Paarker SRL

Multi-Regulatory Compliance Evidence for NIS2 Essential Entities

ClaimSeal captures, classifies, and cryptographically seals compliance evidence across NIS2, DORA, and the Cyber Resilience Act. Built for European essential entities.

15,000+ Italian entities captured by NIS2 (D.Lgs. 138/2024)

Oct 2026: hard deadline for full technical compliance

24-72 hrs: mandatory incident reporting to CSIRT Italia

NIS2 mandates comprehensive cybersecurity measures for essential entities across energy, water, transport, health, and manufacturing. Legacy compliance tools - built for US frameworks and manual data entry - cannot address the cross-infrastructure dependencies and supply-chain security that European regulators now demand.

ClaimSeal

Dual-Taxonomy Classification

One operational event mapped to NIS2, DORA, and CRA in a single pass. No more triple-logging.

Cryptographic Evidence Integrity

Hash-chain verification seals every piece of evidence at capture. Mathematical proof for ACN auditors.

Cross-Infrastructure Risk Visibility

Maps compliance dependencies across your supply chain. Addresses the NIS2 Article 21 mandate.

Source-Agnostic Collection

CI/CD pipelines, SCADA/OT systems, ERP platforms, AI tools - via the ADTR open interchange standard.


Understanding European Infrastructure Risk

European critical infrastructure - hydroelectric cascades, cross-border electrical grids, manufacturing corridors - is physically interconnected but monitored as separate domains. Our research maps three compounding structural vulnerabilities that NIS2 compliance approaches must address.


Product

ClaimSeal

Automated multi-regulatory compliance evidence that integrates directly into your operational workflows. No manual spreadsheets. No screenshots. Cryptographic proof.

Why Legacy Compliance Tools Fail Under NIS2

US-centric design. Most compliance platforms were built around SOC2 and US regulatory frameworks. They lack native support for the dual-taxonomy complexity of NIS2, DORA, and CRA operating across European essential entities.

Manual data entry. Compliance evidence is captured through screenshots, self-reported questionnaires, and periodic assessments rather than continuous automated collection from operational systems.

No infrastructure awareness. Legacy platforms assess organisations in isolation. They cannot map cross-infrastructure dependencies or visualise how a supplier's security posture affects your downstream compliance.

No cryptographic proof. When ACN auditors request historical compliance evidence, organisations produce screenshots and spreadsheets. There is no mathematical proof that evidence existed, was untampered, and was correctly classified at the time of capture. ClaimSeal changes this.

Four Pillars of Automated Evidence

Dual-Taxonomy Classification Bridge

A single operational event - patching a firewall, deploying a code update, rotating credentials - has compliance implications under NIS2, DORA, and the CRA. Most tools require you to log it separately for each framework. ClaimSeal analyses the evidence and classifies it against all applicable frameworks in one pass, identifying where they align and flagging where they conflict.

Cryptographic Evidence Integrity

Every piece of compliance evidence is sealed at the exact moment of capture using hash-chain verification. This creates a mathematical proof that the evidence existed, remained untampered, and was correctly classified under the regulation as it stood at that point in time. When ACN auditors come calling months later, you present cryptographic proofs - not self-reported spreadsheets.
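
A minimal sketch of the hash-chain sealing described above, added here as an illustration; it is not ClaimSeal's implementation. The record fields (`event`, `frameworks`, `captured_at`), the genesis value and the sample events are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first link
FIELDS = ("event", "frameworks", "captured_at")  # hypothetical field names


def _digest(prev_seal, payload):
    # Canonical JSON so the same record always produces the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_seal + body).encode("utf-8")).hexdigest()


def seal(chain, event, frameworks, captured_at):
    """Append a record whose seal covers content, classification, time and predecessor."""
    payload = {"event": event, "frameworks": sorted(frameworks), "captured_at": captured_at}
    prev_seal = chain[-1]["seal"] if chain else GENESIS
    chain.append(dict(payload, prev=prev_seal, seal=_digest(prev_seal, payload)))
    return chain[-1]["seal"]


def first_invalid(chain):
    """Return the index of the first record that fails verification, or None."""
    prev_seal = GENESIS
    for i, rec in enumerate(chain):
        payload = {k: rec[k] for k in FIELDS}
        if rec["prev"] != prev_seal or rec["seal"] != _digest(prev_seal, payload):
            return i
        prev_seal = rec["seal"]
    return None


def build(classification_of_second):
    # Constructed sample events, using the operational events named in the text.
    chain = []
    seal(chain, "firewall patched", ["NIS2", "DORA"], "2026-01-10T09:00:00Z")
    seal(chain, "credentials rotated", classification_of_second, "2026-01-11T14:30:00Z")
    head = seal(chain, "code update deployed", ["NIS2", "CRA"], "2026-01-12T08:15:00Z")
    return chain, head


def demo():
    chain, anchored_head = build(["NIS2"])       # head stored outside the evidence store
    intact = first_invalid(chain)                 # chain as captured
    chain[1]["frameworks"] = ["DORA", "NIS2"]     # in-place edit of a classification
    edited = first_invalid(chain)                 # edit breaks the seal at that record
    rebuilt, new_head = build(["DORA", "NIS2"])   # whole chain recomputed after the edit
    return intact, edited, first_invalid(rebuilt), new_head == anchored_head
```

The last two values returned by `demo()` show why the chain head has to be anchored somewhere the evidence store's operators cannot rewrite, such as a signed or externally timestamped record: a fully recomputed chain verifies internally and is caught only by comparing heads.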

Cross-Infrastructure Risk Visibility

NIS2 Article 21(2)(d) mandates supply-chain security. ClaimSeal maps how your compliance posture is linked to your suppliers, operational partners, and shared infrastructure in real time. A manufacturing plant in Lombardy can see exactly how its NIS2 compliance depends on its cloud provider and its local energy utility's cybersecurity practices.

Source-Agnostic Evidence Collection

Modern operational environments generate data from human operators, AI-assisted tools, automated pipelines, and autonomous OT systems. ClaimSeal collects from all sources through the ADTR (Auditable Data Transport Record) - an open-source JSON schema for compliance data interchange, designed for universal adoption across the European ecosystem.

Where ClaimSeal Operates

The European compliance market is split between two categories. Traditional compliance platforms manage policies and checklists but lack infrastructure awareness and produce no cryptographic proof. Industrial OT monitoring tools detect threats in operational networks but produce no regulatory-grade compliance evidence.

Neither category produces the cryptographically sealed, regulation-mapped, historically verifiable evidence that NIS2 auditors will demand starting October 2026. That gap - between detection and compliance - is where ClaimSeal operates.

Research

Structural Vulnerability in European Critical Infrastructure

Three compounding layers of risk that compliance approaches must address: cascade topology, monitoring blind spots, and software template monoculture.

The conventional framing of critical infrastructure security asks whether an adversary can breach the perimeter of a defended system. This analysis asks a different question: what if the topology of the infrastructure itself - the physical dependencies between systems, the gaps in how those systems are monitored, and the shared architectural patterns through which those systems were built - constitutes the vulnerability?

Having spent three and a half years at Amazon Web Services working with regulated infrastructure operators across the EU, I have seen these patterns firsthand. The same cascade physics, monitoring gaps, and template reuse that affect infrastructure globally affect European infrastructure with equal severity. The implications for NIS2 compliance are direct.

Three Layers of Compounding Risk

Layer One

Physical Cascade Topology

European infrastructure is physically interconnected. Alpine hydroelectric cascades feed the ENTSO-E synchronous grid. The Po River basin connects agricultural water supply, industrial cooling, municipal treatment, and power generation in a single hydrological system. Nuclear plants depend on river water for cooling.

Physical consequences propagate at the speed of hydraulics and electrical frequency deviation. Defensive responses propagate at the speed of inter-agency coordination. On January 8, 2021, a cascade of automatic disconnections split the ENTSO-E Continental Europe Synchronous Area in seconds, triggering emergency load-shedding across multiple countries before any human operator could intervene.

For NIS2 compliance: An essential entity that is compliant within its own perimeter may be critically exposed through cascade dependencies it cannot see or control. Article 21's supply-chain security mandate exists precisely because of this topology - but most compliance tools cannot map it.

Layer Two

Monitoring Blind Spots

Authoritative registries of European infrastructure exist - dam registries, ENTSO-E's grid model, national asset inventories. None contain cybersecurity fields. They catalog physical attributes but carry no information about the vulnerability status, patch levels, or incident history of the control systems operating these assets.

The NIS2 registration process captures IP ranges and Points of Contact - a significant step forward. But it captures a snapshot, not a continuous feed. An entity compliant at registration may drift into non-compliance within weeks. The portal cannot detect this drift.

The silence gap: When a monitoring system reports no incidents, institutions read this as safety. But when the system lacks instrumentation to detect certain incident categories, the absence of reports means blindness - not security. Under NIS2, an entity that cannot distinguish between a secure supplier and an unmonitored supplier is not in compliance, regardless of what its questionnaires indicate.

Layer Three

Software Template Monoculture

European critical infrastructure is not built from scratch. It is delivered using reused templates and reference architectures from external vendors, adapted across multiple clients and sectors. This is rational engineering: templates reduce cost and accelerate delivery. But a vulnerability in one deployment's template is likely present across every deployment derived from the same architecture.

The current compliance framework has no mechanism to detect this correlation across entities. When a vulnerability is discovered at one facility, the question is not whether other deployments using the same reference architecture are affected - the question is how many share the same configuration. No one is mapping this.

AI amplification: AI-assisted code generation and configuration tools naturally converge on common patterns, reinforcing template uniformity rather than introducing architectural diversity. The monoculture is accelerating.

The Three Layers Interact

Layer One defines which assets are connected such that compromise of one propagates to others. Layer Two defines which assets lack the instrumentation to detect compromise. Layer Three defines which assets share architectural patterns such that a single exploit methodology can be reused across multiple targets.

The compound scenario: an adversary identifies a template vulnerability in a reference architecture (Layer Three), targets a cascade-connected asset that lacks cybersecurity monitoring (Layer Two), and achieves effects that propagate through the physical topology (Layer One). At no point does the adversary need unusual sophistication. The infrastructure provides the attack path.

Confirmed threat activity: The ENISA Threat Landscape 2024 documented persistent state-sponsored operations targeting European critical infrastructure. The joint advisory published by Five Eyes agencies in February 2024 confirmed pre-positioning in water and energy operational technology networks - actors maintaining access for months before detection. This is not theoretical. The detection gap is documented, and it is the reason NIS2 exists.

What This Means for Compliance

Current compliance tools cannot address the structural dimension of European infrastructure risk. They assess entities in isolation, capture snapshots instead of continuous state, produce evidence that cannot be cryptographically verified, and cannot distinguish silence from security.

This analysis is not a theoretical exercise. It is the problem statement that drives the architecture of ClaimSeal. The risks it describes are documented in public EU agency reports, confirmed by ENISA, and visible in every cross-border energy interconnection map. Northern Italy's dense industrial corridor - with its concentration of NIS2 essential entities, its cascade-connected infrastructure, and its exposure to shared reference architectures across the sector - is both the proving ground and the first commercial market.


About

Paarker SRL

A Startup Innovativa in Milan, building automated compliance evidence for European essential entities.

Startup Innovativa

Paarker SRL is registered in the special section of the Italian Business Register as a Startup Innovativa, under the provisions of Decree-Law 179/2012 and subsequent amendments by Law 193/2024. We are the sole owner and author of ClaimSeal v0.1, registered with SIAE via the Mod350 procedure.

We are pre-revenue, fully capitalized through the founder, and actively engaged with the European institutional grant ecosystem - including the European Cybersecurity Competence Centre (ECCC) cascade funding mechanisms and regional Lombardy innovation programmes.

Legal Form: SRL (Startup Innovativa)
REA: MI-2783145
VAT: IT14435230967
ATECO: 629009
Registered Office: Via Bruno Buozzi 3, Paderno Dugnano, Milan

Chad Boulanger

Sole Director (Amministratore Unico) and CEO. Two decades of enterprise technology leadership across startups, acquisitions, and hyperscalers. Based in Milan.

2022-2025: Principal, Amazon Web Services (WW Manufacturing & EMEA Financial Services)
2018-2019: VP EMEA, ScopeAR (enterprise augmented reality)
2016-2018: MD EMEA, Foghorn Systems (edge AI/IoT, acquired by Johnson Controls)
2016-2020: Board of Advisors, Intel (enterprise technology strategy)

Education: Thunderbird School of Global Management (International Business).

Military service: US Army, Airborne Cavalry Scout (1st Battalion, 509th Infantry Airborne), 1990-1993.

Northern Italy, Then Europe

We target mid-to-large essential entities in the Northern Italian industrial corridor - Lombardy, Veneto, Emilia-Romagna - where NIS2 compliance pressure is highest and existing tools are weakest. Because NIS2 is a harmonised EU directive, product-market fit in Italy serves as the springboard for expansion into Germany, France, and the Benelux region.

Contact

Get in Touch

We are building ClaimSeal for the NIS2 compliance challenge. If you are an essential entity preparing for October 2026, we would like to hear from you.

PEC (Certified Email)

paarker@sicurezzapostale.it

Registered Office

Via Bruno Buozzi 3
Paderno Dugnano, 20037
Milan, Italy

Company Details

VAT IT14435230967
REA MI-2783145
Startup Innovativa