Copyright © 2025-2026 NoFuss Consulting DOOEL - All rights reserved.

Manage compliance

Compliance should prove good practice, not replace it. We can help you meet regulatory or customer requirements by building on what works.

Compliance, audit, and certification are related but distinct. Compliance means fulfilling requirements, while audit and certification deal with independent verification and recognition. Specializing in security and risk management systems, NoFuss Consulting focuses on implementation and operation, not auditing or certification.

What we cover

Requirements generally come from two sources: legislation that applies based on where you operate or what sector you’re in, and industry standards you choose to adopt — often to satisfy customer expectations or demonstrate maturity to the market. The underlying work is similar: understand the requirements, assess your gaps, implement controls, and maintain evidence. The difference is who’s asking and what happens if you fall short.

Legislation

In Europe, legislative requirements are often driven by the EU, with EEA and candidate countries usually adopting compatible laws. Within the EU there are several types of legislation, of which regulations and directives are most relevant. Non-compliance typically carries penalties, and in some cases personal liability.

Types of EU legislation ↗

NIS2 Directive

The NIS2 Directive expands EU cybersecurity requirements to essential and important entities across 18 sectors including energy, transport, health, digital infrastructure, and ICT service providers. It mandates risk management measures, incident reporting, supply chain security, and management accountability.

We can help with scoping and applicability assessment (helping you determine if and how NIS2 applies to your organization), gap analysis against requirements, risk management framework implementation, policy development, supply chain security processes, and management briefings on accountability obligations. ISO 27001 provides a strong foundation — we can help you build on it.

We don’t provide formal legal opinions, entity classification determinations, or legal representation with regulatory authorities. With support from trusted partners, we can help you navigate jurisdictional requirements where legal clarity is needed.

GDPR

The General Data Protection Regulation governs how organizations process personal data of individuals in the EU. It applies regardless of where your organization is based if you offer goods or services to people in the EU or monitor their behavior.

We can help with security-related requirements covered in Article 32 (security of processing) and Article 25 (data protection by design and default). This includes implementing technical and organizational measures, building secure processes that respect data minimization and retention principles, and ensuring your ISMS addresses data protection risks. We can also support breach response procedures and gap assessments where security and privacy requirements overlap.

We don’t offer DPO services, data subject rights processes (access requests, erasure, portability), data protection impact assessments, legal interpretation of processing lawfulness, or representation with supervisory authorities. These require privacy expertise positioned as an independent function.

CRA

The Cyber Resilience Act sets cybersecurity requirements for products with digital elements placed on the EU market — including software applications, mobile apps, and connected devices. It requires secure development practices, vulnerability handling processes, and security support throughout the product lifecycle.

If you develop software for the EU market, we can help you assess development practices against CRA requirements and build compliant processes: secure SDLC implementation, vulnerability management workflows, incident reporting procedures, and documentation practices. Our background in software development and security engineering makes this a natural fit.

We don’t handle CE marking, conformity assessments for critical products, or act as your authorized representative.

DORA

The Digital Operational Resilience Act applies to financial entities in the EU — banks, insurers, investment firms, payment providers — and their critical ICT service providers. It mandates ICT risk management frameworks, incident reporting, resilience testing, and third-party risk oversight.

We can help with ICT risk management framework development, gap assessments against DORA requirements, policy development, and third-party risk processes. If you already have ISO 27001, we can help map your existing controls to DORA requirements and close gaps. With support from trusted partners, we can also help you assess whether DORA applies to your organization and in what capacity.

Penetration testing, audits, and ongoing legal consulting or regulatory filings are outside our scope. Independent verification should be sourced separately from implementation support.

Standards

Standards provide structured approaches to security tested across industries. Some are certifiable by accredited bodies; others serve as control catalogues for benchmarking or mapping. Adopting a recognized standard often satisfies multiple compliance needs at once.

ISO/IEC 27001

The international standard for Information Security Management Systems (ISMS). Certification demonstrates that your organization manages information security through a structured, risk-based approach. Widely recognized, often required by enterprise customers, and serves as a foundation for meeting multiple regulatory requirements.

We offer full implementation support — from initial gap analysis through certification. We help you build an ISMS that works for your organization: scope definition, risk assessment, control selection, policy development, internal audits, and management reviews. Our goal is a system your team can operate independently.

Certification audits are performed by independent and accredited certification bodies.

PCI DSS, 3DS & SSF

The Payment Card Industry Data Security Standard (PCI DSS) applies to organizations that store, process, or transmit payment card data. The PCI 3-D Secure (3DS) Core Security Standard covers the components that perform 3DS authentication. The Software Security Framework (SSF), comprising the Secure Software Standard and the Secure Software Lifecycle Standard, applies to payment software vendors. All three are required by the card brands and enforced through acquiring banks and brand compliance programs. SSF is increasingly relevant for software companies whose products touch payment data.

We offer implementation and management support across all three: gap analysis, policy development, control design and implementation, and support during formal assessments. Our software engineering background makes SSF work a natural fit.

Formal assessments require a Qualified Security Assessor (QSA), PCI 3DS Assessor, or SSF Assessor depending on the standard.

SOC 2

System and Organization Controls (SOC) 2 reports demonstrate that a service organization has controls in place to protect customer data. They are based on the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) and are increasingly requested by US enterprise customers and investors evaluating SaaS providers.

If you are a European organization targeting the US market, we can help with readiness assessments, control design and implementation, policy development, and evidence preparation. If you already have ISO 27001, we can help you leverage existing controls and fill gaps specific to SOC 2 criteria.

The SOC 2 examination itself must be performed by a licensed CPA firm.

CSA STAR

The Cloud Security Alliance STAR (Security, Trust, Assurance, and Risk) program provides assurance for cloud service providers. It ranges from self-assessment to third-party certification, built on the Cloud Controls Matrix (CCM). Increasingly requested by enterprise customers evaluating cloud and SaaS vendors, particularly those with mature security requirements.

We can help with gap assessments against CCM controls and preparation for STAR self-assessment or certification. If you already have ISO 27001, we can help you leverage existing controls and fill gaps specific to CCM.

STAR certification audits are performed by CSA-authorized certification bodies, and technical cloud implementation work is outside our scope.

How we deliver compliance

Compliance isn’t a milestone, but an ongoing state of meeting requirements. The work doesn’t end when you pass an audit; it continues as long as the requirements apply to you. That said, when organizations seek help with compliance, they typically need one of three things: someone to own a domain and keep them compliant over time, someone to build a compliant system they can operate, or an expert to consult on specific questions. These map directly to how we deliver our services:

Leadership retainers

Ownership of domain-specific compliance issues is included in our leadership retainer services.

See pricing →

Implementation projects

Our projects take your current state as input and deliver management systems that ensure sustainable compliance.

See pricing →

Review & Advice

Whether you need a light advisory project, fixed-price deliverable, or on-demand consultancy, support is available as needed.

See pricing →

About us and our take on compliance

NoFuss Consulting is an independent consultancy specializing in risk and security governance. We help organizations build and operate management systems appropriate to their needs, enabling due diligence through transparency and clarity.

We intentionally don’t position compliance as an independent service category. Compliance should be an outcome — what happens when security and risk are addressed appropriately — not a destination in itself.

Standards and legislation play a valuable role. They set baselines, create accountability, and often provide the external pressure that drives action when governance is lacking. But your true goal should be understanding what’s worth protecting, what could go wrong, and what’s proportionate. When that’s clear, meeting requirements becomes straightforward. When it’s not, you end up maintaining compliance artifacts that don’t reflect how you actually operate.

Credentials

PECB ISO/IEC 27001 Senior Lead Implementer

ISACA Certified Information Security Manager (CISM)

ISACA Certified in Risk and Information Systems Control (CRISC)

Supported by our network

We work with a small network of trusted specialists who live up to our standards and complement our services. These include lawyers focusing on EU privacy and data protection law, as well as IT architects, penetration testers and security engineers experienced in cloud and application security, who can be contracted on demand.