NIS2
The NIS2 Directive raises the cybersecurity and incident-reporting obligations on essential and important entities across the EU, and it makes senior management directly accountable for the security of the systems the organisation relies on, including its supply chain. Mickai reduces the attack surface at source: the sovereign brains run on hardware the organisation owns, fully offline, so there is no cloud AI service to secure, no data egress path to defend and no additional supply-chain link to assess. Because the system, the data and the audit record sit inside the organisation's own perimeter, NIS2's demands for risk management, supply-chain security, incident handling and reporting are satisfied by architecture and evidenced through a post-quantum Open Audit Record.
NIS2 widens the set of regulated entities and sharpens the cybersecurity-risk-management duties they carry, with explicit attention to supply-chain security and personal accountability for management. Every cloud AI service an organisation adds is a new component of that supply chain, a new egress path an attacker can target and a new environment the organisation must assess but cannot fully control. The Directive expects appropriate technical and organisational measures to manage security risks, incident handling with tight notification deadlines, business continuity and the security of the supply chain itself. Each of these becomes harder as the organisation depends more on infrastructure it neither owns nor can inspect. Mickai removes the exposure at source by keeping the models, the data and the audit trail on hardware the organisation owns, fully offline, so there is no cloud AI dependency in the supply chain and no data egress path to defend. Incidents are detected and contained within the organisation's own perimeter, resilience holds even when connectivity is lost, and every action is sealed to an immutable Open Audit Record that evidences security posture and accountability to the competent authority.
The six obligations this framework imposes are each met by construction on hardware you own and mapped to the subsystem that enforces it.
Attack Surface Reduction
Because the sovereign brains run on hardware you own with no network dependency, Mickai removes the cloud AI service and the data egress path that would otherwise expand the attack surface a NIS2 entity must defend. There is no external endpoint, credential or tenancy for an attacker to compromise in the inference path. The security perimeter contracts to infrastructure the organisation controls end to end. Risk management starts from a materially smaller surface.
Supply-Chain Security
NIS2 places direct duties on supply-chain security, and Mickai reduces that burden by removing the cloud AI provider from the supply chain entirely, so there is no additional vendor to assess, contract around or monitor. The AI capability is an owned asset rather than a supplier relationship, which shrinks the third-party surface that management is accountable for. Every model and binary loaded is signed and verified locally. The supply chain the organisation must secure is smaller and fully under its control.
Cybersecurity Risk-Management Measures
Mickai supports the NIS2 duty to implement appropriate technical and organisational measures by keeping the AI system, its data and its controls on hardware the organisation owns, so access control, integrity protection and monitoring are enforced locally. The measures and their outcomes are sealed to the Open Audit Record for reproducible evidence. There is no opaque vendor environment to factor into the risk assessment. Security posture is grounded in systems the organisation can inspect.
Incident Handling and Reporting
Because the system runs inside the organisation's own perimeter, security incidents are detected and contained locally rather than inside a vendor environment, which supports the NIS2 incident-handling duties and the tight early-warning and notification deadlines. The sealed audit trail evidences exactly what was accessed, when and with what impact, so notifications are accurate and first-hand. There is no reliance on a provider's incident disclosure. Reporting is backed by tamper-evident local evidence.
Business Continuity and Crisis Resilience
Mickai operates fully offline, so the AI capability continues to function even when connectivity is lost entirely, which directly supports the NIS2 business-continuity and crisis-management expectations. An external outage or a targeted attack on a cloud provider cannot take the capability down, because there is no external dependency in the inference path. Continuity is a property of the architecture rather than a recovery plan. The organisation retains its AI function under adverse conditions.
Accountable Governance Evidence
NIS2 makes senior management directly accountable for cybersecurity, and Mickai equips them with a post-quantum Open Audit Record that seals every action, access and configuration change into a tamper-evident trail. Management can evidence the organisation's security posture and controls to the competent authority from first-hand records rather than vendor assurances. Governance decisions are attributable and reproducible. Accountability is backed by cryptographic evidence the organisation holds.
The advantages hold across every framework, and they are architectural, not promotional. The third-party cloud-exposure vector is removed; your own physical, insider and compliance controls remain yours.
The data never leaves your hardware, so no third party and no cloud-provider employee ever sees it. What happens in the server room stays in the server room.
You own the compute and the capability, so the system runs independent of the internet and of any cloud vendor's pricing, terms, or availability.
The data never crosses a geographical or digital border because it never leaves the building, which removes the cross-border-transfer and third-party-processing friction of UK GDPR, Schrems II, and the sector rules. You keep your own obligations.
Fine-tune and run retrieval on your deepest archives to build a hyper-customised co-pilot, with no risk of your proprietary edge training a public model or leaking.
After the hardware and licence, queries cost essentially electricity. A capital asset you own and depreciate, instead of volatile per-token cloud bills.
There is no third-party cloud path, so no competitor and no vendor insider can scrape, intercept, or subpoena your prompts or your fine-tuned weights from the internet. The trust vault is closed by architecture.
You own the software snapshot on your own hardware, so a change to a cloud vendor's terms, a model deprecation, or an outage cannot reach you. The system stays predictable and auditable on-premise as the rules evolve.
How does on-premise AI help meet NIS2?
Mickai reduces the attack surface at source: the sovereign brains run on hardware the organisation owns, fully offline, so there is no cloud AI service to secure, no data egress path to defend and no additional supply-chain link to assess. The system, the data and the audit record sit inside the organisation's own perimeter, so NIS2's demands for risk management, supply-chain security, incident handling and reporting are satisfied by architecture and evidenced through a post-quantum Open Audit Record.
How does Mickai address NIS2 supply-chain security duties?
By removing the cloud AI provider from the supply chain entirely, Mickai leaves no additional vendor to assess, contract around or monitor for that capability. The AI is an owned asset rather than a supplier relationship, every model and binary is signed and verified locally, and the third-party surface that management is accountable for shrinks accordingly. The supply chain the organisation must secure is smaller and fully under its control.
How does Mickai support NIS2 incident reporting deadlines?
Because the system runs inside the organisation's own perimeter, incidents are detected and contained locally rather than inside a vendor environment, which supports the incident-handling duties and the tight early-warning and notification deadlines. The sealed audit trail evidences exactly what was accessed, when and with what impact, so notifications are accurate and first-hand rather than dependent on a provider's disclosure.
Does Mickai keep working if connectivity is lost?
Yes. Mickai operates fully offline, so the AI capability continues to function even when connectivity is lost entirely, which directly supports the NIS2 business-continuity and crisis-management expectations. An external outage or a targeted attack on a cloud provider cannot take the capability down, because there is no external dependency in the inference path.
How does Mickai help management meet NIS2 accountability duties?
Mickai equips management with a post-quantum Open Audit Record that seals every action, access and configuration change into a tamper-evident trail, so they can evidence the organisation's security posture and controls to the competent authority from first-hand records. Governance decisions are attributable and reproducible, and accountability is backed by cryptographic evidence the organisation holds rather than by vendor assurances.
Is Mickai a cloud service that would fall under our NIS2 supply chain?
No. Mickai is a Sovereign Intelligence Operating System acquired as an owned asset that runs on your own hardware, not a cloud service you depend on. Because there is no external provider running the workload, it does not add a link to the supply chain you must secure. The public cloud remains useful for non-regulated work; Mickai is the answer for the regulated-data boundary.
Bring NIS2 in-house.
Briefings are for organisations weighing a sovereign, on-premise deployment. Tell us about your estate and we will walk the obligations, the regulatory crosswalk and the deployment that fits.