
Compliance & Audit

Regulation as a checklist. Not a nightmare.

GDPR, NIS2, ISO 27001, DORA — we help organizations meet regulatory requirements. Systematically, measurably and sustainably.

  • Gap analysis: 2–4 weeks
  • ISO 27001 certification: 6–12 months
  • NIS2 readiness: 3–6 months
  • Audit findings after implementation: 0 critical

Regulatory landscape 2025

Regulation is tightening. Organizations that ignore it risk fines and loss of customers:

  • GDPR — Personal data, data subject rights, breach notification. Fines up to 4% of turnover.
  • NIS2 — Cybersecurity for essential and important entities. In force since October 2024.
  • DORA — Digital operational resilience for the financial sector. In force since January 2025.
  • ISO 27001 — International standard for ISMS. De facto requirement for B2B.
  • EU AI Act — Regulation of AI systems. Graduated rollout 2024–2027.

NIS2 — Network and Information Security Directive

Who is affected

NIS2 significantly expands scope compared to NIS1:

Essential entities: Energy, transport, banking, healthcare, digital infrastructure, ICT service management, public administration, space.

Important entities: Postal services, waste management, chemicals, food, manufacturing, digital services, research.

Threshold: Medium-sized and large enterprises (50+ employees or 10M+ EUR turnover).

Key requirements

  1. Risk management — Identification, analysis and mitigation of cyber risks
  2. Incident handling — Detection, response, reporting (24h early warning, 72h full notification)
  3. Business continuity — Backup management, disaster recovery, crisis management
  4. Supply chain security — Supplier risk assessment, contractual requirements
  5. Vulnerability management — Patch management, responsible disclosure
  6. Cryptography — Encryption of data in transit and at rest
  7. Human resources — Security awareness, training, background checks
  8. Access control — Authentication, authorization, MFA

Our NIS2 services

  • Gap analysis — Where you are today vs. where you need to be. Prioritized roadmap.
  • Implementation — Policies, procedures, technical measures. Hands-on.
  • Supply chain assessment — Supplier evaluation, contractual framework.
  • Incident reporting — Processes for 24/72h reporting obligations.
  • Board training — Leadership is responsible for compliance. They must understand the basics.

ISO 27001

What is an ISMS

Information Security Management System — a systematic approach to managing information security. Not a one-off project, but a living system with continuous improvement (PDCA cycle).

Implementation roadmap

Phase 1: Scoping & Gap Analysis (Month 1–2)
  • ISMS scope definition
  • Gap analysis against ISO 27001:2022
  • Risk assessment methodology
  • Management buy-in and resource allocation

Phase 2: Risk Assessment & Treatment (Month 2–4)
  • Asset inventory
  • Threat & vulnerability assessment
  • Risk evaluation and treatment plan
  • Statement of Applicability (SoA)

Phase 3: Policies & Procedures (Month 3–6)
  • Information Security Policy
  • Access Control Policy
  • Incident Management Procedure
  • Business Continuity Plan
  • 15–20 additional documents (tailored to the organization)

Phase 4: Implementation & Awareness (Month 4–8)
  • Technical controls (encryption, logging, access management)
  • Security awareness training for all employees
  • Supplier security assessment

Phase 5: Internal Audit & Certification (Month 8–12)
  • Internal ISMS audit
  • Management review
  • Corrective actions
  • Stage 1 audit (documentation)
  • Stage 2 audit (implementation)
  • Certification

Pragmatic approach

We don’t write documents just to have them. Every policy must be:
  • Understandable — read by a person, not an auditor
  • Practical — describes what people actually do
  • Maintainable — updating it is not a month-long project
  • Measurable — KPIs for each policy

DORA — Digital Operational Resilience Act

Who it applies to

Financial institutions: banks, insurance companies, investment firms, payment institutions, crypto-asset service providers. And their critical ICT providers.

Key pillars

  1. ICT Risk Management — Framework for identification, protection, detection, response and recovery
  2. ICT Incident Reporting — Classification and reporting of incidents to regulators
  3. Digital Operational Resilience Testing — TLPT (Threat-Led Penetration Testing) for systemically important entities
  4. ICT Third-Party Risk — Management of ICT supplier risks, exit strategies
  5. Information Sharing — Sharing threat intelligence between financial institutions

Our DORA services

  • Gap analysis against DORA requirements
  • ICT Risk Management framework implementation
  • TLPT (Threat-Led Penetration Testing) — red team exercises
  • Third-party risk assessment and vendor management
  • Incident classification and reporting processes

GDPR — Operational Implementation

Data Mapping

Where personal data originates, how it flows, where it is stored, who has access, how long it is retained, how it is deleted. Automated data discovery for large organizations.

DPIA (Data Protection Impact Assessment)

Required for high-risk processing (profiling, large-scale monitoring, sensitive data). Risk identification, necessity & proportionality assessment, mitigating measures.

Technical measures

  • Pseudonymization — Separation of identifiers from data
  • Encryption — At rest (AES-256) and in transit (TLS 1.3)
  • Access control — RBAC, audit logging, need-to-know principle
  • Data retention — Automatic expiration policies
  • Right to erasure — Technical capability to delete all data subject data across systems

Breach Notification

Process for GDPR Article 33/34:
  1. Breach detection → assessment (72h limit for notifying the supervisory authority)
  2. Severity assessment — is the breach a risk for data subjects?
  3. Regulator notification — what happened, scope, measures taken
  4. Subject notification — if high risk

Technology and tools

OneTrust, Vanta, Drata (compliance automation), Jira/Confluence (policy management), Azure Compliance Manager, AWS Audit Manager, custom GRC dashboards, training platforms (KnowBe4).

Frequently asked questions

If you work with sensitive data, have enterprise customers or operate in a regulated sector — most likely yes. ISO 27001 is the de facto standard that customers and partners require.

Gap analysis: from 200K CZK. ISMS implementation for ISO 27001: 500K–1.5M CZK. NIS2 readiness: 300K–800K CZK. Depends on the size of the organization and its current state.
