AI in critical infrastructure is no longer optional. Neither is governance.
NIS2, CER, and EU AI Act high-risk obligations make AI failure a regulatory event. We build the governance and security layers that turn AI from a compliance risk into a compliance asset — for operators in energy, transport, telecom, finance, and healthcare.
The Regulatory Squeeze
Three regulatory layers,
one deadline pressure.
NIS2 / Cyberbeveiligingswet (NL)
Expected Q2 2026 in the Netherlands. Equivalents transposed across the EU. Mandatory risk management, incident reporting, supply-chain security, and — critically — accountability of management bodies. AI systems used in operations fall under this scope.
CER Directive
The Critical Entities Resilience Directive. Operational resilience requirements for essential and important entities. Where AI supports operational decisions, the resilience burden extends to those AI systems.
EU AI Act — High-Risk Categories
Annex III high-risk obligations apply to AI in critical infrastructure management, employment decisions, essential services, law enforcement, migration, and justice. Enforcement begins August 2026. Documentation, oversight, and post-market monitoring are mandatory.
Where AI Sits in Critical Operations
The AI in your operational stack —
visible and invisible.
Anomaly detection in OT systems
ML models watching SCADA telemetry, network traffic, sensor streams. False negatives become safety events. False positives become alert fatigue and erosion of trust.
Predictive maintenance
Models forecasting failure of physical assets. Mistakes here are not "the model was wrong" — they are unplanned outages, regulatory reporting events, or worse.
Decision-support for operators
AI-assisted recommendations to human controllers. The audit question is no longer did the human decide — it is what did the AI tell the human, and could the human reasonably override it.
Sensor fusion for situational awareness
Multiple data sources combined into a single operational picture. Failure modes are emergent — no single model is "wrong," but the fused output is misleading. Standard testing doesn't catch this.
Our Approach
What we deliver for
critical infrastructure operators.
Governance-as-architecture for high-risk AI
Decision logging, traceability, oversight gates, human-in-the-loop policies — built into the AI system, not bolted on. When auditors ask for evidence, evidence exists by design.
Adversarial risk assessment for safety-critical AI
Beyond standard ML eval: adversarial inputs, distribution shift (training data ≠ operational reality), emergent failures in multi-component systems, failure mode analysis aligned with safety-engineering practice.
NIS2 / CER / EU AI Act evidence packs
Documentation in the formats regulators and notified bodies expect. Risk assessments, technical files, post-market monitoring plans, incident response procedures — cross-walked against all three regulatory regimes.
Sector-scoped readiness assessment
AI Readiness Assessment configured for your sector's regulatory baseline. Energy operators don't need a fintech assessment. Transport operators don't need a healthcare assessment. We scope.
Sectors
Where we work.
Energy
generation, transmission, distribution, smart grid
Transport
rail, aviation, ports, urban mobility
Telecom
network operations, cybersecurity, fraud detection
Finance
operational AI in payments, banking, capital markets
Healthcare
hospital operations, diagnostic AI, supply chain
Engagement Models
Three ways operators engage us.
01
Regulatory Readiness Scan
Fixed-scope diagnostic. 2–4 weeks. Maps your AI portfolio against NIS2, CER, and EU AI Act high-risk obligations. Deliverable: gap report, prioritized remediation plan, evidence baseline.
02
Implementation Programme
Multi-month engagement to close identified gaps. Governance architecture deployment, security testing programme setup, evidence pack creation, internal training. Outcome: audit-ready posture.
03
Continuous Compliance Partnership
Quarterly programme. Ongoing security testing on AI system changes, governance updates as regulations evolve, incident response support, board reporting cadence.
Two Starting Points
Map your AI portfolio.
Build audit-ready evidence.
Request a capability briefing for your operational AI footprint, or download our NIS2 + EU AI Act mapping guide.