MICKAI
Compliance · Network and information security on owned infrastructure

NIS2

The NIS2 Directive raises the cybersecurity and incident-reporting obligations on essential and important entities across the EU, and it makes senior management directly accountable for the security of the systems the organisation relies on, including its supply chain. Mickai reduces the attack surface at source: the sovereign brains run on hardware the organisation owns, fully offline, so there is no cloud AI service to secure, no data egress path to defend and no additional supply-chain link to assess. Because the system, the data and the audit record sit inside the organisation's own perimeter, NIS2's demands for risk management, supply-chain security, incident handling and reporting are satisfied by architecture and evidenced through a post-quantum Open Audit Record.

Why the cloud cannot satisfy this

NIS2 widens the set of regulated entities and sharpens the cybersecurity-risk-management duties they carry, with explicit attention to supply-chain security and personal accountability for management. Every cloud AI service an organisation adds is a new component of that supply chain, a new egress path an attacker can target and a new environment the organisation must assess but cannot fully control. The Directive expects appropriate technical and organisational measures to manage security risks, incident handling with tight notification deadlines, business continuity and the security of the supply chain itself. Each of these becomes harder as the organisation depends more on infrastructure it neither owns nor can inspect. Mickai removes the exposure at source by keeping the models, the data and the audit trail on hardware the organisation owns, fully offline, so there is no cloud AI dependency in the supply chain and no data egress path to defend. Incidents are detected and contained within the organisation's own perimeter, resilience holds even when connectivity is lost, and every action is sealed to an immutable Open Audit Record that evidences security posture and accountability to the competent authority.

How Mickai meets it

The 6 obligations this framework imposes, each met by construction on hardware you own and mapped to the subsystem that enforces it.

Enforced by Air-gapped architecture · Removes Cloud AI endpoints and internet-facing egress paths

Attack Surface Reduction

Because the sovereign brains run on hardware you own with no network dependency, Mickai removes the cloud AI service and the data egress path that would otherwise expand the attack surface a NIS2 entity must defend. There is no external endpoint, credential or tenancy for an attacker to compromise in the inference path. The security perimeter contracts to infrastructure the organisation controls end to end. Risk management starts from a materially smaller surface.

Enforced by Sentinel · Removes Cloud AI supplier assessments and vendor security reviews

Supply-Chain Security

NIS2 places direct duties on supply-chain security, and Mickai reduces that burden by removing the cloud AI provider from the supply chain entirely, so there is no additional vendor to assess, contract around or monitor. The AI capability is an owned asset rather than a supplier relationship, which shrinks the third-party surface management is accountable for. Every model and binary loaded is signed and verified locally. The supply chain the organisation must secure is smaller and fully under its control.

Enforced by Nomos · Removes Cloud shared-responsibility security models

Cybersecurity Risk-Management Measures

Mickai supports the NIS2 duty to implement appropriate technical and organisational measures by keeping the AI system, its data and its controls on hardware the organisation owns, so access control, integrity protection and monitoring are enforced locally. The measures and their outcomes are sealed to the Open Audit Record for reproducible evidence. There is no opaque vendor environment to factor into the risk assessment. Security posture is grounded in systems the organisation can inspect.

Enforced by Open Audit Record · Removes Cloud provider incident disclosures and shared telemetry

Incident Handling and Reporting

Because the system runs inside the organisation's own perimeter, security incidents are detected and contained locally rather than inside a vendor environment, which supports the NIS2 incident-handling duties and the tight early-warning and notification deadlines. The sealed audit trail evidences exactly what was accessed, when and with what impact, so notifications are accurate and first-hand. There is no reliance on a provider's incident disclosure. Reporting is backed by tamper-evident local evidence.

Enforced by Air-gapped architecture · Removes Cloud availability SLAs and disaster-recovery dependencies

Business Continuity and Crisis Resilience

Mickai operates fully offline, so the AI capability continues to function even when connectivity is lost entirely, which directly supports the NIS2 business-continuity and crisis-management expectations. An external outage or a targeted attack on a cloud provider cannot take the capability down, because there is no external dependency in the inference path. Continuity is a property of the architecture rather than a recovery plan. The organisation retains its AI function under adverse conditions.

Enforced by Open Audit Record · Removes Cloud audit reports and vendor security attestations

Accountable Governance Evidence

NIS2 makes senior management directly accountable for cybersecurity, and Mickai equips them with a post-quantum Open Audit Record that seals every action, access and configuration change into a tamper-evident trail. Management can evidence the organisation's security posture and controls to the competent authority from first-hand records rather than vendor assurances. Governance decisions are attributable and reproducible. Accountability is backed by cryptographic evidence the organisation holds.

The sovereign advantages

The advantages hold across every framework, and they are architectural, not promotional. The third-party cloud-exposure vector is removed; your own physical, insider and compliance controls remain yours.

Zero-trust data privacy

The data never leaves your hardware, so no third party and no cloud-provider employee ever sees it. What happens in the server room stays in the server room.

No vendor lock-in or outage exposure

You own the compute and the capability, so the system runs independent of the internet and of any cloud vendor's pricing, terms, or availability.

Data residency by default

The data never crosses a geographical or digital border because it never leaves the building, which removes the cross-border-transfer and third-party-processing friction of UK GDPR, Schrems II, and the sector rules. You keep your own obligations.

Proprietary advantage stays private

Fine-tune and run retrieval on your deepest archives to build a hyper-customised co-pilot, with no risk of your proprietary edge training a public model or leaking.

Predictable total cost of ownership

After the hardware and licence, queries cost essentially electricity. A capital asset you own and depreciate, instead of volatile per-token cloud bills.

The zero-espionage trust vault

There is no third-party cloud path, so no competitor and no vendor insider can scrape, intercept, or subpoena your prompts or your fine-tuned weights from the internet. The trust vault is closed by architecture.

Immunity to regulatory drift

You own the software snapshot on your own hardware, so a change to a cloud vendor's terms, a model deprecation, or an outage cannot reach you. The system stays predictable and auditable on-premise as the rules evolve.

Questions

How does on-premise AI help meet NIS2?

Mickai reduces the attack surface at source: the sovereign brains run on hardware the organisation owns, fully offline, so there is no cloud AI service to secure, no data egress path to defend and no additional supply-chain link to assess. The system, the data and the audit record sit inside the organisation's own perimeter, so NIS2's demands for risk management, supply-chain security, incident handling and reporting are satisfied by architecture and evidenced through a post-quantum Open Audit Record.

How does Mickai address NIS2 supply-chain security duties?

By removing the cloud AI provider from the supply chain entirely, Mickai leaves no additional vendor to assess, contract around or monitor for that capability. The AI is an owned asset rather than a supplier relationship, every model and binary is signed and verified locally, and the third-party surface management is accountable for shrinks accordingly. The supply chain the organisation must secure is smaller and fully under its control.

How does Mickai support NIS2 incident reporting deadlines?

Because the system runs inside the organisation's own perimeter, incidents are detected and contained locally rather than inside a vendor environment, which supports the incident-handling duties and the tight early-warning and notification deadlines. The sealed audit trail evidences exactly what was accessed, when and with what impact, so notifications are accurate and first-hand rather than dependent on a provider's disclosure.

Does Mickai keep working if connectivity is lost?

Yes. Mickai operates fully offline, so the AI capability continues to function even when connectivity is lost entirely, which directly supports the NIS2 business-continuity and crisis-management expectations. An external outage or a targeted attack on a cloud provider cannot take the capability down, because there is no external dependency in the inference path.

How does Mickai help management meet NIS2 accountability duties?

Mickai equips management with a post-quantum Open Audit Record that seals every action, access and configuration change into a tamper-evident trail, so they can evidence the organisation's security posture and controls to the competent authority from first-hand records. Governance decisions are attributable and reproducible, and accountability is backed by cryptographic evidence the organisation holds rather than by vendor assurances.

Is Mickai a cloud service that would fall under our NIS2 supply chain?

No. Mickai is a Sovereign Intelligence Operating System acquired as an owned asset that runs on your own hardware, not a cloud service you depend on. Because there is no external provider running the workload, it does not add a link to the supply chain you must secure. The public cloud remains useful for non-regulated work; Mickai is the answer for the regulated-data boundary.

Lawful B2B engagement

Bring NIS2 in-house.

Briefings are for organisations weighing a sovereign, on-premise deployment. Tell us about your estate and we will walk the obligations, the regulatory crosswalk and the deployment that fits.
