Strategic security consulting
Honest analysis of your security posture. Concrete roadmap with quick wins, mid-term measures, and strategic investments.
Strategic consulting, NIS2 readiness, and AI Security for European SMEs. With a focus on data sovereignty and actually implementable measures.
The conditions for cybersecurity have shifted noticeably. Three developments shape the current picture:
My approach: Strategic consulting with implementation depth. Pragmatic roadmaps tailored to the size and maturity of your organisation. Security as an integral part of the business — not as an isolated compliance exercise.
Strategy, architecture, governance, awareness — designed for SMEs, without enterprise overhead.
NIS2 readiness check, gap identification, implementation guidance. Risk management, incident reporting, supply chain security.
Protection against prompt injection, data poisoning, model theft, data leaks. Governance that controls AI use without blocking innovation.
GDPR and EU AI Act built directly into the architecture, not retrofitted. With a focus on what is actually necessary.
Design of secure IT landscapes. Zero Trust instead of perimeter security. Permission concepts that work with AI agents.
Realistic phishing simulations, AI-specific risks (deepfakes, voice cloning, prompt engineering tricks).
MH-Services is strategic consulting with implementation depth. For 24/7 operations, large penetration testing engagements or tool resale, I'm happy to refer you to specialised partners in my network — so you get the right specialist for every need.
Security assessment + stakeholder interviews
Action plan + prioritization with management
Quick wins (often 60% of risk reduced with 20% of effort)
Strategic measures + ongoing support
Principle: Security is a process, not a one-off event. I build structures that grow with your organisation and hold up in everyday operations.
NIS2 applies to essential and important entities across 18 defined sectors (including energy, transport, banking, health, digital infrastructure, manufacturing of critical goods, research, postal services, waste, chemicals, food). Base threshold: 50+ employees or €10M annual revenue. Austrian transposition comes into force in 2026. A concrete readiness check clarifies applicability and identifies areas for action.
Fines are substantial: up to €10M or 2% of global annual revenue (essential entities) and €7M or 1.4% of revenue (important entities). Additionally: personal liability of executive management for demonstrable failure of due care. NIS2 explicitly requires management to oversee implementation of risk-management measures.
A SOC is an operational 24/7 service continuously monitoring alerts, handling incidents, performing incident response. Strategic security consulting operates upstream: what actually needs protection? Which risks are acceptable? Which architecture fits the organisation? Which tools are truly needed? MH-Services covers the strategy and architecture layer — for SOC operations, MH-Services refers to specialised partners in its network.
Real and escalating. Concrete current threats: phishing linguistically indistinguishable from legitimate communication thanks to LLMs; deepfake-based CEO fraud (multiple documented cases in the DACH region with seven-figure losses); prompt injection in LLM integrations causing data exfiltration or flawed decisions; voice cloning bypassing phone-based verification. These vectors have outpaced traditional awareness programmes.
Three practical dimensions: legal framework (data subject to EU law, not US law such as the CLOUD Act), infrastructure location (processing in EU data centres, not just "data residency"), vendor control (provider under EU jurisdiction, no obligation to disclose data to US authorities). Implementable options: EU cloud providers (Mistral, Scaleway, OVHcloud, StackIT), on-premise, or German/Austrian hosters.
Shadow IT with LLMs is the rule, not the exception. A pragmatic three-step approach: 1. Transparency (inventory instead of ban — who uses what, for what), 2. Guardrails (clear guidelines: which data into which tools, company accounts with enterprise SLAs instead of personal subscriptions), 3. Alternatives (where it makes sense: internal LLM access with audit trails and data-protection safeguards). This turns shadow IT into governance-compliant use.
Full readiness for a mid-sized organisation: 4–6 months, broken into assessment (week 1–3), action plan and prioritisation (week 3–5), quick wins (week 5–10 — often 60% of risk reduction in 20% of effort), strategic measures (month 3+, ongoing). The timeline depends on the starting position; a first solid assessment is available within a few days via a NIS2 readiness check.