EU launch in cohorts · Q3 2026
EU MSP Operations Layer · Cohort launch

NIS2 hits 100,000 entities. Most EU MSPs have nothing to deliver it with.

Stella turns Microsoft 365 into your EU compliance service line. Same operations layer that runs CMMC L2 in the US, with jurisdiction-aware modules for NIS2, DORA, EU GDPR, the Cyber Resilience Act, and ISO 27001 shipping in cohorts through 2026–27. Built for 5–30 tenant EU MSPs running multi-language client portfolios.

EU module roadmap publishes monthly · M365 baseline ships today
100k+ NIS2-covered EU entities
24h NIS2 incident reporting window
5 EU framework modules planned
Q3 '26: first EU cohort
Honest scope. Stella delivers M365 control coverage and ~110 auto-remediations today — that's a strong technical foundation but it's not a NIS2 / DORA / CRA compliance product yet. The EU-specific framework modules (NIS2 incident pipeline, DORA third-party risk, CRA product-lifecycle, EU GDPR evidence packs, multi-language reports) are building now and shipping in cohorts. Joining the waitlist gets your shop into the first EU cohort and lets you influence which module ships first.
The EU MSP reality

EU compliance has the highest stakes — and the worst tooling — of any region.

Multi-jurisdiction, multi-regulator, 24-hour reporting windows, fines up to 2% of global revenue. Built by an MSP operator. The four problems no scanner solved.

NIS2 24-hour reporting window is impossible without continuous evidence

Our covered-sector clients have to notify the national authority within 24 hours of a significant incident. We're still digging through admin centers when the deadline hits. Nobody's continuous-evidence pipeline is shippable yet.

DORA compliance scares away fintech prospects

Every banking and insurance MSA we win now has DORA clauses. Without a third-party risk evidence pipeline we can't even pass the procurement step. The bigger MSPs eat the lunch.

Multi-jurisdiction is brutal: same client, three regulators

One client, GDPR + national transposition + sectoral rule + maybe NIS2 if they're CRO-marked. Each wants its own evidence pack. Today we maintain three separate spreadsheets per client.

Compliance is unbillable until we productise it — and EU MSPs have nothing

US MSPs at least have CMMC-as-a-Service products to copy. We'd love a NIS2-as-a-Service model. There's nothing on the EU shelf that delivers it for 5–30 tenant shops.

Modular EU compliance · jurisdiction-aware

One operations layer. EU framework modules that snap in like Lego.

Each EU framework is a self-contained module. The console + agent + reports stay the same; you load the modules your client base needs. UK and US frameworks are separate modules from the same library.

NIS2 · Q3 2026
NIS2 Directive (EU 2022/2555)
The big one. Replaces NIS1 with vastly expanded scope — 18 sectors, ~100,000 covered entities, mandatory incident reporting in 24h. Required transposition Oct 2024; enforcement ramping through 2026–27. The CMMC-equivalent for the EU.
DORA · Q4 2026
Digital Operational Resilience Act
EU financial services. Applies from January 17, 2025. Covers ICT risk management, incident reporting, third-party risk, resilience testing. MSPs serving fintech / banking / insurance need this.
EU GDPR · Q3 2026
EU General Data Protection Regulation
Universal scope across the EU. Stella maps M365 retention, sharing, DLP, and breach-detection settings to GDPR Articles 5/24/32. Distinct from UK GDPR despite shared origin.
CRA · 2027
EU Cyber Resilience Act
Products with digital elements. Enforcement from end-2027. Mandatory CE marking for cybersecurity, lifecycle vulnerability handling. MSPs supporting product companies will get pulled in.
ISO 27001 · Live (pilot)
ISO/IEC 27001
International standard, near-mandatory in EU enterprise procurement. Stella surfaces controls already covered by M365 settings; the rest stays policy work for your team.
eIDAS 2 · 2027+
eIDAS 2 + EU Digital Identity Wallet
EU's revised electronic identification framework. MSPs serving public-sector clients will need to integrate with EUDI Wallet; Stella's identity-control coverage will map across.
Module priority is set by waitlist signal. We ship in the order EU MSPs ask for. NIS2 + EU GDPR are first because every EU MSP has clients who need them. DORA follows for fintech-heavy MSPs. CRA + eIDAS 2 in 2027.
Your week, productised

Triage → Remediate → Comply → Report → Sell.

Same workflow as US and UK. EU framework modules slot into step 3 as they ship.

1. Triage
See what changed
Daily delta across EU client tenants. Drift events tagged to the framework that broke. NIS2 reportable changes flagged distinctly.
2. Remediate
Fix it in one click
M365 controls auto-remediated via Graph API, Exchange Online, and Intune — same engine as US/UK. Multi-language remediation UI.
3. Comply
Map to EU frameworks
EU GDPR + NIS2 mapping live in pilot Q3 2026; DORA + CRA Q4. Until then, M365 + ISO 27001 ship today; EU-specific evidence packs are roadmap.
4. Report
Ship branded PDFs
White-label, your branding. Cover letter, exec summary, technical appendix. Multi-language report templates planned for cohort 2.
5. Sell
Turn audits into renewals
Same evidence pipeline that wins NIS2 / DORA assessments becomes the recurring deliverable that locks the client in.
If you run Microsoft 365 — read this

Default Microsoft 365 isn't secure. Every tenant should run at least Base Hardening.

Microsoft's shared-responsibility model puts the configuration on you. M365, Entra ID, Intune, and Azure all ship with permissive defaults across 1,800+ settings — and Microsoft Secure Score tells you about a small slice of them. Whether you're an MSP, a single-tenant business, a non-profit, or a 5-person law firm: if your data lives in Microsoft's cloud, this is the security floor.

Same M365 defaults apply globally — and NIS2 / DORA enforcement starts at the configuration layer.

99.9% of compromised M365 accounts didn't have MFA enforced (Microsoft Identity Security Report)
1,800+ M365 settings affect security posture; Secure Score covers ~5% (Stella scan baseline, every tenant)
0 controls Microsoft auto-fixes by default — every config is on you (M365 shared-responsibility model)
$4.88M average cost of a data breach (2024) — most start with M365 misconfig (IBM Cost of a Data Breach 2024)
Self-check
If any of these is true for your tenant, Base Hardening is for you
MFA isn't enforced for every user (including service accounts and admins)
Legacy authentication protocols (POP3, IMAP, SMTP basic auth) are still allowed
External calendar / mailbox / SharePoint sharing defaults are still 'on'
Anonymous SharePoint or OneDrive sharing links can be created
You can't tell what changed in your tenant's configuration last week
Mailbox forwarding rules aren't monitored for exfiltration patterns
Your Conditional Access policies haven't been audited in 6+ months
Cyber insurance / vendor reviews ask M365 questions you can't answer fast
The cost math
A fraction of the $4.88M average breach cost

Base Hardening costs a fraction of the average breach — and the second tenant onward is cheaper still. Contact us for pricing. There is no realistic ROI calculation in which not running this comes out ahead.

What Base Hardening actually does
Continuous scan of 1,800+ M365 settings
Auto-remediates 40–60 core controls
Drift detection + auto-revert
Secure Score uplift dashboard
Monthly white-labeled report
Multi-tenant console
No credit card · Read-only Graph access · 30-min first scan
Plans

Land at Base Hardening. Upgrade when compliance bites.

Three tiers, one upgrade path. Run every tenant on Base Hardening — promote individual tenants to MSP or MSP Pro the day a regulated, defence, or government client signs. Contact us for pricing.

Base Hardening

Run on every M365 client tenant. Land here. Upgrade when compliance bites.

1,800+ M365 settings continuously visible
~40–60 core controls auto-remediated
Secure Score uplift dashboard
Drift detection + auto-revert
Multi-tenant MSP console
White-labeled monthly client report
Email + Slack support
Volume discounts available
MSP · Most popular

Upgrade the day a defence, government, or regulated client signs.

Everything in Base Hardening
~110 controls auto-remediated (CMMC L2 / NIST 800-171 full)
All 17 CMMC L2 domains mapped + tracked
Assessor-ready evidence packages on demand
Immutable audit logs (hash-chained)
Quarterly compliance posture reports (white-labeled)
NIS2 + DORA + GDPR Art. 32 + ISO 27001 mappings
Priority support — 4 business hours
MSP Pro · CMMC-as-a-Service

Flagship clients, audit-imminent tenants, concierge onboarding.

Everything in MSP
Concierge onboarding (4 hours included)
Advisory hours — 2 hours/month with the founder
Custom control mapping (sector-specific)
Pre-assessment dry-run with assessor-style scoring
Written assessor-ready explanations per control
Dedicated Slack · 1-business-hour SLA
White-label, custom domain, full API

Start every client on Base Hardening, then promote them to MSP or MSP Pro the day a defence / government / regulated client signs. Contact us for pricing details.

EU MSP cohort · pre-launch waitlist

Join to: (1) get the first EU module (NIS2) at launch pricing, (2) influence which framework ships next, (3) run a free M365 baseline today using the cross-jurisdictional control set.
