NIS2 in force, DORA applicable to the financial sector, customers demanding ISO 27001: cybersecurity governance, risk and compliance have become boardroom subjects. I run them, as dedicated engagements or built into your transformation programs.
A well-built governance foundation answers several frameworks at once. The point is not to stack compliances, but to build a system that withstands the audit and actually serves the business.
Scoping analysis, risk governance, security measures, incident notification, executive accountability. Compliance is run as a program, with milestones and board-level reporting.
ICT risk management, resilience testing, oversight of critical providers, major incident notification. Applicable to financial entities and their ICT service providers.
Gap analysis, management system build, control deployment, preparation and follow-up of certification and surveillance audits, corrective action plans on non-conformities.
Business continuity plans, cyber crisis exercises, operational resilience. Because the question is not whether an incident will occur, but whether you will come through it in good order.
Confirmed NIS2 scope, an ISO 27001 requirement in a tender, a DORA questionnaire from a principal: compliance has become a condition of market access, with a date attached.
The acquired or divested entity falls under NIS2 or DORA: compliance applies on Day 1, not six months later. The GRC workstream must be in the separation or integration plan from the scoping phase.
The report landed, the non-conformities are listed, and no one is driving remediation. A milestone-driven, tracked and documented corrective action plan is precisely an exercise in program direction.
In every case, the answer is the same: an honest diagnosis, a prioritized plan, managed execution.
Maturity assessment against the target framework, including targeted technical audits such as Microsoft 365 environments. Deliverable: a costed, prioritized view of the gaps.
Every action gets an owner, a deadline and an evidence criterion. The plan separates what actually protects from what merely ticks boxes.
Regular governance, action tracking, audit readiness for the teams, crisis exercises. Governance takes root in the organization, not in a binder.
Preparation and support through certification and surveillance audits, treatment of non-conformities, corrective action plans tracked to closure.
NIS2 covers essential and important entities across 18 sectors, based on size and revenue thresholds, plus certain designated entities regardless of size. The first step is a scoping analysis: determining whether you are covered, at what level, and what it concretely implies.
From 6 to 18 months depending on the starting maturity and the certified scope: gap analysis, ISMS build, control deployment, mock audit, then certification audit. A realistic, milestone-driven plan avoids the two classic pitfalls: the project that stalls and the paper certification.
NIS2 is a European directive imposing cybersecurity requirements on essential and important entities. DORA is a European regulation dedicated to the digital operational resilience of the financial sector. ISO 27001 is a certifiable international standard for information security management. They overlap substantially: a well-built common foundation answers all three without tripling the effort.
Because an M&A deal is the moment of maximum exposure: identities in motion, reorganized teams, interconnected systems. And if the acquired or divested entity is in NIS2 or DORA scope, compliance applies from Day 1. That is why GRC is a workstream built into my carve-out and integration programs.
One 30-minute call and you know where you stand, what comes first and under what conditions to move forward.
→ Book a qualification call. First call free, no commitment.