
Service · Governance, Risk & Compliance

From regulatory pressure to operating control.

NIS2, DORA and the EU AI Act don’t need another slide deck. They need ownership, controls and evidence that is available when management, auditors or regulators ask for it. That’s the work we do.

Compliance has stopped being a project. It’s now a way of operating.

We help you move from policy-on-paper to controls-in-motion, with ownership the board understands and evidence the auditor accepts.

  • NIS2 is in force, and management bodies must approve and oversee cyber-risk measures and can be held liable when they fail to.
  • DORA major-incident reporting runs on fixed deadlines measured in hours and days (initial notification, intermediate report, final report), not on a quarterly cycle.
  • EU AI Act risk classifications are landing on systems no one inventoried.
  • Policies exist on SharePoint; controls don’t exist in the operating model.
  • Auditors keep asking the same questions, every year, from scratch.

Regulations don’t deliver outcomes. Operating models do.

NIS2

Cybersecurity governance, made accountable.

  • Scoping, supply-chain risk, incident reporting workflow
  • Management body briefing & accountability mapping
  • Control mapping to ISO 27001 / CIS to avoid double work

DORA

ICT risk for financial entities, operationalized.

  • ICT risk framework, third-party register & exit strategies
  • Incident classification & reporting on regulator-grade timelines
  • Resilience testing aligned with business services

EU AI Act

Risk-classify your AI before someone else does.

  • Inventory of AI systems (incl. shadow AI & embedded vendor AI)
  • Risk classification, transparency & human-oversight controls
  • Bridge to AI strategy & model lifecycle governance

ISO 27001 / NIST CSF

One control set. Many regulations.

  • A single control library mapped to NIS2, DORA, AI Act & sector rules
  • Evidence captured once, reused everywhere
  • Control ownership wired into ITSM & change processes

Four moves. From regulation to evidence-on-demand.

01 · Diagnose

Where you really stand.

  • Gap assessment against NIS2, DORA and/or EU AI Act
  • Control inventory: what exists, what actually works, and what is evidence-only
  • Risk register sanity-check against the actual threat landscape

02 · Design

One operating model, many regulations.

  • Unified control framework mapped across regulations
  • Roles, RACI & accountability up to the management body
  • Policy architecture pruned to what people will use

03 · Operationalize

Controls that live in the process.

  • Embed controls in ITSM, change, vendor & access workflows
  • Incident & reporting processes wired for regulator timelines
  • Continuous evidence capture, not a yearly fire drill

04 · Run & assure

Evidence on demand.

  • GRC tooling tuned (or rationalized) around your operating model
  • Audit-readiness reviews & management body reporting
  • Continuous improvement on real signals, not survey scores

Compliance that holds up, in the boardroom and the audit room.

Audit-ready

Evidence captured continuously, not reconstructed yearly

Accountable

Ownership mapped from control owner to management body

Unified

One control set across NIS2, DORA, AI Act & ISO 27001

Operational

Controls embedded in ITSM, change & vendor workflows

GRC cuts across security, risk, vendors and change; we connect them.

Real engagements where governance, risk and compliance were turned into accountable operating models.

DORA compliance program

AMMA Verzekeringen

A delivery rhythm for a regulated compliance program.

AMMA had to reach DORA compliance against a hard regulatory deadline, without an internal program structure to carry the work. We set up the delivery machinery so the gap-analysis findings actually turned into shipped change.

What we did: Stood up the project structure around the DORA roadmap, ran the assessment, gap analysis and remediation plan, and coached the AMMA team through delivery and steerco governance.

Outcome: AMMA met its DORA obligations on time, with governance the board owns and evidence the auditor accepts.

A practical conversation about where you stand on NIS2, DORA or the AI Act.

We sit with you and your team, review where you are against the regulation that matters most, and leave you with one clear next step.

Talk to a GRC lead