One assessment. Two regulations. Your AI agents covered.
NIS2 is law in Germany since December 2025. Austria follows on 1 October 2026 with NISG 2026. The AI Act's transparency duties start in August 2026, high-risk obligations in December 2027. I assess your agent architecture once and map every finding to both regulations: threat model, compliance mapping, remediation roadmap. Independent. No tool to sell.
Book a free 30-min Idea Call →The EU gave you runway on high-risk AI. NIS2 did not.
The Digital Omnibus moved the AI Act's high-risk obligations to 2 December 2027. That is not a reprieve. Transparency duties under Article 50 apply from 2 August 2026, and GPAI enforcement starts the same month. Meanwhile NIS2 already applies in Germany, with registration deadlines passed, and Austria's NISG 2026 takes effect on 1 October 2026: registration by 31 December 2026, audits from April 2027.
Your AI agents sit in the middle of both. They hold credentials, call tools and touch the systems NIS2 calls critical. Both regulations demand risk management, incident reporting and documentation for exactly this kind of system. An assessment that covers only one of them means paying twice.
What you walk away with.
Not a slide deck full of paragraphs from the regulation. Five artefacts your auditors, your engineers and your board can act on.
EU AI Act and NIS2 Compliance Mapping
Every finding mapped to the concrete articles that apply to you: risk management, reporting duties, documentation, under the AI Act and NIS2 (NISG 2026 in Austria, BSIG in Germany).
Threat Model of Your Agent Architecture
Scenario-driven attack trees across agents, tools, memory and orchestration, built with the OWASP Top 10 for Agentic Applications, MITRE ATLAS and CSA MAESTRO.
Report with Remediation Roadmap
Prioritized fixes scored by effort and impact, sequenced against your regulatory deadlines: what must be done before October 2026 and what can wait until 2027.
Audit Evidence Pack and Executive Read-out
A live walkthrough for your leadership plus documentation you can hand to an auditor or a customer security questionnaire as proof of due diligence.
Optional Continuous Retainer
Re-assessment as you ship new agents, compliance monitoring as the rules evolve, and an updated threat model on record. EUR 1,500 to 3,000 per month.
Agentic AI Security Assessment
Priced by the complexity of your agent architecture. Includes discovery, threat modeling, EU AI Act and NIS2 mapping, the written report with remediation roadmap, and the executive read-out. Optional continuous retainer from €1,500 to €3,000 per month.
Book a free Idea Call to scope itFrom architecture to audit-ready in three stages.
A focused engagement, typically 2 to 4 weeks from kick-off to executive read-out.
Discovery and Classification
We map your agents, tools, data flows and orchestration, and classify each system under the AI Act risk tiers and your NIS2 entity status.
Threat Modeling
Scenario-driven attack trees surface the real attack paths and map them to OWASP Agentic, MITRE ATLAS and MAESTRO.
Mapping and Roadmap
Every finding mapped to the AI Act and NIS2, then turned into a remediation roadmap sequenced against your deadlines.
I build multi-agent systems. And I take them apart.
The assessment comes from the builder's side, not from an audit checklist. This is work I show on stage and run in production.
Your Agent Is Your New Layer 8
Why autonomous agents behave like a new human layer in your organisation: with all the security consequences that brings.
Securing Agent Identity
How agents get their own identities, scoped permissions and auditable access instead of shared API keys.
A multi-agent crew, built on stage
A multi-agent film crew shown live: specialised agents planning, producing and reviewing against real constraints.
Multi-agent deep dives
Technical deep dives on hybrid multi-agent architecture and platform engineering for enterprise teams, plus hands-on Amazon Bedrock AgentCore workshops.
Up to 100% AWS funded.
As an AWS Community Hero, I navigate the funding process with you, from application to approval. Eligibility is assessed in the first 30 minutes, not added as an afterthought at the end.
PoC Funding
Covers prototype development. Deliverables engineered to meet funding requirements.
Migration Funding
For larger cloud transformation projects. Multi-phase plan structuring and end-to-end application support.
Answers, in writing.
Has the EU AI Act's August 2026 high-risk deadline been delayed?
Yes. The Digital Omnibus moved Annex III high-risk obligations to 2 December 2027 and product-embedded AI to August 2028. Transparency duties under Article 50 still apply from 2 August 2026, and enforcement of the GPAI obligations starts the same month.
Does NIS2 apply to our AI agents?
If your organisation is an essential or important entity under NIS2, your AI agents are part of the ICT risk you are obliged to manage. In Germany the law is in force since December 2025. In Austria NISG 2026 takes effect on 1 October 2026, with registration due by 31 December 2026.
Is my AI agent a high-risk system under the AI Act?
It depends on what the agent does, not on the model behind it. Agents involved in hiring, credit, essential services or safety components typically land in Annex III. The assessment includes this classification, documented and defensible.
What does an AI agent security assessment cost?
EUR 12,000 to 18,000 fixed, depending on the complexity of the architecture. The continuous retainer runs EUR 1,500 to 3,000 per month. Both prices are on this page on purpose: comparable engagements are quoted at USD 35,000 and up.
We already did a penetration test. Why a threat model?
A pentest finds implementation bugs in what you built. A threat model finds design flaws in what you are about to build, including attack paths a pentest never executes: goal hijacking, memory poisoning, tool misuse across agents.

Linda Mohamed
An independent practice for organisations that want their AI agents assessed by the person who builds them. AWS Community Hero, speaker at AWS Community Days in Istanbul and Athens 2026, and builder of production multi-agent systems on Amazon Bedrock, CrewAI and LangGraph. Based in Vienna, Austria. Remote or on-site, English or German.
Book a free 30-min Idea Call →Begin with a 30-minute Idea Call.
Before the assessment, we have a short conversation to confirm fit. No commitment. No slides. The same opening conversation that precedes every paid engagement.
- Confirm the scope of your agent architecture
- Check where the EU AI Act and NIS2 apply to you
- Decide whether the one-time assessment or the retainer fits best
- Get the intake brief and a calendar slot
Typically respond within one business day. Vienna, Austria · serving clients across the EU · [email protected]