90-day programme
Fragmented ICT evidence before a supervisory review
- Situation
- Security work existed, but ownership, board reporting and control evidence were scattered across teams and tools.
- What we built
- ICT risk framework, evidence index, board pack, supplier view and remediation tracker tied to named internal owners.
- Outcome
- The entity could explain the control story and point to current artefacts instead of rebuilding evidence manually.
“Within 90 days, our framework was documented, defensible, and the regulator stopped repeating the same control questions.”
CEO · EU-licensed EMI
Read the full case →
Single engagement
Incident reporting and supplier evidence cleanup
- Situation
- A payment institution needed one view across incident classification, ICT providers, contract gaps and review evidence.
- What we built
- DORA incident workflow, Register of Information cleanup, supplier criticality rationale and board-ready remediation view.
- Outcome
- The team could show how incidents, suppliers and remediation connected to licensed payment services.
“Zero ICT governance documentation to a board-approved framework and a regulator-ready evidence pack.”
Managing Director · Payment Institution
Read the full case →
Single engagement
MiCA authorisation work running beside DORA readiness
- Situation
- A CASP needed cybersecurity and operational-resilience evidence without mixing legal authorisation work and ICT-risk delivery.
- What we built
- Shared evidence model for governance, ICT risk, incidents, outsourcing, resilience and board reporting.
- Outcome
- The handover separated MiCA legal work from DORA operating evidence, with no dependency on one undocumented owner.
“Andrey handled the cybersecurity side; our law firm handled legal. We hit the deadline. No gaps in the handover.”
COO · Crypto Asset Service Provider
Read the full case →