Domain controls you can prove — for every client you manage
If you manage domains for clients — or your organisation has NIS2-related assurance obligations — the question has changed. It is no longer only "is the configuration right?" but "can we show it was right, continuously, when someone asks?"
Merula watches the public domain layer — DNS, certificates, email authentication, transport security and web-facing configuration — keeps the history, and turns it into evidence: referenced against recognised frameworks, exportable, and readable by people who weren't in the room when the records were set.
Merula is in development and launches after summer 2026.
The regulatory picture, without the alarm
NIS2 — Directive (EU) 2022/2555 — is the EU's common framework for the cybersecurity of essential and important entities. It applies across the Union, transposed into each member state's own law, with national competent authorities and national registration and incident-reporting processes. Whether you fall in scope, who you answer to and how you register are national questions — your member state's competent authority publishes the criteria.
What is consistent everywhere is the shape of the obligation. It is not a one-off project with an end date: covered organisations operate continuous risk-management measures, report significant incidents, and must be able to demonstrate both. Several of those measures can be supported by evidence from the public domain layer — supply-chain security, network and information-system security, and the assessment of how effective the measures actually are: the DNS, email-authentication and transport-security configuration the outside world can see.
- One framework, Union-wide: Directive (EU) 2022/2555 sets common security and reporting requirements for essential and important entities in every member state. The categories and the duties are shared; the implementing detail is national.
- Transposed into national law: each member state names its own competent authority and sets its registration process and reporting timelines in the law that transposes the directive. The EU-wide transposition deadline was 17 October 2024; how far your country has gone, and exactly what it asks of you, is the first thing worth settling — your national competent authority publishes the criteria.
- Continuous duties: risk-management measures, incident reporting, and the ability to demonstrate both — consistent across the Union. This is where monitoring with history earns its keep.
Merula is technical monitoring, not legal advice — it supports the demonstration of domain-layer controls; it does not determine your scope or make you compliant. Your legal counsel and national supervisory authority own those questions.
Evidence on demand
Every check Merula runs is referenced against the frameworks assessors actually cite, and the current posture can be exported from the product in a form an audit binder accepts:
- A CSV of every verified domain's current posture, referenced per framework — ISO/IEC 27001 Annex A, CIS Controls v8, NIST CSF 2.0, NIST SP 800-53 and SP 800-177, ENISA guidance — with timestamps, on every paid plan. These are technical relevance references, not certifications.
- Recurring email reports of posture and changes, addressed to the people who need the record — including the client's own stakeholders.
- Every change is logged with the previous value, the new value and when it moved. Accepted baselines document the expected configuration — the difference between "it's configured" and "we decided it should be configured this way".
- How each check relates to NIS2 Article 21 is published on the trust pages — the same mapping the product shows, so what you cite is what anyone can verify.
Merula's findings are technical supporting evidence — aligned with and referenced against recognised frameworks, structured for auditors, procurement teams and internal reviews.
Supply-chain security, one layer made visible
NIS2's risk-management measures include the security of supply chains — and for a managed service provider, you are the supply chain. The domain configuration you operate for clients is part of their security posture, and increasingly part of what they must account for.
Merula makes that accountable without ceremony: each client's domains are continuously checked, every drift is recorded with its before-and-after, and the "Managed by" attribution in the client's own dashboard keeps the relationship transparent rather than implicit.
And where a client's posture can be stronger, Merula shows the way without guesswork: email authentication and transport security harden in stages — DMARC from monitoring to reject, MTA-STS from reporting to enforce — and each client's own aggregate reports confirm a step is safe before the next one, so you can raise a whole portfolio deliberately rather than all at once.
Responsibility for a domain's public configuration is increasingly split across suppliers — a registrar here, a DNS host there, a mail provider somewhere else. Merula keeps these externally observable signals visible across every customer domain without needing access to anyone's internal systems, so a change in one supplier's corner doesn't pass unnoticed.
The staged approach is backed by recognised national guidance: the UK's National Cyber Security Centre recommends moving a domain towards an enforced DMARC policy in steps, confirming each one with the reports before taking the next. That is the deliberate, portfolio-wide hardening Merula is built to support — raising a whole estate carefully rather than all at once.
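As an added illustration of that staged approach (example code, not part of Merula or of the NCSC guidance): a small Python check that reads a DMARC aggregate report in the RFC 7489 XML layout, measures the share of messages that passed with alignment, and says whether the published policy can safely step from none to quarantine to reject. The 98% threshold, the report contents and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; not a real report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>940</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>50</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.5</source_ip><count>10</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hardening ladder the page describes: monitoring -> quarantine -> reject.
STAGES = ["none", "quarantine", "reject"]

def summarise(xml_text):
    """Return (published policy, total messages, aligned-pass count, failing sources)."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p")
    total = passed = 0
    failing = {}
    for row in root.iterfind("record/row"):
        n = int(row.findtext("count"))
        total += n
        # policy_evaluated carries the *aligned* DKIM/SPF results; either passing means DMARC pass.
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        if "pass" in results:
            passed += n
        else:
            ip = row.findtext("source_ip")
            failing[ip] = failing.get(ip, 0) + n  # sources to investigate before stepping up
    return policy, total, passed, failing

def next_step(xml_text, threshold=0.98):
    """Decide whether the published p= value can move one rung up the ladder (threshold is assumed)."""
    policy, total, passed, failing = summarise(xml_text)
    rate = passed / total if total else 0.0
    if policy == "reject":
        return "reject", rate, failing, "already at p=reject: keep monitoring the reports"
    nxt = STAGES[STAGES.index(policy) + 1]  # raises ValueError on an unexpected policy value
    if rate >= threshold:
        return nxt, rate, failing, f"{rate:.1%} aligned: safe to move p={policy} -> p={nxt}"
    return policy, rate, failing, f"{rate:.1%} aligned: hold at p={policy}, fix failing sources first"

if __name__ == "__main__":
    print(next_step(SAMPLE_REPORT)[3])
```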
Further reading: NCSC: Email security and anti-spoofing
Built for managing many
The partner layer is deliberately light — the parts an MSP actually uses, without a portal to administer:
- One partner account managing separate client accounts, each with its own domains, members and history.
- Consolidated billing — one subscription, per-domain metering, no per-client invoices to chase.
- Client-visible transparency: managed accounts show who manages them, and clients can be given their own sign-in to the same calm view.
- Alerts routed where each team already works — email, Slack, Microsoft Teams or signed webhooks into your own systems, scoped per client so the right signal reaches the right account.
- Partner pricing for agencies, MSPs and service providers managing domains on behalf of clients — through the partner programme.