For EU-licensed fintechs · EMI · PI · CASP

DORA audit-ready in 90 days — no full-time CISO.

Built across EU and UK fintech jurisdictions — under supervision of Lietuvos Bankas, Latvijas Banka, Central Bank of Cyprus, and the FCA. Your team reviews and approves — 2–4 hours per week.

  • 8+ EU fintech CISO engagements
  • 4 jurisdictions LT·LV·CY·UK
  • 90 days to audit-ready
Sound Familiar?

If this is you — we should talk

DORA does not require the job title “CISO” — it requires clear ownership of ICT risk, documented governance, management-body oversight, and evidence that controls operate. You don’t need a €200K executive. You need the capability.

You’re still building out your ICT risk framework — and DORA has applied since 17 January 2025.

Your team is 30–200 people. You can't justify a full-time CISO, but the regulator doesn't care about your headcount.

Your compliance officer handles legal, but nobody owns cybersecurity. You're hoping nothing breaks before you figure it out.

You received an information request from your central bank about DORA. You need answers — credible ones — and you need them fast.

If you sit on the board, NIS2 puts personal liability for cybersecurity failures on you.

You’ve done security work, but it isn’t documented — and the next audit will show every gap.

If even one of these is you — check your specific gap in 3 minutes →

Self-Check · Free

How ready are you for DORA?

3 min · 15 checkboxes · live score · no email required

01 ICT Risk Management 3 checks
02 Incident Reporting 3 checks
03 Resilience Testing 3 checks
04 Third-Party ICT Risk 3 checks
05 Information Sharing & Reporting 3 checks

Got your score? Next, talk it through.

15 minutes. No commitment. We'll review your score, name the top three gaps, and tell you whether you need a 90-day programme or a single-engagement.

What We Do

Compliance is not a checklist. It's an ongoing capability.

We don't just write policies. We build the systems your regulator expects to see working.

02 · ICT Risk Management Framework

Policies, procedures, and controls — built for your size, your stack, your risk profile. Not a generic template dump.

03 · Incident Response & Reporting

Playbooks, escalation paths, and regulator notification workflows. Ready before the incident — not scrambled during it.

04 · Third-Party ICT Risk Management

Supplier register, contract DORA clauses, ongoing monitoring. Your cloud provider's outage shouldn't become your compliance failure.

05 · MiCA / CASP Cybersecurity

For Crypto Asset Service Providers: align DORA operational resilience, MiCA authorisation and ICT expectations, and where applicable national NIS2-derived governance duties. We scope the overlap so you don't pay twice for the same work.

06 · Ongoing vCISO Retainer

Continuous compliance monitoring, board reporting, and regulator liaison. Your CISO on call — without the €200K salary.

Your CISO

I've been in your chair. I know what the regulator expects.

The issue is rarely “missing security work.” It’s weak ownership, fragmented evidence, and a control story that falls apart under review.
  • 20+ years in cybersecurity
    CISO since 2008
  • 3 certifications
    CISM · CDPSE · SABSA

Where I focus

  • Governance clarity

    Defined ownership for ICT risk and resilience — from the management body down to the engineer holding the runbook.

  • Outsourcing oversight

    Article 30 contractual provisions, third-party register of information, concentration-risk view across critical or important functions.

  • Evidence cleanup

    Traceable controls, after-action reports, audit-ready packs — so the same control questions stop coming back at every review.

  • Board-ready reporting

    Decision-ready security governance, not compliance optics. The management body sees what they need to act on, not a dump.

When I’m most useful

  • You’ve done the first wave of work but still rebuild evidence manually for every review.
  • Ownership is unclear across compliance, engineering and operations.
  • The same control questions from auditors and partner banks keep coming back.
  • The next review is under time pressure and the team is bracing for it.
How It Works

From gap to audit-ready in 90 days

5 phases · 2–4 hrs/week your team · fixed scope, fixed price

  1. Day 1: Self-check or scoping call

     Self-assessment or 15-min call. Free. No commitment. Clear read on where you stand.

  2. Weeks 1–2: Deep gap analysis & roadmap

     Full gap against DORA's 5 pillars. Prioritised remediation plan with timelines and costs. Board-ready summary.

  3. Weeks 3–10: Build & implement

     Policies, procedures, controls — tailored. Evidence packs structured for external review. Your team: 2–4 hrs/week.

  4. Weeks 10–12: Test & validate

     Resilience testing, tabletops, incident-response drills. You know your systems work before the regulator asks.

  5. Month 4+: Ongoing retainer

     Monthly compliance, board reporting, regulator liaison. Your CISO stays on the line.

“We had fragmented evidence and couldn’t explain our controls under review. Within 90 days, our framework was documented, defensible, and the regulator stopped repeating the same control questions.”
CEO · EMI licensed by Bank of Lithuania
What Changes

Walk into the board meeting and say: “It’s handled.”

  • Regulator asks about DORA: You forward the report. Not scramble to create one.
  • Board wants a security update: You present in 10 minutes. Not prepare for a week.
  • Incident at 2 AM: Your CISO picks up. Not your compliance officer.
Best case

Your regulator’s next review closes with fewer repeated evidence requests. Investor diligence passes without major remediation flags. An M&A buyer accepts the cyber posture without delaying close.

Worst case

You have a defensible, named, board-approved framework — and the answer to the regulator is no longer “we’re working on it.”

Pricing

Transparent pricing. Pick the shape that fits.

All engagements include monthly board-report packs and evidence your regulator can accept. Minimum commitment 3 months. 30-day exit clause after month 3.

DORA 90-Day Programme

Fixed-scope sprint: from gap analysis to audit-ready.

€15,000 – €40,000
one-time, scope-dependent
  • Full gap analysis against DORA 5 pillars
  • Remediation roadmap with timelines & costs
  • ICT risk framework build-out
  • Incident response & third-party risk playbooks
  • Resilience-test plan + tabletop exercise
  • Board-ready evidence pack
Scope this engagement →

Single-Engagement

Targeted help on one artefact.

€6,000 – €12,000
fixed fee per engagement
Choose one scope:
  • DORA gap analysis
  • Policy set refresh
  • Incident-response plan review
  • MiCA / CASP readiness review
  • Regulator-response RFI support
Discuss scope →

A full-time CISO in the EU costs €150–260K+ per year before equity. A 12-month CyAdviso retainer costs €36–60K. You also skip the 4-month hiring window — and the management-body accountability exposure of going another quarter without named ICT-risk ownership.

Compare Options

Your alternatives — honestly compared

Including doing nothing and the most common false-confidence state (compliance officer covers cyber).

Comparison of CyAdviso vCISO, full-time CISO, Big 4 / law firm advisory, GRC SaaS platform, internal compliance officer covering cyber, and doing nothing — across six criteria.

Criteria                 | CyAdviso vCISO | Full-time CISO | Big 4 / Law Firm | GRC Platform | Compliance officer | Do Nothing
Annual cost              | €36–60K        | €150–260K+     | €80–200K         | €5–15K       | €0 incremental     | €0 *
DORA expertise           | Deep           | Depends        | Legal yes        | Generic      | Wrong domain       | None
Technical implementation | Full           | Full           | Advisory only    | Self-service | Out of scope       | None
Board reporting          | Included       | Included       | Extra cost       | No           | Legal flavour      | No
Time to compliance       | 90 days        | 3–6 mo **      | 3–12 mo          | Depends      | Indefinite         | Never
Ongoing support          | Retained       | Permanent      | Project          | Platform     | Wrong domain       | None
Risk exposure            | Managed        | Managed        | Partial          | Partial      | False confidence   | You ARE the risk
  • * Until the regulator calls.
  • ** After a 3–6 month hiring window, plus ramp-up.
  • Compliance officer covers it — the most common false-confidence state in 30–200 fintechs. Compliance training is legal/AML, not cyber. The regulator wants a named CISO function distinct from the compliance officer.
More client experience

Same pattern, different licence types

  • A named CISO who actually understands fintech. We went from “we’re working on it” to “here’s the report, here’s the owner, here’s the plan.”
    Managing Director · Payment Institution · Lithuania
  • Needed DORA and MiCA simultaneously for a CASP licence. Andrey handled the cybersecurity side; our law firm handled legal. Clean separation, no gaps.
    COO · Crypto Asset Service Provider · Cyprus

Names and company logos withheld by engagement NDA. On a discovery call we can share direct references with mutual consent.

Still weighing it?

Read the FAQ — or get a direct read.

The questions below split into common worries and how it actually works. Or skip both and get a direct read on your situation in 15 minutes.

Common Questions

Your DORA, MiCA & NIS2 questions, answered

Common worries (the fears)

Can a virtual CISO really satisfy our regulator under DORA?

DORA does not require the job title “CISO” — it requires clear ownership of ICT risk, documented governance, management-body oversight, and evidence that controls operate. We deliver exactly that, and we’ve done it for clients regulated by Bank of Lithuania, Bank of Latvia, the Central Bank of Cyprus and the UK FCA.

Our compliance officer already covers it. Isn’t that enough?

It’s the most common false-confidence state in 30–200 fintechs. Compliance officers are trained in legal / AML — cybersecurity is not their core domain. Under DORA, supervisors expect clear ICT-risk ownership distinct from the legal / AML compliance function, with documented governance and operating evidence. When the RFI lists ICT artefacts, those need an owner who can produce them. The fix isn’t a new headcount — it’s named ICT-risk ownership.

We’re a small team. Can we actually implement all of DORA?

DORA is proportional — smaller firms have lighter requirements. We scope everything to your size. Most of the heavy lifting (policy writing, risk assessment, supplier mapping) is done by us. Your team reviews and approves — typically 2–4 hours per week.

We already have ISO 27001 / SOC 2. Is DORA overkill?

No — but those certifications reduce the lift. Existing ISO 27001, SOC 2, or prior audits typically reduce the DORA programme by 30–60%. We start with what you have and identify only the DORA-specific deltas.

Does NIS2 management-body accountability really apply to me as a CEO?

NIS2 management-body accountability is implemented through national law, and details vary by jurisdiction (penalties, scope, reporting routes are jurisdiction-specific). The UK has a separate cyber-security regime, not NIS2 transposition. Where you operate, the core obligation — that board members hold accountability for cybersecurity governance — typically applies under the local transposition. The practical fix is named ownership of ICT risk and documented oversight, both of which we deliver.

How it actually works (the constraints)

What’s the minimum engagement?

3 months on the retainer model. The 90-day fixed-scope programme is exactly that. Single-engagement scopes start at 4–8 weeks.

Is there an exit clause?

Yes — 30 days’ notice after month 3 on the retainer. No long lock-ins.

How much of our team’s time does this take?

2–4 hours per week for reviews and approvals. We do the heavy lifting; your team owns the decisions.

Which jurisdictions do you cover?

Primary: EU + UK fintech jurisdictions — engagements have been performed under supervision of Lietuvos Bankas, Latvijas Banka, Central Bank of Cyprus and the UK FCA. Other EU Member States on request.

How is a vCISO engagement different from a Big 4 audit?

Big 4 tells you what’s wrong and hands you a report. We fix it. We build the framework, write the policies, train your team, and stay on retainer to keep it running. You get a CISO, not a PDF.

What if our evidence is scattered and we keep rebuilding it before every review?

That’s exactly the problem we solve most often. We restructure evidence packs, establish ownership, and build control traceability — so you stop answering the same questions repeatedly under audit.

Can’t find your question? Ask on a 15-minute call — or email info@cyadviso.com.

Next step

Your name in the regulator’s notice — or your name on a defensible framework.

Either way, you’re the one accountable. Make it the second one. 15 minutes — walk away with a clear picture of your DORA gaps, the personal-liability exposure, and a cost we can actually scope.

Or call directly: +371 2716 6168 · Email info@cyadviso.com · No commitment. No sales pressure.

Take 3-min Check