What if we already have some policies in place?

We start with what you have. The gap analysis identifies exactly what's missing or outdated. No rework on things that already meet the standard. Existing ISO 27001, SOC 2, or prior audits typically reduce the DORA lift by 30–60%.

How long does DORA compliance take with CyAdviso?

Typical engagement is 90 days from gap analysis to audit-ready. Weeks 1–2 are full gap assessment, weeks 3–10 are build and implement, and weeks 10–12 are test and validate. Ongoing monitoring and support runs from month 4 on a retainer.

What does CyAdviso cost compared to a full-time CISO?

A full-time CISO in the EU costs €150,000–€260,000+ per year plus equity and benefits. CyAdviso retainer runs €36,000–€60,000 per year all-in — typically 60–75% less than an in-house hire, with DORA and MiCA expertise from day one.

Does CyAdviso also cover MiCA and NIS2, not just DORA?

Yes. CyAdviso covers DORA (operational resilience), MiCA (Markets in Crypto-Assets), and NIS2 management-body accountability — implemented through national law, with details that vary by jurisdiction. CASPs may need to align DORA operational resilience, MiCA authorisation and ICT expectations, and, where applicable, national NIS2-derived governance duties.

For EMIs · PIs · CASPs supervised in the EU & UK

From the regulator’s letter to
audit-ready in 90 days.

Q: Can a virtual CISO really satisfy our regulator under DORA?

DORA does not require the job title 'CISO'; it requires clear ICT-risk ownership, documented governance, management-body oversight and evidence that controls operate. CyAdviso delivers exactly that — and has done so for clients regulated by Bank of Lithuania, Bank of Latvia, the Central Bank of Cyprus and the UK FCA.

Q: How is a vCISO engagement different from a Big 4 audit?

Big 4 tells you what's wrong and hands you a report. CyAdviso fixes it: we build the framework, write the policies, train your team, and stay on retainer to keep it running. You get a CISO, not a PDF.

Q: What if our evidence is scattered and we keep rebuilding it before every review?

That's exactly the problem we solve most often. CyAdviso restructures evidence packs, establishes ownership, and builds control traceability — so you stop answering the same questions repeatedly under audit.

A named CISO function for EU-licensed fintechs. Without a €200K full-time hire. Without a Big 4 PDF that sits on your desk.

Take the 3-min Readiness Check → Book a 15-min call

No email for the score
2–4 hrs/week your team
Fixed scope · fixed price

Engagements supervised by

UK Financial Conduct Authority FCA

LT Lietuvos Bankas Bank of Lithuania

LV Latvijas Banka Bank of Latvia

CY Central Bank of Cyprus CBC

Download board briefing → 2-page summary for your management body: what DORA requires, what the personal exposure is, what a solution costs.

8+ EU fintech engagements — EMIs, PIs, CASPs

90 days Audit-ready · gap to handover

What we own end-to-end DORAICT RiskOutsourcing OversightEvidenceBoard Reporting

Sound Familiar?

If any of these is you — you’re not alone

You received an information request from your central bank about DORA. You need answers — credible ones — and you need them fast.

You sit on the management body. NIS2 and DORA put personal accountability for cybersecurity failures on you — including possible individual financial penalties up to €5M in some Member States and temporary bans from management functions.

Your team is 30–200 people. You can't justify a full-time CISO, but the regulator doesn't care about your headcount.

Your compliance officer handles legal, but nobody owns cybersecurity. You're hoping nothing breaks before you figure it out.

You’ve done security work, but it isn’t documented — and the next audit will show every gap.

You’re still building out your ICT risk framework — and DORA has applied since 17 January 2025.

If even one of these is you — check your specific gap in 3 minutes →

Read this first

Why the compliance-officer model breaks under DORA

DORA is not asking whether a legal owner exists. It is asking whether ICT risk is owned, operated and evidenced.

Common assumption	What changes under DORA
“Our compliance officer covers cyber.”	Compliance officers usually own legal, AML and licensing work. DORA expects ICT-risk ownership with technical governance, incident decisioning, supplier oversight, resilience testing and board evidence.
“We have policies, so we are ready.”	In 2026, supervisors and partners ask for operating evidence: risk registers, incident timelines, Register of Information entries, test results, remediation owners and management-body decisions.
“A GRC tool will solve it.”	A platform can store evidence. It does not decide supplier criticality, classify a major ICT incident, brief the board or become the named ICT-risk function.
“We need a full-time CISO or nothing.”	DORA needs clear ownership and evidence that controls operate. A fractional CISO function can work when the scope, cadence, artefacts and internal owners are contractually defined.
“ISO 27001 or SOC 2 covers DORA.”	Those frameworks can reduce the lift, but they do not replace DORA-specific work: Article 19 incident reporting, Article 28 Register of Information, Article 30 supplier clauses and management-body ICT-risk oversight.

If one of these assumptions is still how the organisation works, the first job is not buying another policy. It is naming the ICT-risk function and building the evidence trail around it.

What We Do

Compliance is not a checklist. It's an ongoing capability.

We don't just write policies. We build the systems your regulator expects to see working.

Most leads start here

DORA Gap Analysis & Roadmap

Full assessment against DORA's 5 pillars. You get a prioritized remediation plan your board can approve and your team can execute.

ICT Risk Management Framework

Policies, procedures, and controls — built for your size, your stack, your risk profile. Not a generic template dump.

Incident Response & Reporting

Playbooks, escalation paths, and regulator notification workflows. Ready before the incident — not scrambled during it.

Third-Party ICT Risk Management

Supplier register, contract DORA clauses, ongoing monitoring. Your cloud provider's outage shouldn't become your compliance failure.

MiCA / CASP Cybersecurity

For Crypto Asset Service Providers: align DORA operational resilience, MiCA authorisation and ICT expectations, and where applicable national NIS2-derived governance duties. We scope the overlap so you don't pay twice for the same work.

Ongoing vCISO Retainer

Continuous compliance monitoring, board reporting, and regulator liaison. Your CISO on call — without the €200K salary.

See pricing → or scope an engagement on a 15-min call →

Your CISO

I've been in your chair. I know what the regulator expects.

The issue is rarely “missing security work.” It’s weak ownership, fragmented evidence, and a control story that falls apart under review.

20+ years in cybersecurity
CISO since 2008
3 certifications
CISM · CDPSE · SABSA

Where I focus

Governance clarity
Defined ownership for ICT risk and resilience — from the management body down to the engineer holding the runbook.
Outsourcing oversight
Article 30 contractual provisions, third-party register of information, concentration-risk view across critical or important functions.
Evidence cleanup
Traceable controls, after-action reports, audit-ready packs — so the same control questions stop coming back at every review.
Board-ready reporting
Decision-ready security governance, not compliance optics. The management body sees what they need to act on, not a dump.

When I’m most useful

You’ve done the first wave of work but still rebuild evidence manually for every review.
Ownership is unclear across compliance, engineering and operations.
The same control questions from auditors and partner banks keep coming back.
The next review is under time pressure and the team is bracing for it.
Your board or management body needs to demonstrate cybersecurity oversight to a regulator, investor, or acquirer — and there is no named person they can point to.

See my readiness in 3 minutes Or book a 15-min call

Your work stays yours

What happens when the engagement ends?

One common concern with a vCISO. Here is the direct answer.

All artefacts are yours from day one — policies, risk registers, evidence packs, incident playbooks. Stored in your systems, not ours.
Ownership is named inside your organisation — we build it that way from the start. Every control has an internal owner; we are the function, not the owner.
Handover is built into every engagement — documentation index, decision log, and a continuity brief for the next person in the role.
SIA CyAdviso, not a freelancer — a registered Latvian company. Service continuity is contractual. Your engagement does not depend on one person’s availability.

How It Works

From gap to audit-ready in 90 days

5 phases2–4 hrs/week your teamfixed scope, fixed price

1

Day 1

Self-check or scoping call

Self-assessment or 15-min call. Free. No commitment. Clear read on where you stand.
2

Weeks 1–2

Deep gap analysis & roadmap

Full gap against DORA's 5 pillars. Prioritised remediation plan with timelines and costs. Board-ready summary.
3

Weeks 3–10

Build & implement

Policies, procedures, controls — tailored. Evidence packs structured for external review. Your team: 2–4 hrs/week.
4

Weeks 10–12

Test & validate

Resilience testing, tabletops, incident-response drills. You know your systems work before the regulator asks.
5

Month 4+

Ongoing retainer

Monthly compliance, board reporting, regulator liaison. Your CISO stays on the line.

“We had fragmented evidence and couldn’t explain our controls under review. Within 90 days, our framework was documented, defensible, and the regulator stopped repeating the same control questions.”

CEO · EMI licensed by Bank of Lithuania

What Changes

Walk into the board meeting and say: “It’s handled.”

Regulator asks about DORA You forward the report. Not scramble to create one.
Board wants a security update You present in 10 minutes. Not prepare for a week.
Incident at 2 AM Your CISO picks up. Not your compliance officer.

Best case

Your regulator’s next review closes with zero repeat questions on ICT governance. Investor diligence runs without a remediation flag. The M&A due diligence report shows no cyber red items — and the deal timeline holds.

At minimum

You have a named ICT-risk owner, a board-approved framework, and documented evidence that controls operate. The answer to the regulator stops being “we’re working on it.” That alone removes the management-body accountability exposure.

The stakes — under DORA & NIS2

In 2026, this is no longer an IT problem — it’s a management-body problem.

DORA
Regulation (EU) 2022/2554, Articles 50–52
- Financial-entity penalties: DORA Article 50 does not set one EU-wide fine formula. Member States set effective, proportionate and dissuasive penalties; selected national regimes include turnover-based ceilings from 5% to 10% and absolute legal-entity ceilings from approx. €2M to €20M
- Personal management-body exposure: national DORA penalty regimes can impose individual penalties on management-body members and other responsible individuals — up to €5M in some jurisdictions
- Management body: national regulators may impose personal measures on individual decision-makers, including temporary bans from management functions
- 2026 is the active supervisory phase — regulators are asking for operating evidence, not policy existence
NIS2
Directive (EU) 2022/2555, Articles 32–33
- Essential entities: up to €10M or 2% of global annual turnover
- Important entities: up to €7M or 1.4% of global annual turnover
- Management-body accountability for cybersecurity governance is explicit in national transpositions across LT, LV, CY and the equivalent UK regime

The practical question in 2026: Who owns ICT risk in your organisation — and where is the documented evidence it was managed? “We were working on it” is not a regulator answer.

Result proof

Same pattern, different licence types

Names and company logos are withheld by NDA. The operating pattern is the part that matters: trigger, work built, evidence available at the next review.

EMI

Fragmented ICT evidence before a supervisory review

Situation: Security work existed, but ownership, board reporting and control evidence were scattered across teams and tools.
What we built: ICT risk framework, evidence index, board pack, supplier view and remediation tracker tied to named internal owners.
At the next review: The entity could explain the control story and point to current artefacts instead of rebuilding evidence manually.

“Within 90 days, our framework was documented, defensible, and the regulator stopped repeating the same control questions.”

CEO · EMI licensed by Bank of Lithuania

Incident reporting and supplier evidence cleanup

Situation: A payment institution needed one view across incident classification, ICT providers, contract gaps and review evidence.
What we built: DORA incident workflow, Register of Information cleanup, supplier criticality rationale and board-ready remediation view.
At the next review: The team could show how incidents, suppliers and remediation connected to licensed payment services.

“Zero ICT governance documentation to a board-approved framework and a regulator-ready evidence pack.”

Managing Director · Payment Institution · Lithuania

CASP

MiCA authorisation work running beside DORA readiness

Situation: A CASP needed cybersecurity and operational-resilience evidence without mixing legal authorisation work and ICT-risk delivery.
What we built: Shared evidence model for governance, ICT risk, incidents, outsourcing, resilience and board reporting.
At the next review: The handover separated MiCA legal work from DORA operating evidence, with no dependency on one undocumented owner.

“Andrey handled the cybersecurity side; our law firm handled legal. We hit the deadline. No gaps in the handover.”

COO · Crypto Asset Service Provider

Direct references can be shared on a discovery call with mutual consent. Case details are anonymised to avoid naming clients, regulated entities or confidential supervisory context.

Pricing

Transparent pricing. Pick the shape that fits.

All engagements include monthly board-report packs and evidence your regulator can accept. Minimum commitment 3 months. 30-day exit clause after month 3.

DORA 90-Day Programme

Fixed-scope sprint: from gap analysis to audit-ready.

€15,000 – €40,000

one-time, scope-dependent

Full gap analysis against DORA 5 pillars
Remediation roadmap with timelines & costs
ICT risk framework build-out
Incident response & third-party risk playbooks
Resilience-test plan + tabletop exercise
Board-ready evidence pack

Scope this engagement →

vCISO Retainer

Ongoing CISO capability, monthly.

€3,000 – €5,000

/ month · fixed, no surprise add-ons

Continuous compliance monitoring
Monthly board & audit-committee reports
Regulator liaison & RFI response
Quarterly tabletop / IR drill
Vendor & third-party risk reviews
On-call for material incidents
30-day exit clause after month 3

Book a call →

Single-Engagement

Targeted help on one artefact.

€6,000 – €12,000

fixed fee per engagement

Choose one scope:

DORA gap analysis
Policy set refresh
Incident-response plan review
MiCA / CASP readiness review
Regulator-response RFI support

Discuss scope →

The cost of doing nothing — illustrative on €10M annual revenue

DORA financial-entity penalties — selected national turnover-based ceilings of 5–10% on €10M revenue	~€500,000–€1,000,000
Individual management-body penalties — selected national DORA regimes	can reach up to €5,000,000
Management-body personal measures	unquantifiable
Quarter without named ICT-risk ownership	90 days of exposure
CyAdviso 12-month retainer	€36–60K

The retainer is not the fine. It is the cost of having named ICT-risk ownership, operating evidence and regulator-ready accountability in place before the supervisory question arrives.

A full-time CISO in the EU runs €150–260K/year before equity — plus a 3–6 month hiring window during which the exposure continues.

Compare Options

Your alternatives — honestly compared

Including doing nothing and the most common false-confidence state (compliance officer covers cyber).

Comparison of CyAdviso vCISO, full-time CISO, Big 4 / law firm advisory, GRC SaaS platform, internal compliance officer covering cyber, and doing nothing — across six criteria.
Criteria	CyAdviso vCISO	Full-time CISO	Big 4 / Law Firm	GRC Platform	Compliance officer	Do Nothing
Annual cost	€36–60K	€150–260K+	€80–200K	€5–15K	€0 incremental	€0 ^*
DORA expertise	Deep	Depends	Legal yes	SOC2/ISO27001 ^*** · DORA gaps	Wrong domain	None
Technical implementation	Full	Full	Advisory only	Self-service	Out of scope	None
Board reporting	Included	Included	Extra cost	No	Legal flavour	No
Time to compliance	90 days	3–6 mo^**	3–12 mo	Depends	Indefinite	Never
Ongoing support	Retained	Permanent	Project	Platform	Wrong domain	None
Risk exposure	Managed	Managed	Partial	Partial	False confidence	You ARE the risk

^* Until the regulator calls.
^** After a 3–6 month hiring window, plus ramp-up.
^*** GRC platforms (Drata, Vanta, Secureframe) automate evidence collection for SOC 2 and ISO 27001 — frameworks they were built around. DORA adds requirements these platforms do not cover: the Register of Information (your full ICT third-party supplier map in the NCA-specified format), Article 19 major incident notification to your national competent authority, and DORA-specific resilience testing oversight. A GRC platform gives you a compliance dashboard. It does not give you a named ICT-risk owner, board reporting, or the ability to respond to a regulator’s RFI.
Compliance officer covers it — the most common false-confidence state in 30–200 fintechs. Compliance training is legal/AML, not cyber. The regulator wants a named CISO function distinct from the compliance officer.

Still weighing it?

Read the FAQ — or get a direct read.

The questions below split into common worries and how it actually works. Or skip both and get a direct read on your situation in 15 minutes.

Take the 3-min Readiness Check Or book a 15-min Call

Common Questions

Your DORA, MiCA & NIS2 questions, answered

Common worries (the fears)

Can a virtual CISO really satisfy our regulator under DORA?

DORA does not require the job title “CISO” — it requires clear ownership of ICT risk, documented governance, management-body oversight, and evidence that controls operate. We deliver exactly that, and we’ve done it for clients regulated by Bank of Lithuania, Bank of Latvia, the Central Bank of Cyprus and the UK FCA.

Our compliance officer already covers it. Isn’t that enough?

It’s the most common false-confidence state in 30–200 fintechs. Compliance officers are trained in legal / AML — cybersecurity is not their core domain. Under DORA, supervisors expect clear ICT-risk ownership distinct from the legal / AML compliance function, with documented governance and operating evidence. When the RFI lists ICT artefacts, those need an owner who can produce them. The fix isn’t a new headcount — it’s named ICT-risk ownership.

We’re a small team. Can we actually implement all of DORA?

DORA is proportional — smaller firms have lighter requirements. We scope everything to your size. Most of the heavy lifting (policy writing, risk assessment, supplier mapping) is done by us. Your team reviews and approves — typically 2–4 hours per week.

What if our internal team does not cooperate?

We build ownership inside the organisation from day one: each artefact has a named internal owner, decision owner and review cadence. The 2–4 hours per week usually means short evidence reviews, owner interviews and approvals, not a second full-time project. If a team member is unresponsive, we surface the dependency in the remediation tracker so management can decide whether to escalate, accept the risk or change ownership.

What if the audit still finds gaps after the engagement?

No serious CISO should promise that no reviewer will ever find another issue. The 90-day programme creates the defensible floor: named ICT-risk ownership, board-approved framework, current evidence index, incident workflow, supplier view and remediation tracker. If a review finds additional items, you can show what was known, who owned it, what was being remediated and how management was overseeing the risk.

We already have ISO 27001 / SOC 2. Is DORA overkill?

No — but those certifications reduce the lift. Existing ISO 27001, SOC 2, or prior audits typically reduce the DORA programme by 30–60%. We start with what you have and identify only the DORA-specific deltas.

Does NIS2 management-body accountability really apply to me as a CEO?

NIS2 management-body accountability is implemented through national law, and details vary by jurisdiction (penalties, scope, reporting routes are jurisdiction-specific). The UK has a separate cyber-security regime, not NIS2 transposition. Where you operate, the core obligation — that board members hold accountability for cybersecurity governance — typically applies under the local transposition. The practical fix is named ownership of ICT risk and documented oversight, both of which we deliver.

Can you present to our board or management body directly?

Yes. Board and management-body reporting is included in the retainer. Delivery options: written report (board-approved template), slide deck, or a 30-minute working session. Most management-body members want three things: a named owner, a current status, and a clear next action. That is what the reporting delivers.

How it actually works (the constraints)

What’s the minimum engagement?

3 months on the retainer model. The 90-day fixed-scope programme is exactly that. Single-engagement scopes start at 4–8 weeks.

Is there an exit clause?

Yes — 30 days’ notice after month 3 on the retainer. No long lock-ins.

How much of our team’s time does this take?

2–4 hours per week for reviews and approvals. We do the heavy lifting; your team owns the decisions.

Which jurisdictions do you cover?

Primary: EU + UK fintech jurisdictions — engagements have been performed under supervision of Lietuvos Bankas, Latvijas Banka, Central Bank of Cyprus and the UK FCA. Other EU Member States on request.

How is a vCISO engagement different from a Big 4 audit?

Big 4 tells you what’s wrong and hands you a report. We fix it. We build the framework, write the policies, train your team, and stay on retainer to keep it running. You get a CISO, not a PDF.

What if our evidence is scattered and we keep rebuilding it before every review?

That’s exactly the problem we solve most often. We restructure evidence packs, establish ownership, and build control traceability — so you stop answering the same questions repeatedly under audit.

What happens to our ICT risk programme when the engagement ends?

Nothing disappears. All policies, procedures, risk registers, and evidence packs are stored in your environment from day one — not ours. At the close of any engagement you receive a structured handover: documentation index, ownership map, and a continuity brief for whoever takes over the ICT risk function next. You own the work permanently.

You’re one person. What if you’re unavailable when we have an incident?

CyAdviso is a registered company (SIA CyAdviso, Latvia), not a freelancer. For retainer clients, incident response access is defined in the service agreement with stated response times. On-call protocols for out-of-hours material incidents are part of the retainer scope. All client environments use shared, structured documentation — there is no tribal knowledge dependency on a single person’s memory.

Can’t find your question? Ask on a 15-minute call — or email info@cyadviso.com.

Next step

Your name in the regulator’s notice — or your name on a defensible framework.

Either way, you’re the one accountable. Make it the second one. 15 minutes — walk away with a clear picture of your DORA gaps, the personal-liability exposure, and a cost we can actually scope.

Book a 15-min call → Or take the 3-min Readiness Check first

Or email info@cyadviso.com · No commitment. No sales pressure.