI in the market.

The central strategy is to fund a team of full-time contributors to accelerate AI innovation in the Drupal ecosystem. Over $100,000 has already been allocated to be entirely dedicated to the initiative, but the aim is also to attract sponsors, defined as “AI Makers.” These sponsors will be able to contribute not only financially, but also by dedicating full-time human resources (at least ½ FTE, Full Time Employee), with the expectation that involved companies are fully dedicated to the coordinated development of the ecosystem.

The initiative leverages a clear organizational structure, with a Leadership Team dedicated to guiding product direction, fundraising, and collaboration between different work areas, fundamental aspects for ensuring coordinated effort at a global level. A funded Delivery Team, equivalent to several full-time roles, is dedicated to execution, including technical leads, UX, and project managers. Active work tracks cover key sectors like AI Core, AI Products, AI Marketing, and AI UX.

Initial progress has seen the initiative gain momentum , primarily with the release of the latest major releases of the Drupal AI module. On the marketing front, dedicated pages have been created on Drupal.org and collaborations have been initiated for a series of webinars with the European Commission. The team also participated in the AI Summit London, an important artificial intelligence conference, to present Drupal AI to a broader audience.

One goal is to organize regular webinars to keep the community informed about progress and raise awareness among potential clients and end users about Drupal AI’s potential. The community is also constantly aligned through asynchronous meetings held every Monday in the #ai-contribute Slack channel, where all contributors can participate and align through messages for 24 hours, with conversations subsequently published publicly on Drupal.org.

Importantly, the initiative fully embraces Drupal’s philosophy regarding AI , built on fundamental principles that guide innovation. The heart of everything is the conception of AI itself, whose role is to enhance human capabilities, not replace them. Based on this, the aim is to implement a framework that promotes responsible AI management, ensuring oversight and approval of workflows (Human in the Loop), audit trails, and compliance tools.

Furthermore, in pure Drupal spirit, innovation must be guided by the community’s real needs, not by roadmaps and a priori decisions. For example, ensuring users full freedom of choice in terms of AI solution providers is considered fundamental, without providing constraints to specific vendors.

Furthermore, a recent survey invited end users to share their needs, contributing to directing development resources to functionalities felt by real users. At the same time, the community and agencies are the foundation of Drupal’s success: developing a platform that grows in synergy with both end users and the agencies that support it therefore proves essential.

SparkFabrik’s Role in the Drupal AI Ecosystem

SparkFabrik is not just an observer of AI innovations in Drupal, but an active and strategic participant in their development. With over a decade of significant contributions to Drupal’s open-source ecosystem, SparkFabrik has always positioned itself at the forefront of its evolution.

It’s clear how the advent of artificial intelligence is requiring a radical transformation of the entire development process, which now becomes increasingly outcome-oriented rather than time-dedicated, but is also opening completely new perspectives and evolutions throughout the ecosystem, with unprecedented speed.

This is why we have initiated an internal strategic initiative dedicated precisely to the Drupal and AI combination , dedicating ½ FTE for all of 2025 (50% of our expert Drupal developer Luca Lusso’s time) specifically to projects in this area. This concrete commitment to strengthening and expanding the ecosystem fits perfectly with the global AI Maker Initiative and translates into constant and deep collaboration with the community.

In our first contribution sprint , we worked on two aspects we consider fundamental for the Drupal AI ecosystem: proposing an effective local development environment based on DDEV and beginning reasoning on how to integrate a “guardrail” system directly within LLM integration flows.

More in detail, regarding the local development environment, we noticed that several contrib modules adopt a pattern based on a DDEV add-on that replicates the functioning of GitLab’s CI pipeline on Drupal.org. For many modules contributed by SparkFabrik, we have also chosen the same approach (Monolog, WebProfiler, …). The broader community has not yet decided if this is the best path to follow, and for the Drupal AI ecosystem this way of working could lead to more complications than benefits.

Indeed, the need to add some DDEV-specific configuration files within the project repository and the way Drupal installation occurs locally make this approach less ideal in a context like Drupal AI, consisting of dozens of modules that potentially need to be tested and developed in parallel.

The solution proposed by Luca Lusso, and accepted by the community, instead saw the proposal of a new generic DDEV add-on, which can be used by any contrib module and capable of simplifying contributions to multiple modules simultaneously. SparkFabrik’s solution resolves previous limitations, streamlining development and testing of all future contributions.

In parallel, we initiated reflection on integrating “guardrail” systems directly into flows involving Large Language Models (LLM). This aspect is crucial for ensuring responsible and safe use of AI within Drupal, ensuring that model output is always aligned with preset values and objectives.

Another tangible example of SparkFabrik’s commitment is active participation in meetings asynchronous in the #ai-contribute channel on Slack. These meetings, which take place every Monday and last 24 hours, allow global alignment through messages, and all conversations are subsequently published openly on Drupal.org.

Luca Lusso’s constant presence in these discussions (for example, see conversations from June 30, 2025, July 7, 2025, and July 14, 2025) provides SparkFabrik with direct access to cutting-edge information and strategic discussions, allowing us to anticipate future developments and influence Drupal AI’s roadmap.

In this scenario of rapid evolution, SparkFabrik’s commitment to developing the Drupal ecosystem, research on AI and its practical application, is not just a technological investment. It rather represents a clear affirmation of our position as a strategic partner and thought leader, well beyond the role of a simple service provider.

Conclusion: Drupal AI, an Intelligent, Open and Collaborative Future

Drupal is actively leading the Artificial Intelligence revolution in the world of Content Management Systems, adopting an approach that is inherently open-source, human-centered, and highly flexible.

Starting from an already excellent foundation, the Drupal AI Initiative is significantly accelerating the development of powerful and responsible AI tools , thanks to a clear strategic vision, dedicated funding, and a rapidly growing community.

From the unified AI module, with its vast range of sub-modules and supported providers, to innovations introduced in recent versions, Drupal offers cutting-edge functionalities that transform content creation, site management, and optimization of digital experiences.

These developments not only improve efficiency and quality of web projects, but also reinforce Drupal’s fundamental principle of maintaining people’s centrality and human governance, ensuring that AI is a tool for enhancement and not replacement.

SparkFabrik is proud to be an integral part of this transformation , not limiting ourselves to adopting new technologies, but actively and strategically contributing to their development and strengthening our position as thought leaders in the Drupal ecosystem.

Our dedicated internal initiative, significant resource commitment, participation in the community and strategic discussions, our expert Drupal developers’ commitment to directly contributing to code demonstrate our vision and ensure that SparkFabrik is not only at the forefront, but contributes to defining the future direction of AI in Drupal.

If you wish to explore AI’s potential for your Drupal site, or if you are considering implementing a Drupal environment, SparkFabrik is available to support you in navigating and excelling in this new and dynamic digital landscape.

We invite you to:

1. Explore SparkFabrik’s Drupal services
2. Consult our case studies that illustrate implementations in various sectors
3. Contact our team for an evaluation of your specific context and objectives

Explore more features and aspects of the Drupal platform in our dedicated articles.

User experience has evolved into a crucial distinctive factor in the digital world, and in this context, effective collaboration and synergy between designers and developers pose a primary challenge for organizations. The fragmentation of digital channels, the continuous evolution of user expectations, and the need to maintain visual and functional consistency across different touchpoints, as well as the need to adapt promptly to technological innovations and new regulatory requirements, have made the management of digital interfaces increasingly complex.

In this complex scenario, Design Systems emerge as a strategic solution, acting as a bridge between the world of design and that of development. When integrated with flexible and robust platforms like Drupal CMS, Design Systems can radically transform how organizations create, manage, and evolve their digital experiences.

In our talk presented at Talks on my Machine (available in Italian only), we explored this topic in depth. In this article, we delve further into the concept of Design Systems and their integration with Drupal CMS, highlighting how this synergy not only creates a common language among teams but also generates real and substantial value for organizations.

This article is part of our series dedicated to Drupal CMS: we invite you to read the previous articles for further insights, from its advantages to alternatives, security aspects, and architectural considerations.

What is a Design System and why is it important

A Design System is much more than a simple component library or a style guide. It is a complete and living ecosystem, a cohesive framework that includes guiding principles, interaction patterns, reusable components, and clear guidelines. These elements collectively define the visual and interactive language of a brand across all its digital products, ensuring consistency and scalability on a large scale.

The three pillars of an effective Design System

A well-structured Design System rests on interconnected elements that work in synergy to ensure consistency and scalability of digital experiences:

1. Principles and guidelines: This pillar defines the design philosophy that guides every single decision. It sets the brand’s tone of voice, its personality, and its approach to user interaction. It acts as a compass that guides every aesthetic and functional choice, ensuring that the design is not only aesthetically pleasing but also strategically aligned with business objectives.
2. Component library: This is an organized collection of reusable user interface elements (such as buttons, forms, headers, and cards) and their variations. Each component is meticulously documented, including usage examples, implementation code, and specific use cases. This granularity facilitates reuse, ensures consistency, and reduces development time in every context.
3. Design patterns: These define consolidated and tested solutions for common interaction scenarios (e.g., login flows, shopping carts, search systems). Patterns logically and functionally combine different components from the library, providing optimized schemes to solve specific user needs efficiently and consistently.

As Nathan Curtis, a Design System expert, effectively stated: “A Design System is not a project but a product, which serves other products.” This vision highlights the evolutionary and service nature of a Design System, which must constantly grow and adapt to the evolving needs of the organization and the dynamics of a constantly transforming market.

The tangible benefits of a Design System

Implementing a Design System brings significant advantages at various organizational levels, directly impacting ROI and operational efficiency.

For the organization:

• Up to 50% reduction in implementation time for new interfaces and functionalities. This translates into significantly accelerated time-to-market for new initiatives, allowing the company to react with greater agility to new market opportunities.
• Greater consistency of user experience across different touchpoints. This strengthens brand identity, improves recognition, and contributes to building a perception of professionalism and reliability among the public.
• Significant optimization of maintenance and update costs. Changes to a Design System component propagate to all instances that use it, reducing technical debt and simplifying the long-term management of a digital project.

For designers:

• Less time spent on repetitive and manual tasks, freeing up time for innovation and creative problem-solving, which is the true added value of the design team.
• Faster decision-making process due to pre-existing patterns, clear guidelines, and pre-validated components that reduce uncertainty.
• Facilitated collaboration with developers, establishing a common language that reduces misunderstandings and review cycles, improving overall efficiency.

For developers:

• Reusable and standardized code that accelerates development, reduces the likelihood of introducing bugs or inconsistencies, and increases software quality.
• Reduced technical debt, keeping the codebase cleaner, more modular, and easier to maintain in the long run.
• Faster implementation and fewer bugs thanks to pre-validated and documented components that minimize errors during development.

As observed during our talk, organizations that have adopted a mature Design System have seen improvements in development speed ranging from 20% to 50%, with a parallel reduction in user interface-related bugs. These results are not purely theoretical but translate into a direct impact on operational costs and the company’s ability to innovate.

Integrating Design System and Drupal CMS

Drupal CMS, with its flexible and composable architecture, stands as an ideal platform for implementing and managing a Design System over time. This integration can occur at various levels, each offering specific benefits.

1. Advanced theming with a Component-Based Approach

The evolution of theming in Drupal has seen a progressive and strategic shift towards a component-based model, perfectly aligned with Design System philosophy. This approach ensures greater flexibility, granularity, and reusability in the front-end.

• Twig Components: The use of modular Twig templates allows for direct mapping to Design System components. This ensures that every visual element of your Design System has an exact counterpart in Drupal’s code, guaranteeing design fidelity, aesthetic consistency, and ease of maintenance.
• Single Responsibility: Each component has a specific and well-defined responsibility. This principle ensures that changes to one element do not have unintended side effects on other system components, improving development stability and predictability, and fostering resilience.
• Cross-page reuse: Components can be easily reused in different contexts within Drupal, such as different pages, content types, or even across multiple sites within a multisite architecture. This maximizes efficiency and brand consistency, even at a large scale.

This approach, known as “Component-Driven Development”, fosters a direct correspondence between the components defined in the Design System and their technical implementation in Drupal, significantly reducing the gap between design and code and optimizing the development workflow.

2. Deep integration with Layout Builder

One of the most significant innovations in Drupal CMS is the Layout Builder, which can be extended to natively integrate Design System components. This new Layout Builder enables greater autonomy for editors and marketing teams.

• Custom Block Types: It allows the creation of custom block types that directly represent Design System components. This empowers non-technical users to assemble complex pages using an intuitive drag-and-drop functionality.
• Layout Libraries: The definition of predefined layouts, based on Design System patterns, allows users to choose validated and accessible structural options, accelerating the creation of new pages or sections while promoting consistency.
• Visual configuration: The drag-and-drop interface, combined with Design System components, enables highly intuitive visual page composition. This reduces reliance on technical resources for content creation and modifications, enabling a true no-code approach for editorial teams, without requiring code.

This integration opens up exciting possibilities for promoting the use of the Design System by any role, allowing editors and content managers to create consistent experiences without needing advanced technical skills, while streamlining publishing times and workflows.

3. Design Tokens as a single source of truth

Design Tokens represent a fundamental concept in modern Design System implementation, acting as a “single source of truth” for all visual and stylistic attributes of a brand. Their adoption is crucial to ensure consistency across all platforms:

• Atomic values: Centralized definition of colors, typography, spacing, shadows, and other stylistic elements. For example, instead of defining a color as a hex code (#EB0000, also known as our own Spark Red), it is semantically labeled (e.g., primary-heading-color). This makes global changes quick and error-free, automatically propagating updates to all components that use that token.
• Platform independence: Design Tokens are agnostic to the implementation platform. This means that Tokens can be used in both design tools (Figma, Sketch) and development environments (CSS, JavaScript, Twig), ensuring perfect stylistic consistency across all channels.
• Single Source of Truth: They establish a unique and shared source for visual attributes. When it truly is a single source of truth, it eliminates inconsistencies that systematically arise from multiple, separate sources.

The implementation of Design Tokens in Drupal can occur through Sass variables, CSS custom properties, or more sophisticated systems that automatically synchronize tokens between design tools and code.

As demonstrated in our talk, this approach effectively manages “design drift”, the tendency for technical implementations to progressively diverge from the original design, thus maintaining perfect design-to-code consistency.

Tools and workflows for effective collaboration

The integration of Design System and Drupal CMS requires an ecosystem of tools and workflows that facilitate collaboration between designers and developers, overcoming traditional operational silos. Here are some must-haves.

Storybook: the bridge between design and development

Storybook has become a de facto standard for UI component development, documentation, and testing, acting as a crucial link:

• Isolated environment: Allows for independent component development from the application context, working on individual UI components in an isolated environment. This accelerates development, simplifies debugging, and ensures predictable functionality regardless of the usage context.
• Living documentation: Generates interactive and always up-to-date component documentation, which is always accessible to foster understanding and alignment.
• Visual testing: Automated verification of the visual correctness of components, helping to maintain high quality of the final product.

Integrating Storybook with Drupal allows for developing components in isolation, thoroughly testing them, and only then integrating them into the CMS platform. This approach significantly improves code quality and reduces overall development time, leading to a faster time-to-market for new implementations and features.

ZeroHeight: centralizing Design System documentation

ZeroHeight is an excellent and widely used solution for centralizing and sharing Design System documentation, making it easily accessible to all organizational stakeholders:

• Single Source of Truth: Creates a centralized repository accessible to the entire organization, serving as a single source for all Design System documentation. Guidelines, principles, tokens, components… everything is consolidated in one place.
• Integration with design tools: Automatically synchronizes with leading design tools like Figma, Sketch, and Adobe XD, maintaining alignment without manual effort.
• Versioning and history: Advanced tracking of Design System evolution over time through versioning and history, which is particularly crucial for large organizations with multiple products and projects.

This type of platform greatly facilitates Design System adoption at the organizational level, providing a clear, always up-to-date, and accessible reference point for designers, developers, content managers, and other business stakeholders.

CI/CD for Design System

The application of Continuous Integration/Continuous Delivery (CI/CD) practices, typical of the DevOps field, to Design Systems creates an approach known as “DesignOps”. This elevates the Design System to a higher operational level, ensuring unprecedented continuity, consistency, and speed in updates.

• Automated testing: Automated verification of component compliance is integrated, not only in terms of quality standards but also crucial regulations like the EAA, which requires adherence to WCAG 2.1 AA standards.
• Continuous integration of changes: Continuous integration of Design System changes into the codebase. Development teams can always access the latest valid component versions, resolving version conflicts.
• Automated deployment: Once approved in CI/CD pipelines, Design System changes are automatically deployed to all products using it. The entire ecosystem can be consistently aligned, without manual intervention or delays.

This “DesignOps” approach extends the benefits of DevOps methodologies (such as speed, reliability, and automation) into the design world, guaranteeing quality, speed, and consistency in the evolution of the digital experience.

Successful Case Studies: Design System in action with Drupal CMS

To concretely illustrate the benefits of integrating Design Systems and Drupal CMS, we examine some real cases successfully implemented by the SparkFabrik team. These examples aim to inspire and demonstrate how the strategic adoption of a Design System is not just a theoretical best practice, but a strategic lever for achieving business objectives.

Zambon Group: brand consistency across multiple touchpoints

For Zambon Group, a pharmaceutical multinational with an extensive and complex digital presence, we implemented a Design System integrated with Drupal that allowed them to:

• Ensure visual and functional consistency across their corporate website and dozens of product microsites. Before implementation, each new site required significant design and development effort and often led to inconsistencies. Today, the Design System ensures that every new initiative is immediately aligned with the brand.
• Effectively support a complex multilingual and multicountry context. It is now possible to centrally manage content and design for over 40 corporate and product sites, available in more than 20 languages and countries, maintaining a unified global brand identity.
• Significantly reduce implementation times for new digital initiatives, with resulting optimization of time-to-market and significant cost reduction.

The Design System created a unified visual language that globally reflects the Zambon brand identity, while allowing the necessary flexibility to meet the specific needs of different markets and product lines.

Caleffi: cohesive and scalable digital experiences

For Caleffi, a leading multinational player in the plumbing sector, implementing a Design System integrated with Drupal allowed them to:

• Create a consistent user experience that integrates complex editorial content with a vast product catalog, comprising 12 catalogs and over 20,000 products.
• Ensure responsiveness and consistency across all devices (desktop, tablet, mobile), in 12 countries, and 18 languages.
• Significantly accelerate time-to-market for new digital initiatives.
• Facilitate continuous evolution of the digital experience, rapid and efficient construction of new pages and sections, and timely response to market needs through new digital initiatives.

The Design System defined not only visual components but also specific interactive patterns for e-commerce and catalog management, creating an intuitive navigation experience that enhances both informational and product content and directly contributes to Caleffi’s business objectives.

[Video: Case Study Caleffi New Website]

Bocconi University: a unified visual language

For Bocconi University, a prestigious international educational institution, implementing a Design System integrated with Drupal allowed them to:

• Unify the digital experience across dozens of sites and microsites, from the university’s main site to multiple departmental portals and microsites dedicated to events and initiatives.
• Maintain brand consistency in a multilingual context, crucial for promoting the institution’s international prestige, while supporting unified governance for all properties.
• Reduce the implementation time for new sections by 40% and improve the consistency of institutional communication.

The Design System defined not only visual components but also specific interactive patterns for the educational context, such as course navigation, faculty presentation, and enrollment procedures, creating an intuitive and consistent user experience for all user types: students, faculty, administrative staff, and external stakeholders.

Our experience: lessons learned and value delivered

After years of implementing Design Systems and over a decade of experience with enterprise-grade Drupal platforms, we have gained a unique perspective on what truly works and how to maximize value for our clients. We would like to share some personal reflections that go beyond theoretical best practices.

When a Design System truly makes a difference

Our experience has taught us that not all projects benefit equally from a Design System. The value is maximized, and the investment most justified, when:

There is real multi-touchpoint and multilingual complexity. In Zambon’s case, with dozens of product sites in different languages and a global presence requiring coordinated management, the Design System literally transformed their way of working. Before its implementation, each new product site required several weeks or months of work and inevitably led to visual and functional inconsistencies. Today, launching a new product site takes days or a couple of weeks, and consistency is guaranteed regardless of the involved team.

The client has a medium-to-long-term vision and a commitment to digital evolution. We have observed that clients like Bocconi University, with a strategic vision for their digital ecosystem and a willingness to invest in an asset like the Design System over time, have seen exponential benefits. The initial investment in the Design System is paying off not only in terms of operational efficiency but also in the ability to evolve their digital presence consistently and increasingly faster.

1. Adopt an incremental approach

• Start with a core set of “essential” components, high-impact and frequently used in the user experience (e.g., buttons, form inputs, typography). This allows for obtaining initial benefits quickly.
• Implement an MVP (Minimum Viable Product) and let it grow organically. Launching a minimal but functional Design System allows for gathering real feedback from internal users (designers, developers), and then letting it grow based on needs. This agile approach reduces risk and maximizes adoption and internal learning.
• Clearly define priorities and an evolution roadmap, taking into account business needs and available resources. The introduction of a Design System is not an endpoint: it is essential to keep it alive, evolve it, and enrich it over time to prevent it from becoming obsolete.

This approach not only allows for obtaining value more quickly but also enables validating initial choices and evolving the Design System agilely, based on concrete feedback rather than hypotheses or initial requirements that might change.

2. Establish clear governance and ownership

A Design System is a “product that serves other products,” and as such, it also requires continuous management and maintenance. Without clear governance, its effectiveness can quickly diminish, leading to inconsistencies, frustrations, errors, and, ultimately, obsolescence:

• Define precise roles and responsibilities. Who is responsible for defining design principles, developing components, maintaining them, and promoting the Design System internally? Clear roles are essential to avoid overlaps or gaps in responsibility.
• Establish processes for Design System evolution. How are new components proposed? How are existing ones modified? What is the review, approval, integration, and documentation process? Well-defined and documented workflows are crucial for consistency, quality, and scalability over time.
• Create structured feedback loop mechanisms between Design System users (designers, developers, content editors, other stakeholders) and maintainers. This enables continuous improvement based on real needs and ensures the Design System remains relevant and useful within the organization.

As explained, governance is often the determining factor between a successful Design System (adopted, understood, valued) and one that is progressively abandoned.

3. Invest in documentation and continuous training

Documentation and training are not optional additions but integral parts of the Design System, crucial for its adoption and long-term effectiveness. Indeed, a Design System is only as useful as its documentation and the team’s ability to use it effectively.

• Document not only “what” but also “why” design decisions were made. Explaining the underlying principles, guidelines, and reasons helps users understand how and when to use components appropriately and autonomously.
• Create specific usage guides for different roles (designers, developers, content editors). This way, each guide focuses on the most relevant information for each role, facilitating learning and adoption.
• Organize practical training sessions and workshops regularly. As with any other area, active training is much more effective than simply distributing documents: it helps overcome initial resistance, transfers skills, and promotes the Design System culture.

As clearly emerged in our talk, even the best Design System, technically impeccable, has limited value if the organization does not know how to use it effectively or is not supported in practical adoption.

4. Measure and communicate value

To ensure continuous support for the Design System, it is essential to measure and communicate its impact at all levels of the organization:

• Track quantitative metrics, key indicators such as development time for new functionalities (e.g., a new landing page), bug reduction, existing component reuse rates.
• Collect qualitative feedback from stakeholders and users, understand challenges encountered and areas for improvement, ensuring the Design System and its evolutions effectively meet real needs.
• Regularly communicate successes and lessons learned, such as results achieved, savings generated, successful implementations that demonstrate the tangible value of the Design System.

This data-driven approach, focused on transparent communication, helps solidify the Design System as a strategic asset within the organization and its culture. By positioning it as a strategic investment rather than a mere cost center, its sustainability and evolution over time are ensured.

The future of Design System integration with Drupal CMS

Looking ahead, we can identify several emerging trends that will further shape the integration between Design Systems and Drupal, innovations that will make the CMS platform even more powerful, flexible, and responsive to business needs.

1. Advanced design-to-code automation

Tools that automatically transform design components created in platforms like Figma into functional code implementations in Drupal are becoming increasingly sophisticated. This progress promises to further reduce the gap between design and code and is inherently linked to the concept of low-code/no-code that Drupal CMS is increasingly embracing.

2. Multi-Experience Design System

The evolution of Design Systems is extending beyond mere web development to new digital experiences. The inclusion of voice user interfaces (Voice UI), augmented reality, chatbots, IoT devices, and other emerging channels will require greater flexibility in Drupal implementations. The Design System will become an even more central hub for ensuring aesthetic and functional consistency across all touchpoints.

3. AI-Assisted Design System

Artificial intelligence is beginning to play an increasingly pervasive role in Design System creation and maintenance. Advanced AI functionalities are expected to offer intelligent suggestions for optimal component combinations, proactively identify stylistic and functional inconsistencies, and even generate component variations based on specific parameters or styles. This will further optimize the design and development process, always under human governance, increasing efficiency and speed.

4. Cross-Platform Design System

With the emergence of standardized technologies like Web Components, Design System implementation can become increasingly platform-independent. This finally allows for true cross-platform reuse, not only within the Drupal ecosystem but across all technologies used by the organization.

Conclusions

The integration of Design System and Drupal CMS represents much more than a technological choice: it is a strategic decision that can transform how an organization creates, manages, and evolves its digital experiences.

Our experience has demonstrated that, with the right approach, this integration produces tangible and measurable benefits: greater consistency, faster development, reduced costs, and a superior user experience. The Design System, when treated as a strategic product rather than a cost, becomes a true accelerator of innovation.

To further explore the topic, we recommend:

1. Explore our complete talk on Design Systems and Drupal for in-depth and practical insights (in Italian only).
2. Consult our case studies illustrating successful implementations in various complex sectors and contexts.
3. Contact our team for a personalized assessment of your specific context and objectives.

This article is part of our series on Drupal CMS. To explore other aspects of the platform, we invite you to consult our previous articles on Drupal CMS features and advantages, comparison with main alternatives, migration strategies, security and compliance aspects, ecosystem innovation roadmap, and composable architecture.

Sudden changes in business needs, new channels to support, integration with diverse systems, new regulatory requirements, and the necessity to rapidly adapt to technological innovations. This is the vast and rapidly evolving digital landscape in which organizations operate and face increasingly complex challenges.

In this context, the traditional monolithic approach to digital platforms (that of the “single, large and immutable platform”) is showing its limitations, giving way to a new paradigm: composable architecture.

In previous articles of our series on Drupal CMS, we explored the innovative features of the platform, analyzed its advantages over alternatives, delved into migration strategies, discussed security and compliance aspects, as well as the ambitious innovation roadmap of the ecosystem.

Now, in this article, we examine how Drupal CMS represents an ideal foundation for implementing composable, flexible architectures capable of effectively responding to change.

Composable Architecture: A New Approach to Building Digital Ecosystems

Composable architecture represents an approach to building digital ecosystems based on the flexible combination of modular and interoperable components. Instead of a single, giant, and monolithic system that is difficult to manage and maintain, in the composable approach, our architecture is composed of many components that are assembled, similar to Lego bricks, each of which is independent, performs its function, and can be updated or replaced without impacting the entire system.

More specifically, the “composable” paradigm, formalized by Gartner, is based on four fundamental principles:

1. Modularity : Systems are composed of independent and interchangeable components. This autonomy makes each part easily manageable and replaceable, without compromising the overall system.
2. Autonomy : Each component operates independently, with well-defined interfaces, reducing the risk of propagation of any problems between the different elements of the architecture.
3. Orchestration : Components can be organized and reorganized flexibly, combining and adapting them dynamically according to operational and strategic needs.
4. Discovery : Components are easily identifiable and configurable, with relevant benefits in terms of implementation and configuration times.

This approach allows organizations to build highly adaptable digital ecosystems, where individual components can be replaced or updated without rebuilding the entire system. The result, in addition to technical benefits, is a significant acceleration of innovation and a reduction in time-to-market, fundamental aspects for competitiveness.

Why Composable Architecture is Relevant Today

The interest in and adoption of composable architectures are growing rapidly. This is not merely a technological trend, but a concrete response to a market that is constantly accelerating. Let’s understand in more detail the reasons, which directly impact the core of every business:

Speed of market change : In a world where customer needs and digital trends change at an alarming rate, the ability to adapt quickly has become a fundamental competitive advantage.

Proliferation of channels and touchpoints : Today, it is no longer enough to simply be on the web. Organizations must also offer consistent experiences everywhere, across an increasing number of channels and devices, and this requires agile platforms.

Personalization expectations : Users expect increasingly personalized experiences that understand them, anticipate their desires, and align with their expectations. Such tailored experiences require flexibility, responsiveness, and agility in digital platforms.

Heterogeneous technological ecosystems : Organizations often operate with multiple systems, some of which may be legacy, that need to integrate efficiently. Composable architecture facilitates the connection between different technologies.

A recent Gartner study predicts that by 2026, organizations that have adopted a composable architecture will outperform the competition by 80% in the speed of implementing new functionalities. This important data highlights the urgency and strategic value of this approach.

Drupal CMS as a Foundation for Composable Architectures

Drupal CMS stands out in the landscape of content management systems as a true “champion of modularity,” with native features that make it particularly suitable as a base for composable architectures. The API-first approach has been integrated into Drupal for several versions, and with Drupal CMS, this vision reaches a high level of maturity.

API-first by design

Drupal CMS has been designed with an API-first architecture that natively supports key protocols for modern multichannel and omnichannel implementations:

• Native JSON:API : Integrated into the core, it offers a complete RESTful API that complies with JSON:API specifications. This provides a robust bridge for Drupal to communicate with any other system.
• Natively supported GraphQL : Allows for complex and targeted queries that reduce overhead and optimize performance.
• Flexible Web Services : Natively supports multiple integration protocols (REST, GraphQL, JSON-RPC), ensuring flexibility and integrability with a wide range of systems.
• OAuth and JWT Authentication : Provides robust mechanisms for API security and advanced authentication and authorization management. In Drupal, security is not an option but a fundamental value that characterizes the entire ecosystem.

These features enable Drupal CMS to function effectively as both a headless backend and a hybrid system, where traditional server-side rendering coexists with JavaScript frontend components. This ensures maximum architectural flexibility, allowing you to bring your digital vision to life without compromise.

Flexible and Structured Content Model

The secret to a composable architecture is having well-organized and easily manageable content. Drupal CMS’s entity and fields system offers a powerful foundation for modeling structured content, making it easy to use and manage for any frontend or system:

• Customizable Content Types : You can define complex content structures and articulated relationships between them, tailored to your information.
• Taxonomy System : Allows for advanced content categorization with hierarchical vocabularies.
• Extensible Field API : Natively supports complex content types, such as media, references, and structured data.
• Entity Reference : Enables the creation of sophisticated relationships and connections between different content pieces, interlinking information within your database.

This range of features enables enormous flexibility in implementing complex content models tailored to specific needs. Such flexibility is fundamental for the composable approach, where different parts of the system can access and manipulate content consistently and structurally, through those well-defined APIs we’ve just discussed.

Native Modular System

Drupal was conceived with a deeply modular architecture, where each module adds specific functionality. This modularity perfectly aligns with the principles of composable architecture:

• Extensible Module Ecosystem : Thousands of ready-to-use components are available in the Drupal ecosystem to extend core functionalities, capable of meeting virtually any need.
• Hook System and Event Dispatcher : Standardized mechanisms that allow for further extension and customization of Drupal without needing to modify core code.
• Plugin System : An infrastructure for interchangeable components with well-defined interfaces, providing enormous freedom and flexibility.
• Dependency Injection : A modern architecture that promotes decoupled and easily testable components, ensuring that your system remains robust and reliable.

This modularity is not limited to the internal architecture but extends to the broader ecosystem, allowing for the construction of solutions where Drupal CMS can effectively integrate with other specialized systems, becoming the cornerstone of a “best-of-breed” solution (an example of which is below).

Implementing Composable Architectures with Drupal CMS

Let’s now examine how Drupal CMS can be implemented in various composable architectural patterns, each suited to specific scenarios, requirements, and needs. We are not discussing theory, but rather projects we have successfully delivered.

Pattern 1: Drupal CMS as a Central Content Hub

In this pattern, Drupal CMS acts as a central content hub that feeds multiple touchpoints via APIs:

• Unified Content Repository : Drupal manages all structured content within the organization.
• Multi-channel Distribution : From your website to your mobile app, from digital signage to emails, and various other channels, content is distributed everywhere from the central hub.
• Centralized Governance : Policies, workflows, and permissions are managed uniformly directly within Drupal.
• Decoupled Frontend : Specialized frontend implementations are tailored for different channels and use cases, but all draw from the same source.

This approach is particularly effective for organizations with complex content management needs and multiple channels to support, where content consistency is paramount.

Case study: Zambon Group

The Zambon project represents an exemplary implementation of this pattern. The platform utilizes Drupal CMS as the central content hub, the core that feeds the main corporate website, numerous product microsites in various languages, and all digital marketing initiatives.

The composable architecture allowed us to:

• Centralize content management with unified governance.
• Distribute consistent content across dozens of different touchpoints.
• Implement optimized frontends for various use cases.
• Reduce time-to-market for new digital initiatives by 40%.

Pattern 2: Drupal CMS as a Component of a Federated DXP

Sometimes, you need the “best of every world.” In this pattern, Drupal CMS acts as one of the specialized components within a federated Digital Experience Platform (DXP):

• Best-of-breed approach : Each component of the ecosystem specializes in its function. We choose the most performant solutions for each specific function.
• API orchestration : An integration layer that coordinates different systems, making them work in harmony.
• Specialized Microservices : Dedicated components for specific, agile, and independent functionalities.
• Unified Experience Layer : A frontend that aggregates (federates) content and functionalities from various sources, offering a fluid and unified user experience, even if many different systems operate behind the scenes.

This approach allows organizations to select the best solutions for each functional area, avoiding the vendor lock-in typical of monolithic DXPs.

Case study: Caleffi

The new Caleffi website implements this composable architecture pattern. Drupal CMS manages editorial content, while other specialized systems handle the product catalog, e-commerce, and CRM.

The benefits of this architecture include:

• Flexibility in selecting the best solutions for each function, and freedom from vendor lock-in.
• Ability to evolve individual components without impacting the entire ecosystem.
• Consistent integration of data from different systems (data federation).
• Unified user experience despite the diversity of backends.

Pattern 3: Drupal CMS as a Low-Code Development Platform

Drupal CMS is also evolving into a powerful tool used as a base for rapidly implementing digital applications with a low-code/no-code approach. In this innovative pattern, we find:

• Advanced Layout Builder : A visual interface for creating complex layouts with a simple drag-and-drop.
• Webform System : Creation of interactive forms and workflows, without needing to write code.
• Views Module : A visual query builder for creating customized data views, showing only what you need, in your preferred way.
• Rules and Automation : Implementation of business logic with visual interfaces, automating processes and streamlining work.

This approach allows organizations to significantly accelerate the development of digital applications, making the creation of experiences more accessible and reducing reliance on development resources.

Lessons Learned: Best Practices for Composable Implementations with Drupal CMS

Based on our extensive experience with numerous Drupal and composable architecture projects, we can identify several best practices that maximize the benefits of this approach and can make a difference in project success.

1. Define a Consistent API Strategy

APIs are the heart of composable architectures. Having a well-defined API strategy is fundamental for the success of a composable architecture:

• Standardize formats and conventions : REST, GraphQL, JSON:API—choose your standards and adhere to them.
• Implement API versioning : Ensure the operational continuity of your applications even when you update the APIs.
• Clearly define the authentication and authorization model : It is essential to precisely define who can do what with your APIs. Security comes first.
• Document APIs comprehensively with tools like OpenAPI : Good documentation reduces costs and frustrations, facilitates new implementations, and simplifies maintenance.

A clear API strategy, rooted in standardization and documentation, facilitates integration and significantly reduces maintenance costs over time.

2. Adopt a Design-First Approach

Instead of reactively developing APIs, design their implementation upfront. A design-first approach ensures greater consistency and usability:

• Define API contracts in detail before implementation : What they should do, what they return, and in what format and structure.
• Design APIs with consumer use cases in mind : Make them intuitive and easy for actual users.
• Validate the design with potential consumers : Early feedback allows for course correction when costs are still contained.
• Use mockup tools for early testing : Identify problems when they are still small and continue testing throughout all development phases.

This approach improves API quality and reduces the need for modifications during implementation, thereby containing remediation costs.

3. Implement Advanced CI/CD

A composable architecture requires a mature DevOps approach, with robust development and release pipelines:

• Full automation of build and deploy processes.
• Automated testing at the API level.
• Incremental deployment strategies to reduce risks.
• Continuous end-to-end monitoring of performance and availability.

These practices ensure that individual components can evolve independently without compromising the stability of the overall ecosystem, which is continuously monitored automatically.

4. Consider Governance from the Outset

Governance is a critical aspect of a composable architecture. Without clear governance, flexibility can turn into chaos:

• Define clear responsibilities for each component.
• Implement discovery mechanisms and service catalogs , a clear and easily accessible list of all services.
• Establish quality and security standards.
• Monitor API usage and performance.

Effective governance ensures that the flexibility of the composable architecture does not result in management complexity or inconsistencies.

Overcoming the Challenges of Composable Architecture

While the benefits of composable architecture are significant, it is important to acknowledge and address the challenges this approach entails. Here are the main ones:

• Integration Complexity. Managing multiple components and services can certainly introduce greater complexity.
  • Solution : Implement a centralized API gateway to manage routing, authentication, and monitoring.
  • Drupal Approach : Use modules like Subrequests and Decoupled Router to simplify integration.
• User Experience Consistency. With potentially decoupled frontends and backends, maintaining a consistent user experience can be a challenge.
  • Solution : Implement shared design systems and cross-platform component libraries.
  • Drupal Approach : Use Drupal as a repository for UI components accessible via API, ensuring consistency everywhere.
• End-to-End Performance. In distributed architectures, overall performance depends on multiple systems. Ensuring high performance in all circumstances requires specialized skills.
  • Solution : Implement advanced caching at different architectural levels.
  • Drupal Approach : Leverage Drupal’s built-in caching system, integrating it with CDNs and edge caching for stable and top-tier performance.
• Diversified Skill Set. Implementing composable architectures requires diverse and specialized technical skills, from data architecture to performance, from APIs to security, as well as design and frontend for decoupled solutions. In this scenario, an experienced partner with transversal skills who can collaborate with your team proves to be a winning strategic asset for all future challenges.
  • Solution : Cross-functional teams with complementary skills.
  • SparkFabrik Approach : Our team combines expertise in Drupal CMS, API design, modern frontend, DevOps, and supply chain security, supporting your resources, transferring know-how, and helping you achieve your business objectives.

A Look Ahead: The Future of Composable Architecture with Drupal CMS

Looking ahead, we can identify some emerging trends and innovations in the ecosystem that will make Drupal CMS even more effective and powerful as a base for composable architectures.

Composable Experience Builder

Drupal’s Layout Builder is evolving into a true “Experience Builder” capable of enabling visual composition of experiences across multiple channels. A new, completely WYSIWYG interface, with integrated responsive previews that show real-time rendering on different devices, finally eliminates the boundary between authoring and preview, allowing contextual modifications in real-time.

Furthermore, the flexibility and composability that distinguish Drupal are maintained, allowing for the creation and reuse of custom components within an intuitive interface, the orchestration of content from various sources, and the real-time personalization of the experience based on user data and behavior.

The evolution of Drupal’s Layout Builder into a true “experience studio” will enable:

• Visual composition of cross-channel experiences.
• Content orchestration from various sources.
• Personalization based on data and behaviors.
• Real-time preview on different devices and channels.

AI Integration for Content Orchestration

Artificial intelligence is transforming content management, and there is great excitement in the Drupal ecosystem, so much so that the Drupal AI Initiative was recently launched (SparkFabrik is also actively contributing to accelerate AI innovation in Drupal).

AI features are evolving at a rapid pace. Among others, intelligent suggestions for component combination, automatic optimization of layouts and content, predictive personalization based on behavioral patterns, and automation of tagging and categorization are expected thanks to Agentic AI. Moreover, the modular architecture allows support for various AI models (both cloud-based and on-premise), while the unified API enables extending any functionality with AI capabilities.

Artificial intelligence is transforming content management:

• Intelligent suggestions for component combinations.
• Automatic optimization of layouts and content.
• Predictive personalization based on behavioral patterns.
• Automation of tagging and categorization.

Edge Rendering and Distribution

A composable architecture can greatly benefit from edge rendering, allowing for the creation of high-performance web applications worldwide.

The evolution towards edge-first architectures will involve the distribution of content and logic closer to the end-user, with consequent server-side rendering “at the edge” to optimize performance, particularly for dynamic content and contextual personalization based on local data. In this way, specific and personalized functionalities can be delivered more quickly and closer to users, while other higher-level functionalities can reside in different geographical areas. This geographical distribution also improves operational resilience.

These innovations will further strengthen Drupal CMS’s position as an ideal platform for implementing composable architectures that combine flexibility, performance, and faster time-to-market.

Conclusions

Composable architecture represents a radical shift in how digital ecosystems are built, offering organizations the flexibility and agility needed to tackle a rapidly evolving market. Drupal CMS, with its API-first approach, flexible content model, and native modular architecture, positions itself as an ideal foundation for implementing this new paradigm.

Organizations adopting a composable approach with Drupal CMS can expect concrete and significant benefits, both at a technical level and for their business objectives:

• A significantly accelerated time-to-market for all new digital initiatives, including marketing campaigns.
• Greater flexibility in the evolution of their technological ecosystem.
• Reduced Total Cost of Ownership (TCO) thanks to the ability to update and evolve specific components without overhauling the entire system.
• Improved resilience , thanks to an architecture that is by definition more modular and adaptable.

With an experienced partner like SparkFabrik, which combines in-depth expertise in Drupal CMS, API architecture, and modern frontend, organizations can successfully undertake this transition. We build enabling digital ecosystems that not only meet today’s needs but are ready to continuously evolve to address future challenges.

Next Steps

If your organization is considering adopting a composable architecture based on Drupal CMS, we invite you to:

1. Explore our Drupal Services Suite by SparkFabrik with a focus on the API-first approach.
2. Watch the talk comparing different architectures presented by Luca Lusso, which delves into the pros and cons of various architectural approaches (Italian only).
3. Contact us for an assessment of your specific use case and an analysis of composable implementation opportunities.

This article is part of our series dedicated to Drupal CMS. To explore other aspects of the platform, we invite you to consult our previous articles on Drupal CMS features and benefits, its comparison with main alternatives, migration strategies from other systems, security and compliance with particular attention to regulated sectors, and the ambitious innovation roadmap with all the news from the ecosystem.