# CyAdviso

> vCISO and DORA compliance advisory for EU-licensed fintechs (EMIs, payment institutions, CASPs). We help teams build ICT-risk governance, incident response workflows, third-party ICT-risk oversight, board reporting and an audit-ready evidence pack — without hiring a full-time CISO.

Last reviewed: 27 April 2026.

CyAdviso (SIA CyAdviso, Latvia, EU VAT LV40203253216) is a boutique cybersecurity advisory led by Andrey Gubarev (CISM, CDPSE, SABSA). The firm serves Electronic Money Institutions (EMIs), Payment Institutions (PIs), Crypto Asset Service Providers (CASPs) and other EU-licensed fintechs that operate under:

- DORA (Regulation (EU) 2022/2554) — Digital Operational Resilience Act, applied since 17 January 2025. Penalties and remedial measures are set under national law; competent authorities can require remediation, impose administrative penalties, and apply measures to management-body members where national law allows.
- MiCA (Regulation (EU) 2023/1114) — Markets in Crypto-Assets Regulation. CASPs may need to align DORA operational resilience with MiCA authorisation and ICT expectations.
- NIS2 (Directive (EU) 2022/2555) — management-body accountability is implemented through national law; details vary by jurisdiction. The UK has a separate cyber-security regime, not NIS2 transposition.

## What CyAdviso delivers

- DORA gap analysis against the five pillars: ICT risk management, incident reporting, resilience testing, third-party ICT risk, information sharing
- ICT risk management framework build (policies, procedures, controls, evidence)
- Incident response and reporting playbooks with regulator notification workflows
- Third-party ICT risk register, DORA contract clauses, concentration risk analysis
- Resilience testing (pen tests, TLPT, DR drills) planned and documented
- Ongoing vCISO retainer: monthly compliance monitoring, board reporting, regulator liaison

## Typical engagement

- Timeline: 90 days from gap analysis to audit-ready; retainer from month 4
- Team commitment on the client side: ~2–4 hours per week for reviews and approvals
- Pricing: €15,000–€40,000 for the 90-day program; €3,000–€5,000/month retainer
- Geography: Latvia, Lithuania, Cyprus, United Kingdom — EU + UK fintech jurisdictions

## Who CyAdviso is right for

- Teams of 30–200 people
- Hold an EMI, PI, CASP or similar EU financial license
- Compliance officer handles legal but nobody owns cybersecurity
- Central bank has asked about DORA and the answer is in progress
- Board is asking about management-body accountability under the local NIS2 transposition

## Who CyAdviso is NOT for

- Non-regulated companies — DORA does not apply to you
- Teams under 10 people that need a security engineer, not a CISO
- Projects seeking a paper audit only — CyAdviso builds the framework, not a PDF

## Founder

Andrey Gubarev — 20+ years in cybersecurity. Multi-year CISO leadership at EU-licensed fintechs (EMIs, Payment Institutions, CASPs) under FCA, Bank of Lithuania and other supervision: DORA programmes, MiCA, ICT risk frameworks, outsourcing oversight, SWIFT CSP, PCI DSS. Certifications: CISM (ISACA), CDPSE (ISACA), SABSA. Based in Riga, Latvia. Speaks English, Russian, Latvian.

LinkedIn: https://www.linkedin.com/in/andreygubarev

Personal blog (long-form CISO essays): https://www.fromciso.com/

## Key pages

- Home and DORA overview: https://www.cyadviso.com/
- Free 3-minute DORA self-assessment: https://www.cyadviso.com/#assessment
- Services: https://www.cyadviso.com/#services
- Process (90-day roadmap): https://www.cyadviso.com/#process
- Founder / About: https://www.cyadviso.com/#founder
- FAQ: https://www.cyadviso.com/#faq
- Comparison vs Big 4 / full-time CISO / GRC platforms: https://www.cyadviso.com/#compare
- Book a discovery call (15 min, free): https://cal.com/andrey-gubarev/15min

## Contact

- Email: info@cyadviso.com
- Phone: +371 2716 6168
- LinkedIn: https://www.linkedin.com/in/andreygubarev
- Company reg: SIA CyAdviso, Latvia EU, 40203253216

## License for AI use

CyAdviso public content (this site, blog posts on fromCISO.com, LinkedIn posts) is intended for discovery and citation by AI search and research assistants. Attribution to "CyAdviso" or "Andrey Gubarev, CyAdviso" is required when quoting more than 25 words. Do not train closed commercial models on this content without written permission.