NIS2 brings a much larger group of European SMEs and mid-market organisations into mandatory cyber incident management, reporting and evidence obligations. These organisations need 24/7 security monitoring, but current SIEM/SOAR and MDR offerings are priced and staffed for large enterprises, with a high share of cost driven by human L1/L2 analysts.
Existing European sovereign SecOps platforms mainly provide tools for analysts, while emerging AI-SOC solutions rely heavily on US cloud services and do not provide auditable guarantees on missed incidents. For NIS2-regulated SMEs, uncontrolled AI triage, manual tenant-by-tenant rule tuning and consultant-led compliance reporting are not sufficient.
The market need is a lower-cost, EU-sovereign SOC service that can safely serve many SME tenants with the same analyst team, reduce alert fatigue, share validated detection knowledge across tenants without exposing raw data, and generate NIS2 evidence directly from operational telemetry.

SOC-EU proposes a multi-tenant SOC service in which an open-weight, security-specialised LLM performs L1/L2 alert triage under a selective-autonomy model: only cases with sufficient calibrated confidence are closed automatically, while uncertain or high-risk cases are escalated to human analysts. The target is to automate a large share of routine triage while maintaining a statistically bounded false-negative escape rate that can be audited.
The service will automatically tune detections per tenant and continuously measure rule performance, reducing false positives without degrading coverage for other tenants. When an incident is confirmed for one tenant, the system will convert it into a validated detection artefact, such as a Sigma rule, test it for regressions and deploy it to other tenants without exporting raw logs or sensitive customer data.
NIS2 compliance will be embedded in the operational workflow. Incident timelines, triage decisions, evidence and response actions will be derived from the same runtime telemetry and linked into structured reports for early warning, notification and later audit preparation. The inference layer will run on EU infrastructure using a small, adapted security LLM suitable for SME economics and multilingual European environments.

The consortium will design and implement the SOC-EU multi-tenant SOC-as-a-service architecture on EU-sovereign infrastructure, including secure tenant isolation, telemetry pipelines, analyst workflows and integration with existing SOC tooling.
It will develop and validate the calibrated LLM triage layer, including uncertainty estimation, selective autonomy, fail-safe escalation to human analysts, audit trails and red-team validation of the false-negative escape rate across pilot tenants.
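
The selective-autonomy model sketched in the proposal (close only confidently benign cases, escalate the rest) and the audited false-negative escape rate it depends on can be made concrete. The following is an added Python illustration, not SOC-EU project code: the triage LLM is not called, each alert carries a constructed, hypothetical calibrated confidence, the 0.97 threshold and the severity rule are assumptions, and the escape-rate bound is an exact one-sided binomial (Clopper-Pearson) bound computed from a sample of re-examined auto-closed alerts.

```python
"""Selective-autonomy triage gate with an auditable false-negative bound.

Added illustration of the triage model described above; it is not SOC-EU
project code. The LLM is not called: each alert carries a constructed,
hypothetical calibrated confidence, and the thresholds are assumptions.
"""
from dataclasses import dataclass
from math import comb


@dataclass
class Alert:
    alert_id: str
    tenant: str
    severity: str        # "low", "medium", "high" or "critical"
    model_verdict: str   # "benign" or "malicious", as proposed by the triage model
    confidence: float    # calibrated probability (0..1) that the verdict is correct


AUTO_CLOSE_CONFIDENCE = 0.97           # assumption: minimum confidence to close without a human
HIGH_RISK_SEVERITIES = {"high", "critical"}


def route(alert: Alert) -> str:
    """Return "auto_close" or "escalate" for one alert.

    Fail-safe rules: only benign verdicts can be closed automatically, high-risk
    severities always reach an analyst, and anything below the confidence
    threshold is escalated rather than guessed.
    """
    if alert.model_verdict != "benign":
        return "escalate"
    if alert.severity in HIGH_RISK_SEVERITIES:
        return "escalate"
    if alert.confidence < AUTO_CLOSE_CONFIDENCE:
        return "escalate"
    return "auto_close"


def triage_batch(alerts):
    """Route a batch and return the alert ids per decision, for the audit trail."""
    decisions = {"auto_close": [], "escalate": []}
    for alert in alerts:
        decisions[route(alert)].append(alert.alert_id)
    return decisions


def _binomial_cdf(k: int, n: int, p: float) -> float:
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def escape_rate_upper_bound(audited: int, missed: int, confidence: float = 0.95) -> float:
    """One-sided Clopper-Pearson upper bound on the true false-negative escape rate.

    `audited` auto-closed alerts were re-examined (human sampling or red-team
    replay) and `missed` of them were real incidents. The bound is the largest
    escape rate still consistent with that sample at the given confidence; it is
    found by bisection on the binomial CDF, so no SciPy is needed.
    """
    if audited <= 0:
        raise ValueError("need at least one audited alert")
    if missed >= audited:
        return 1.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if _binomial_cdf(missed, audited, mid) > alpha:
            lo = mid      # true rate can still be larger than mid
        else:
            hi = mid
    return hi


def escape_rate_within_target(audited: int, missed: int, target: float) -> bool:
    """True when the audit sample proves the escape rate is at or below `target`."""
    return escape_rate_upper_bound(audited, missed) <= target


# Constructed alerts, not telemetry from any real tenant.
SAMPLE_ALERTS = [
    Alert("a1", "tenant-a", "low", "benign", 0.99),        # auto-close
    Alert("a2", "tenant-a", "medium", "benign", 0.91),     # escalate: below threshold
    Alert("a3", "tenant-b", "high", "benign", 0.995),      # escalate: high-risk severity
    Alert("a4", "tenant-b", "low", "malicious", 0.80),     # escalate: malicious verdict
    Alert("a5", "tenant-c", "low", "benign", 0.98),        # auto-close
]

if __name__ == "__main__":
    print(triage_batch(SAMPLE_ALERTS))
    # 300 audited auto-closes with 0 misses bound the escape rate below 1 % at 95 % confidence
    print(round(escape_rate_upper_bound(300, 0), 4))
```

The bound is what makes the "statistically bounded" claim auditable: a pilot that re-examines 300 auto-closed alerts and finds no missed incident can state a 95 % upper bound just under 1 %, while 100 audited alerts with no misses only support a bound of roughly 3 %, so the audit sample size has to be planned against the target rate.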
The project will build automated cross-tenant detection engineering capabilities: tenant-specific rule calibration, continuous rule efficacy measurement, regression testing and deployment of validated detection artefacts across tenants without sharing raw logs.
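
The regression-tested detection artefact described earlier (a confirmed incident turned into a Sigma rule, checked and then deployed to other tenants) and the continuous rule efficacy measurement in this work package can share one gate. The following is an added Python illustration, not SOC-EU project code and not a Sigma library: it implements only the Sigma subset the example needs (a flat field map per selection, the contains/startswith/endswith modifiers, and and/or/not conditions without parentheses), the rule and all events are constructed fixtures, and the point it demonstrates is that the artefact ships with synthetic positive and negative samples so that no tenant's raw logs have to leave its environment for the rule to be validated.

```python
"""Regression gate for a Sigma-style detection artefact before cross-tenant deployment.

Added illustration for the detection-sharing workflow described above; it is
not SOC-EU project code. Only a small Sigma subset is implemented, and the rule
and events below are constructed fixtures, not data from any tenant.
"""


def _field_matches(event: dict, spec: str, expected) -> bool:
    """Evaluate one `Field|modifier: value(s)` entry; Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for candidate in candidates:
        candidate = str(candidate).lower()
        if modifier == "contains" and candidate in actual:
            return True
        if modifier == "startswith" and actual.startswith(candidate):
            return True
        if modifier == "endswith" and actual.endswith(candidate):
            return True
        if modifier == "" and actual == candidate:
            return True
    return False


def _evaluate_condition(condition: str, results: dict) -> bool:
    """Left-to-right evaluation of conditions such as "selection and not filter"."""
    value, op, negate = None, None, False
    for token in condition.split():
        if token in ("and", "or"):
            op = token
            continue
        if token == "not":
            negate = True
            continue
        term = results[token] != negate   # XOR applies a pending "not"
        negate = False
        if value is None:
            value = term
        elif op == "and":
            value = value and term
        else:
            value = value or term
    return bool(value)


def rule_matches(rule: dict, event: dict) -> bool:
    detection = rule["detection"]
    results = {
        name: all(_field_matches(event, spec, exp) for spec, exp in block.items())
        for name, block in detection.items()
        if name != "condition"
    }
    return _evaluate_condition(detection["condition"], results)


def regression_test(rule: dict, positives: list, negatives: list) -> dict:
    """Deployment gate: every positive fixture must fire, no negative fixture may fire."""
    missed = [e["id"] for e in positives if not rule_matches(rule, e)]
    false_hits = [e["id"] for e in negatives if rule_matches(rule, e)]
    return {"deployable": not missed and not false_hits, "missed": missed, "false_hits": false_hits}


def rule_efficacy(rule: dict, labelled_events: list) -> dict:
    """Per-tenant efficacy: precision and recall over (event, analyst_confirmed) pairs."""
    tp = fp = fn = 0
    for event, is_incident in labelled_events:
        fired = rule_matches(rule, event)
        if fired and is_incident:
            tp += 1
        elif fired:
            fp += 1
        elif is_incident:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 1.0
    return {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}


# Constructed detection artefact in Sigma structure (not a rule from any tenant or project).
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"},
        "filter": {"ParentImage|endswith": "\\ci-runner.exe"},   # tenant-specific exclusion
        "condition": "selection and not filter",
    },
}

# Constructed synthetic fixtures shipped with the artefact instead of raw tenant logs.
POSITIVES = [
    {"id": "p1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc PLACEHOLDER", "ParentImage": "C:\\Windows\\explorer.exe"},
]
NEGATIVES = [
    {"id": "n1", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": "n2", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc PLACEHOLDER", "ParentImage": "D:\\agents\\ci-runner.exe"},
    {"id": "n3", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo -enc", "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    print(regression_test(RULE, POSITIVES, NEGATIVES))
    print(rule_efficacy(RULE, [(POSITIVES[0], True)] + [(e, False) for e in NEGATIVES]))
```

The gate fails on either kind of regression: a filter widened too far hides the incident the rule was created for (a missed positive), and a rule shipped without the tenant's exclusion fires on that tenant's CI runner (a false hit), which is exactly the coverage-versus-false-positive trade-off the efficacy measurement tracks over time.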
It will implement NIS2 evidence-by-design functions, linking runtime telemetry, triage decisions and incident handling actions into structured early-warning, notification and audit evidence workflows, with support for national transposition requirements where relevant.
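
The evidence-by-design idea described in the proposal and in this work package (incident timeline, triage decisions and response actions derived from the same runtime telemetry and linked into early-warning, notification and audit material) can be shown end to end on a small record. The following is an added Python illustration, not SOC-EU project code: the telemetry events are constructed, the reporting deadlines are the NIS2 Article 23 ones (early warning within 24 hours and incident notification within 72 hours of becoming aware, final report one month after the notification, with the month approximated as 30 days here as an assumption), and the tamper-evident audit trail is a plain SHA-256 hash chain over the ordered events.

```python
"""NIS2 evidence record derived from runtime telemetry.

Added illustration of evidence-by-design; not SOC-EU project code. The events
are constructed, and the "one month" final-report deadline is approximated as
30 days (assumption).
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def nis2_deadlines(aware_at: datetime, notified_at: datetime = None) -> dict:
    """Article 23 reporting deadlines, all counted from the moment of becoming aware."""
    deadlines = {
        "early_warning_due": aware_at + timedelta(hours=24),
        "incident_notification_due": aware_at + timedelta(hours=72),
    }
    if notified_at is not None:
        deadlines["final_report_due"] = notified_at + timedelta(days=30)  # assumption: 1 month = 30 days
    return deadlines


def hash_chain(events: list) -> list:
    """Link ordered events so that any later edit to an entry is detectable."""
    prev, chain = GENESIS, []
    for event in events:
        payload = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + payload).encode()).hexdigest()
        chain.append({"event": event, "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for link in chain:
        payload = json.dumps(link["event"], sort_keys=True)
        if link["prev"] != prev or hashlib.sha256((prev + payload).encode()).hexdigest() != link["hash"]:
            return False
        prev = link["hash"]
    return True


def build_incident_record(events: list, notified_at: datetime = None) -> dict:
    """Turn raw telemetry and triage events into a structured, auditable incident record."""
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))
    confirmations = [e for e in ordered if e["kind"] == "analyst_confirmed"]
    if not confirmations:
        raise ValueError("no confirmed incident in the telemetry; nothing to report")
    aware_at = _parse(confirmations[0]["ts"])   # awareness = first human confirmation
    return {
        "tenant": ordered[0]["tenant"],
        "first_alert_at": _parse(ordered[0]["ts"]),
        "aware_at": aware_at,
        "deadlines": nis2_deadlines(aware_at, notified_at),
        "triage_decisions": [e["detail"] for e in ordered if e["kind"] == "triage_decision"],
        "response_actions": [e["detail"] for e in ordered if e["kind"] == "response_action"],
        "timeline": hash_chain(ordered),
    }


# Constructed telemetry for one tenant; not real customer data.
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T08:12:05Z", "tenant": "tenant-a", "kind": "alert_raised",
     "detail": "rule R-0042 fired on host ws-17"},
    {"ts": "2025-03-10T08:13:40Z", "tenant": "tenant-a", "kind": "triage_decision",
     "detail": "LLM escalated: confidence 0.71 below auto-close threshold"},
    {"ts": "2025-03-10T09:05:00Z", "tenant": "tenant-a", "kind": "analyst_confirmed",
     "detail": "analyst confirmed significant incident"},
    {"ts": "2025-03-10T09:20:00Z", "tenant": "tenant-a", "kind": "response_action",
     "detail": "host ws-17 isolated from network"},
]

if __name__ == "__main__":
    record = build_incident_record(SAMPLE_EVENTS)
    print(record["deadlines"]["early_warning_due"].isoformat())   # 24 h after confirmation
    print(verify_chain(record["timeline"]))                         # True
```

Because the deadlines are computed from the confirmation event in the same telemetry that drives triage, the early-warning clock starts from an event that is itself part of the hash-chained timeline, which is what an auditor needs to check that a report was timely rather than taking the reported time on trust.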
The partners will adapt and evaluate an open-weight, security-specialised LLM for EU-sovereign inference on 1–2 GPUs, including multilingual SME-relevant data such as local-language phishing and operational logs. Pilots will measure alert automation, false-positive reduction, onboarding time, time to collective protection, reporting effort and inference cost.