Service · Governance, Risk & Compliance
From regulation to evidence — without the compliance theatre.
NIS2, DORA and the AI EU Act don’t need another slide deck. They need ownership, controls and the kind of evidence that survives an audit on a Tuesday morning. That’s the work we do.
Why now
Compliance has stopped being a project. It’s now a way of operating.
We help you move from policy-on-paper to controls-in-motion — with ownership the board understands and evidence the auditor accepts.
- NIS2 is in force — and your management body is now personally accountable.
- DORA reporting expects evidence on a clock, not a quarterly cycle.
- AI EU Act risk classifications are landing on systems no one inventoried.
- Policies exist on SharePoint; controls don’t exist in the operating model.
- Auditors keep asking the same questions — every year, from scratch.
Frameworks we operationalise
Regulations don’t deliver outcomes. Operating models do.
Cybersecurity governance, made accountable.
- Scoping, supply-chain risk, incident reporting workflow
- Management body briefing & accountability mapping
- Control mapping to ISO 27001 / CIS to avoid double work
ICT risk for financial entities — operationalised.
- ICT risk framework, third-party register & exit strategies
- Incident classification & reporting on regulator-grade timelines
- Resilience testing aligned with business services
Risk-classify your AI before someone else does.
- Inventory of AI systems (incl. shadow AI & embedded vendor AI)
- Risk classification, transparency & human-oversight controls
- Bridge to AI strategy & model lifecycle governance
One control set. Many regulations.
- A single control library mapped to NIS2, DORA, AI Act & sector rules
- Evidence captured once, reused everywhere
- Control ownership wired into ITSM & change processes
Our approach
Four moves. From regulation to evidence-on-demand.
Where you really stand.
- Gap assessment against NIS2, DORA and/or AI EU Act
- Control inventory — what exists, what works, what’s evidence-only
- Risk register sanity-check against the actual threat landscape
One operating model, many regulations.
- Unified control framework mapped across regulations
- Roles, RACI & accountability up to the management body
- Policy architecture pruned to what people will actually use
Controls that live in the process.
- Embed controls in ITSM, change, vendor & access workflows
- Incident & reporting processes wired for regulator timelines
- Continuous evidence capture — not a yearly fire drill
Evidence on demand.
- GRC tooling tuned (or rationalised) around your operating model
- Audit-readiness reviews & management body reporting
- Continuous improvement on real signals, not survey scores
What you get
Compliance that holds up — in the boardroom and the audit room.
Audit-ready
Evidence captured continuously, not reconstructed yearly
Accountable
Ownership mapped from control owner to management body
Unified
One control set across NIS2, DORA, AI Act & ISO 27001
Operational
Controls embedded in ITSM, change & vendor workflows
Client story
Two decades of governance, in one engagement.
We’ve led NIS2, DORA and ISO programs inside Belgian financial, public and utility organisations — as interim CISO, program lead and management consultant. Reference cases on request, under NDA.
See our cases
“Independent, senior, and unwilling to confuse a policy with a control.” That’s the bar we hold ourselves to on every GRC mandate.
Related capabilities
GRC sits across security, risk, vendors and change — we connect them.
A 60-minute NIS2 / DORA / AI Act readiness check. No theatre.
We sit with you and your team, pressure-test where you are against the regulation that matters most, and leave you with one honest next step.
Book the readiness check