First Monday of July. Half-year. The customer-portfolio H1 2025 has been operationally demanding through Q2 (the UK-retail-sector wave, the continuing post-DORA operational regime, the ongoing post-Treasury-BeyondTrust state-actor activity context) but has remained steady on the customer-organisation operational picture. No customer-organisation incidents requiring ICO or comparable supervisory authority notification through H1.
The portfolio. Six vCISO clients carrying through. Eighteen SOC customers, no churn through H1. Twenty-six EmilyAI commercial customers (added two through H1, no churn). The team is at forty-two at mid-year (one hire in Q1, no other changes). H1 revenue is at approximately 104% of plan. The financial position is healthy.
The post-NIS2 first-year operational picture. The transposition has, across EU member states, produced variable enforcement-development pace. The supervisory-authority engagement has been substantive in the jurisdictions where the customer-portfolio organisations operate. The customer-organisation programme work has been operationally absorbed without acute pressure. The first formal NIS2-derived enforcement decisions are expected through H2 and into 2026; the customer-portfolio organisations are in attestable position against any such decisions.
The post-DORA first-half operational picture. The financial-services customer-organisation has been operationally settled into the DORA-required operational regime. The TLPT cycle and the various operational-resilience-testing requirements have been incorporated into the customer-organisation programme work. The supervisory-authority engagement under DORA has been substantive but operationally manageable.
The strategic conversations. The institutional-capital decision settled in 2024 has held — no further conversations have been pursued through H1 2025, the bootstrapped position continues to be operationally appropriate, the company's strategic-decision-making freedom remains intact. The product-roadmap continues to execute on the EmilyAI v3.4 release in Q2 (which shipped on time with substantive language-model-capability extensions and the multi-cloud detection-content support that customer organisations have been requesting); v3.5 is on track for Q4.
The book project. The regulatory-environment book is in active drafting through H1. The structure is settled; the post-NIS2-and-post-DORA material from this year provides current case-study material; the publication target remains 2026. The H2 drafting work will continue as the operational tempo allows.
The personal note. Twenty-three posts on the blog at mid-year, on track for a 45+ year-total. The blog discipline continues. The conferences this year have been Black Hat USA in August (planned), Infosec Europe in June (completed, with the post-M&S customer-engagement conversations being substantively elevated), BSides Manchester planned for October.
Onward to H2. The continuing UK-retail-sector aftermath. The continuing post-NIS2 enforcement-environment development. The continuing post-DORA operational regime. The continuing language-model-environment progression. The continuing supply-chain-and-state-actor activity. The work continues.