For EU-licensed fintechs · EMI · PI · CASP
DORA audit-ready in 90 days — no full-time CISO.
Delivered for EMIs, Payment Institutions, and CASPs — under supervision of Lietuvos Bankas, Latvijas Banka, Central Bank of Cyprus, and the UK FCA. Your team commits 2–4 hours a week. We handle the rest.
- 8+ EU fintech engagements — EMIs, PIs, CASPs
- Supervised by FCA · Bank of Lithuania · Bank of Latvia · Central Bank of Cyprus
- Audit-ready in 90 days · 2–4 hrs/week your team
If any of these is you — you’re not alone
You received an information request from your central bank about DORA. You need answers — credible ones — and you need them fast.
You sit on the management body. NIS2 and DORA put personal accountability for cybersecurity failures on you.
Your team is 30–200 people. You can't justify a full-time CISO, but the regulator doesn't care about your headcount.
Your compliance officer handles legal, but nobody owns cybersecurity. You're hoping nothing breaks before you figure it out.
You’ve done security work, but it isn’t documented — and the next audit will show every gap.
You’re still building out your ICT risk framework — and DORA has applied since 17 January 2025.
If even one of these is you — check your specific gap in 3 minutes →
How ready are you for DORA?
- 01 ICT Risk Management · 3 checks
- 02 Incident Reporting · 3 checks
- 03 Resilience Testing · 3 checks
- 04 Third-Party ICT Risk · 3 checks
- 05 Information Sharing & Reporting · 3 checks
Got your score? Next, talk it through.
15 minutes. No commitment. We'll review your score, name the top three gaps, and tell you whether you need a 90-day programme or a single engagement.
Compliance is not a checklist. It's an ongoing capability.
We don't just write policies. We build the systems your regulator expects to see working.
DORA Gap Analysis & Roadmap
Full assessment against DORA's 5 pillars. You get a prioritized remediation plan your board can approve and your team can execute.
ICT Risk Management Framework
Policies, procedures, and controls — built for your size, your stack, your risk profile. Not a generic template dump.
Incident Response & Reporting
Playbooks, escalation paths, and regulator notification workflows. Ready before the incident — not scrambled during it.
Third-Party ICT Risk Management
Supplier register, contract DORA clauses, ongoing monitoring. Your cloud provider's outage shouldn't become your compliance failure.
MiCA / CASP Cybersecurity
For Crypto Asset Service Providers: align DORA operational resilience, MiCA authorisation and ICT expectations, and where applicable national NIS2-derived governance duties. We scope the overlap so you don't pay twice for the same work.
Ongoing vCISO Retainer
Continuous compliance monitoring, board reporting, and regulator liaison. Your CISO on call — without the €200K salary.
I've been in your chair. I know what the regulator expects.
The issue is rarely “missing security work.” It’s weak ownership, fragmented evidence, and a control story that falls apart under review.
- 20+ years in cybersecurity · CISO since 2008
- 3 certifications · CISM · CDPSE · SABSA
Where I focus
Governance clarity
Defined ownership for ICT risk and resilience — from the management body down to the engineer holding the runbook.
Outsourcing oversight
Article 30 contractual provisions, third-party register of information, concentration-risk view across critical or important functions.
Evidence cleanup
Traceable controls, after-action reports, audit-ready packs — so the same control questions stop coming back at every review.
Board-ready reporting
Decision-ready security governance, not compliance optics. The management body sees what they need to act on, not a dump.
When I’m most useful
- You’ve done the first wave of work but still rebuild evidence manually for every review.
- Ownership is unclear across compliance, engineering and operations.
- The same control questions from auditors and partner banks keep coming back.
- The next review is under time pressure and the team is bracing for it.
- Your board or management body needs to demonstrate cybersecurity oversight to a regulator, investor, or acquirer — and there is no named person they can point to.
What happens when the engagement ends?
One common concern with a vCISO. Here is the direct answer.
- All artefacts are yours from day one — policies, risk registers, evidence packs, incident playbooks. Stored in your systems, not ours.
- Ownership is named inside your organisation — we build it that way from the start. Every control has an internal owner; we are the function, not the owner.
- Handover is built into every engagement — documentation index, decision log, and a continuity brief for the next person in the role.
- SIA CyAdviso is a registered Latvian company, not a freelancer. Service continuity is contractual. Your engagement does not depend on one person’s availability.
From gap to audit-ready in 90 days
1. Day 1 · Self-check or scoping call
   Self-assessment or 15-min call. Free. No commitment. Clear read on where you stand.
2. Weeks 1–2 · Deep gap analysis & roadmap
   Full gap against DORA's 5 pillars. Prioritised remediation plan with timelines and costs. Board-ready summary.
3. Weeks 3–10 · Build & implement
   Policies, procedures, controls — tailored. Evidence packs structured for external review. Your team: 2–4 hrs/week.
4. Weeks 10–12 · Test & validate
   Resilience testing, tabletops, incident-response drills. You know your systems work before the regulator asks.
5. Month 4+ · Ongoing retainer
   Monthly compliance, board reporting, regulator liaison. Your CISO stays on the line.
“We had fragmented evidence and couldn’t explain our controls under review. Within 90 days, our framework was documented, defensible, and the regulator stopped repeating the same control questions.”
Walk into the board meeting and say: “It’s handled.”
- Regulator asks about DORA: you forward the report. Not scramble to create one.
- Board wants a security update: you present in 10 minutes. Not prepare for a week.
- Incident at 2 AM: your CISO picks up. Not your compliance officer.
Your regulator’s next review closes with zero repeat questions on ICT governance. Investor diligence runs without a remediation flag. The M&A due diligence report shows no cyber red items — and the deal timeline holds.
You have a named ICT-risk owner, a board-approved framework, and documented evidence that controls operate. The answer to the regulator stops being “we’re working on it.” That alone removes the management-body accountability exposure.
Transparent pricing. Pick the shape that fits.
All engagements include monthly board-report packs and evidence your regulator can accept. Minimum commitment 3 months. 30-day exit clause after month 3.
DORA 90-Day Programme
Fixed-scope sprint: from gap analysis to audit-ready.
- Full gap analysis against DORA's 5 pillars
- Remediation roadmap with timelines & costs
- ICT risk framework build-out
- Incident response & third-party risk playbooks
- Resilience-test plan + tabletop exercise
- Board-ready evidence pack
vCISO Retainer
Ongoing CISO capability, monthly.
- Continuous compliance monitoring
- Monthly board & audit-committee reports
- Regulator liaison & RFI response
- Quarterly tabletop / IR drill
- Vendor & third-party risk reviews
- On-call for material incidents
- 30-day exit clause after month 3
Single-Engagement
Targeted help on one artefact.
- DORA gap analysis
- Policy set refresh
- Incident-response plan review
- MiCA / CASP readiness review
- Regulator-response RFI support
The cost of doing nothing — illustrative on €10M annual revenue
| DORA daily fine (1% of daily turnover) | ~€274 / day |
| 6 months of daily fines — max under Art. 50 | ~€50,000 |
| Management-body personal measures | unquantifiable |
| Quarter without named ICT-risk ownership | 90 days of exposure |
| CyAdviso 12-month retainer | €36–60K |
The retainer cost and the theoretical fine exposure overlap. One closes the gap. The other leaves it open.
A full-time CISO in the EU runs €150–260K/year before equity — plus a 3–6 month hiring window during which the exposure continues.
Your alternatives — honestly compared
Including doing nothing and the most common false-confidence state (compliance officer covers cyber).
| Criteria | CyAdviso vCISO | Full-time CISO | Big 4 / Law Firm | GRC Platform | Compliance officer | Do Nothing |
|---|---|---|---|---|---|---|
| Annual cost | €36–60K | €150–260K+ | €80–200K | €5–15K | €0 incremental | €0 * |
| DORA expertise | Deep | Depends | Legal yes | SOC2/ISO27001 *** · DORA gaps | Wrong domain | None |
| Technical implementation | Full | Full | Advisory only | Self-service | Out of scope | None |
| Board reporting | Included | Included | Extra cost | No | Legal flavour | No |
| Time to compliance | 90 days | 3–6 mo** | 3–12 mo | Depends | Indefinite | Never |
| Ongoing support | Retained | Permanent | Project | Platform | Wrong domain | None |
| Risk exposure | Managed | Managed | Partial | Partial | False confidence | You ARE the risk |
- * Until the regulator calls.
- ** After a 3–6 month hiring window, plus ramp-up.
- *** GRC platforms (Drata, Vanta, Secureframe) automate evidence collection for SOC 2 and ISO 27001 — frameworks they were built around. DORA adds requirements these platforms do not cover: the Register of Information (your full ICT third-party supplier map in the NCA-specified format), Article 19 major incident notification to your national competent authority, and DORA-specific resilience testing oversight. A GRC platform gives you a compliance dashboard. It does not give you a named ICT-risk owner, board reporting, or the ability to respond to a regulator’s RFI.
- Compliance officer covers it — the most common false-confidence state in 30–200 fintechs. Compliance training is legal/AML, not cyber. The regulator wants a named CISO function distinct from the compliance officer.
Same pattern, different licence types
- “A named CISO who actually understands fintech. Within 90 days we went from zero ICT governance documentation to a board-approved framework and a regulator-ready evidence pack — zero repeat questions at the review that followed.” Managing Director, Payment Institution · Lithuania
- “Needed DORA and MiCA simultaneously — on a hard regulatory deadline for our CASP licence. Andrey handled the cybersecurity side; our law firm handled legal. We hit the deadline. No gaps in the handover.” COO, Crypto Asset Service Provider · Cyprus
Names and company logos withheld by engagement NDA. On a discovery call we can share direct references with mutual consent.
Read the FAQ — or get a direct read.
The questions below split into common worries and how it actually works. Or skip both and get a direct read on your situation in 15 minutes.
Your DORA, MiCA & NIS2 questions, answered
Common worries (the fears)
Can a virtual CISO really satisfy our regulator under DORA?
DORA does not require the job title “CISO” — it requires clear ownership of ICT risk, documented governance, management-body oversight, and evidence that controls operate. We deliver exactly that, and we’ve done it for clients regulated by Bank of Lithuania, Bank of Latvia, the Central Bank of Cyprus and the UK FCA.
Our compliance officer already covers it. Isn’t that enough?
It’s the most common false-confidence state in 30–200 fintechs. Compliance officers are trained in legal / AML — cybersecurity is not their core domain. Under DORA, supervisors expect clear ICT-risk ownership distinct from the legal / AML compliance function, with documented governance and operating evidence. When the RFI lists ICT artefacts, those need an owner who can produce them. The fix isn’t a new headcount — it’s named ICT-risk ownership.
We’re a small team. Can we actually implement all of DORA?
DORA is proportional — smaller firms have lighter requirements. We scope everything to your size. Most of the heavy lifting (policy writing, risk assessment, supplier mapping) is done by us. Your team reviews and approves — typically 2–4 hours per week.
We already have ISO 27001 / SOC 2. Is DORA overkill?
No — but those certifications reduce the lift. Existing ISO 27001, SOC 2, or prior audits typically reduce the DORA programme by 30–60%. We start with what you have and identify only the DORA-specific deltas.
Does NIS2 management-body accountability really apply to me as a CEO?
NIS2 management-body accountability is implemented through national law, and details vary by jurisdiction (penalties, scope, reporting routes are jurisdiction-specific). The UK has a separate cyber-security regime, not NIS2 transposition. Where you operate, the core obligation — that board members hold accountability for cybersecurity governance — typically applies under the local transposition. The practical fix is named ownership of ICT risk and documented oversight, both of which we deliver.
Can you present to our board or management body directly?
Yes. Board and management-body reporting is included in the retainer. Delivery options: written report (board-approved template), slide deck, or a 30-minute working session. Most management-body members want three things: a named owner, a current status, and a clear next action. That is what the reporting delivers.
How it actually works (the constraints)
What’s the minimum engagement?
3 months on the retainer model. The 90-day fixed-scope programme is exactly that. Single-engagement scopes start at 4–8 weeks.
Is there an exit clause?
Yes — 30 days’ notice after month 3 on the retainer. No long lock-ins.
How much of our team’s time does this take?
2–4 hours per week for reviews and approvals. We do the heavy lifting; your team owns the decisions.
Which jurisdictions do you cover?
Primary: EU + UK fintech jurisdictions — engagements have been performed under supervision of Lietuvos Bankas, Latvijas Banka, Central Bank of Cyprus and the UK FCA. Other EU Member States on request.
How is a vCISO engagement different from a Big 4 audit?
Big 4 tells you what’s wrong and hands you a report. We fix it. We build the framework, write the policies, train your team, and stay on retainer to keep it running. You get a CISO, not a PDF.
What if our evidence is scattered and we keep rebuilding it before every review?
That’s exactly the problem we solve most often. We restructure evidence packs, establish ownership, and build control traceability — so you stop answering the same questions repeatedly under audit.
What happens to our ICT risk programme when the engagement ends?
Nothing disappears. All policies, procedures, risk registers, and evidence packs are stored in your environment from day one — not ours. At the close of any engagement you receive a structured handover: documentation index, ownership map, and a continuity brief for whoever takes over the ICT risk function next. You own the work permanently.
You’re one person. What if you’re unavailable when we have an incident?
CyAdviso is a registered company (SIA CyAdviso, Latvia), not a freelancer. For retainer clients, incident response access is defined in the service agreement with stated response times. On-call protocols for out-of-hours material incidents are part of the retainer scope. All client environments use shared, structured documentation — there is no tribal knowledge dependency on a single person’s memory.
Can’t find your question? Ask on a 15-minute call — or email info@cyadviso.com.
Your name in the regulator’s notice — or your name on a defensible framework.
Either way, you’re the one accountable. Make it the second one. 15 minutes — walk away with a clear picture of your DORA gaps, the personal-liability exposure, and a cost we can actually scope.
Or call directly: +371 2716 6168 · Email info@cyadviso.com · No commitment. No sales pressure.