# CyAdviso

> vCISO and DORA compliance advisory for EU-licensed fintechs (EMIs, payment institutions, CASPs). We help teams build ICT-risk governance, incident response workflows, third-party ICT-risk oversight, board reporting and an audit-ready evidence pack — without hiring a full-time CISO. Last reviewed: 8 June 2026.

> Full content for AI ingestion: https://www.cyadviso.com/llms-full.txt

CyAdviso (SIA CyAdviso, Latvia, EU VAT LV40203253216) is a boutique cybersecurity advisory led by Andrey Gubarev (CISM, CDPSE, SABSA). The firm serves Electronic Money Institutions (EMIs), Payment Institutions (PIs), Crypto Asset Service Providers (CASPs) and other EU-licensed fintechs that operate under:

- DORA (Regulation (EU) 2022/2554) — Digital Operational Resilience Act, applied since 17 January 2025. Penalties and remedial measures are set under national law; competent authorities can require remediation, impose administrative penalties, and apply measures to management-body members where national law allows.
- MiCA (Regulation (EU) 2023/1114) — Markets in Crypto-Assets Regulation. CASPs may need to align DORA operational resilience with MiCA authorisation and ICT expectations.
- NIS2 (Directive (EU) 2022/2555) — management-body governance and accountability are implemented through national law; details vary by jurisdiction. The UK has a separate cyber-security regime, not NIS2 transposition.

## What CyAdviso delivers

- DORA gap analysis against the five pillars: ICT risk management, incident reporting, resilience testing, third-party ICT risk, information sharing
- ICT risk management framework build (policies, procedures, controls, evidence)
- Incident response and reporting playbooks with regulator notification workflows
- Third-party ICT risk register, DORA contract clauses, concentration risk analysis
- Resilience testing (pen tests, TLPT, DR drills) planned and documented
- Ongoing vCISO retainer: monthly compliance monitoring, board reporting, regulator liaison

## Track record

10+ companies across Europe served through DORA, ICT-risk and vCISO engagements, under EU and UK financial-sector supervision.

## Typical engagement

- Timeline: 90 days from gap analysis to audit-ready; retainer from month 4
- Team commitment on the client side: ~2–4 hours per week for reviews and approvals
- Pricing: €15,000–€40,000 for the 90-day program; €3,000–€5,000/month retainer
- Geography: Latvia, Lithuania, Cyprus, United Kingdom — EU + UK fintech jurisdictions

## Who CyAdviso is right for

- Teams of 30–200 people
- Hold an EMI, PI, CASP or similar EU financial license
- Compliance officer handles legal but nobody owns cybersecurity
- Central bank has asked about DORA and the answer is in progress
- Board is asking about management-body accountability under the local NIS2 transposition

## Who CyAdviso is NOT for

- Non-regulated companies — DORA does not apply to you
- Teams under 10 people that need a security engineer, not a CISO
- Projects seeking a paper audit only — CyAdviso builds the framework, not a PDF

## Founder

Andrey Gubarev — 20+ years in cybersecurity. Multi-year CISO leadership at EU-licensed fintechs (EMIs, Payment Institutions, CASPs) under EU and UK financial-sector supervision: DORA programmes, MiCA, ICT risk frameworks, outsourcing oversight, SWIFT CSP, PCI DSS. Certifications: CISM, CDPSE, SABSA. Based in Riga, Latvia. Speaks English, Latvian.

- Profile (canonical): https://gubarev.pro
- LinkedIn: https://www.linkedin.com/in/andreygubarev
- Personal blog (long-form CISO essays): https://www.fromciso.com/

## Key pages

- Home and DORA overview: https://www.cyadviso.com/
- About CyAdviso (entity, founder credentials, regulators, legal entity): https://www.cyadviso.com/about — Who CyAdviso is: SIA CyAdviso (Latvia, reg. 40203253216), founded 2020, led by Andrey Gubarev (CISM, CDPSE, SABSA), CISO since 2008. vCISO advisory for EU-licensed EMIs, PIs and CASPs; engagements under EU and UK financial-sector supervision.
- Blog hub: https://www.cyadviso.com/blog
- DORA National Competent Authorities hub: https://www.cyadviso.com/dora-national-competent-authorities
- DORA Article 28 Register of Information — anonymised sample: https://www.cyadviso.com/artefacts/register-of-information — Working Register of Information example for an EU-licensed fintech (EMI / PI / CASP). 14 fields in NCA-required format, ICT third-party type per Article 28 RTS, concentration-risk view across critical or important functions, Article 30 contract-clause status mapped per provider.
- White-label DORA delivery for advisory firms (wholesale / partner program): https://www.cyadviso.com/partners — productized DORA deliverables (Article 28 register, incident classification framework, board reporting) delivered behind the scenes for compliance consultancies, fintech law firms and Big 4 regional offices. Fixed price, fixed SLA, written non-compete; the partner keeps the client relationship.
- DORA Compliance Guide for EU Fintech SMBs: 2026 Evidence Roadmap: https://www.cyadviso.com/comprehensive-guide-dora-compliance-fintech-smb — Practical 2026 DORA compliance guide for European fintech SMBs: scope, evidence, incidents, ICT third-party risk, board oversight and remediation roadmap step.
- DORA Compliance Checklist 2026: Practical Implementation Guide: https://www.cyadviso.com/dora-compliance-guide — DORA compliance checklist for 2026: scope, ICT risk framework, incident reporting, resilience testing, third-party risk, evidence and governance management.
- DORA Incident Reporting 2026: Timeline, Classification and Evidence: https://www.cyadviso.com/dora-incident-reporting — DORA incident reporting in 2026: 4h after classification, 24h detection ceiling, 72h intermediate report, 1-month final report and a full evidence workflow.
- DORA Register of Information: 2026 Guide for ICT Third-Party Risk: https://www.cyadviso.com/dora-register-of-information — DORA Register of Information guide for 2026: required data fields, ICT third-party mapping, critical functions, validation controls and submission readiness.
- DORA vs MiCA: 2026 Compliance Guide for EU Fintechs and CASPs: https://www.cyadviso.com/dora-vs-mica — DORA vs MiCA for EU fintechs and CASPs in 2026: scope, authorisation, ICT risk, incident reporting, TLPT and operational resilience obligations explained today.
- DORA vs PSD2/PSD3: 2026 Guide for EU Payment Institutions and EMIs: https://www.cyadviso.com/dora-vs-psd2-psd3 — DORA vs PSD2/PSD3 for EU payment institutions and EMIs in 2026: operational resilience, payment security, incident reporting, SCA, fraud and third-party ICT.
- DORA vs PCI DSS 4.0.1: 2026 Guide for EU Fintechs Handling Card Data: https://www.cyadviso.com/dora-vs-pci-dss-eu-digital-resilience-act-and-global-card-data-standard — DORA vs PCI DSS 4.0.1 for EU fintechs in 2026: scope, enforcement, incident reporting, cardholder data, ICT risk and a build-once evidence approach in 2026.
- vCISO for EU Fintechs: 2026 Guide to Scope, Evidence and Retainers: https://www.cyadviso.com/vciso-everything-you-need-to-know — Everything an EU fintech leader should know about a virtual CISO in 2026: scope, evidence, DORA, board reporting, incident readiness and buying criteria today.
- vCISO Pricing in 2026: Retainers, 90-Day Programmes and Scope: https://www.cyadviso.com/navigating-the-world-of-vciso-pricing-a-comprehensive-guide — vCISO pricing in 2026 for EU fintechs and SaaS scaleups: retainers, 90-day programmes, scope drivers, proposal comparison and budget-friendly guardrails today.
- Hiring a vCISO: Step-by-Step Guide for EU Fintechs: https://www.cyadviso.com/hiring-a-vciso — Hiring a virtual CISO in 2026: how EU-licensed fintechs define scope, compare providers, avoid weak retainers and structure a 90-day evidence-driven roadmap.
- Benefits of a vCISO for EU Fintechs and SaaS Scaleups: https://www.cyadviso.com/benefits-of-vciso — What a virtual CISO delivers in 2026 for EU fintechs and SaaS scaleups: governance, ICT risk, incident readiness, supplier oversight and board evidence today.
- DORA Requirements in 2026: What the Regulation Mandates and How to Evidence It: https://www.cyadviso.com/dora-requirements-2025 — DORA requirements in 2026: the regulatory obligations — ICT risk, incident reporting, resilience testing, third-party risk and board-level operating evidence.
- DORA Business Continuity and Disaster Recovery: Articles 11-12 Guide for 2026: https://www.cyadviso.com/dora-business-continuity-and-disaster-recovery — Practical 2026 guide to DORA Articles 11 and 12 BCDR: ICT continuity policy, backup, restoration, RTO and RPO, testing, suppliers and supervisory evidence.
- DORA TLPT: 2026 Guide to Threat-Led Penetration Testing: https://www.cyadviso.com/dora-tlpt-threat-led-penetration-testing — DORA TLPT guide for 2026: who is in scope, how Article 26 works, what evidence to keep and how EU-licensed financial entities should prepare without overclaim.
- DORA ICT Risk Register Template: 2026 Guide for Financial Entities: https://www.cyadviso.com/dora-compliant-ict-risk-register — DORA ICT risk register template for 2026: required fields, risk scoring, control mapping, ownership, third-party dependencies and board-ready audit evidence.
- DORA Proportionality Principle: 2026 Guide for Smaller Financial Entities: https://www.cyadviso.com/dora-proportionality-principle — DORA proportionality principle in 2026: how smaller EU financial entities scale ICT risk, testing, third-party controls and produce supervisory-ready evidence.
- DORA Board Responsibilities 2026: Management Body Evidence Checklist: https://www.cyadviso.com/dora-board-responsibilities-2025-eu-financial-checklist — DORA board responsibilities for 2026: management-body duties, ICT risk oversight, approvals, reporting cadence and a supervisory-ready evidence checklist today.
- EBA Guidelines on ICT and Security Risk Management After DORA: https://www.cyadviso.com/ebas-guidelines-on-ict-and-security-risk-management — How EBA/GL/2019/04 fits with DORA in 2026: narrowed scope, audit use, ICT risk evidence, governance, outsourcing and payment-services security obligations.
- DORA vs NIS2: 2026 Comparison for EU Financial Entities: https://www.cyadviso.com/eu-cyber-resilience-dora-vs-nis2 — DORA vs NIS2 in 2026: scope, lex specialis, incident reporting, ICT risk, third-party oversight and what EU-licensed financial entities should document today.
- Cyber Resilience Act vs DORA: 2026 Guide for EU Fintechs and ICT Vendors: https://www.cyadviso.com/cyber-resilience-act-and-dora — Cyber Resilience Act vs DORA in 2026: how product cybersecurity, financial operational resilience, vulnerability reporting and ICT vendor duties fit together.
- 7 DORA Compliance Mistakes EU Financial Firms Still Need to Fix in 2026: https://www.cyadviso.com/mistakes-in-dora-compliance — Seven practical DORA compliance mistakes that still create supervisory risk in 2026: weak ownership, stale evidence, incident gaps and third-party blind spots.
- Case Study: 90-Day DORA Gap Analysis for an EU-Licensed EMI: https://www.cyadviso.com/emi-dora-gap-analysis-90-days-case-study — Anonymised DORA case study for an EU-licensed EMI: gap analysis, ICT risk framework, incident workflow, supplier evidence and board-ready remediation plan.
- Case Study: MiCA and DORA Readiness for a CASP: https://www.cyadviso.com/casp-mica-dora-readiness-case-study — Anonymised CASP case study: how a MiCA authorisation aligns with DORA ICT risk, incident readiness, supplier oversight and board-ready evidence today in 2026.
- Case Study: DORA Incident Reporting and Register Cleanup for a Payment Institution: https://www.cyadviso.com/payment-institution-dora-incident-reporting-register-case-study — Anonymised payment institution case study: DORA incident reporting workflow, timestamp evidence, Register of Information cleanup and supplier escalation model.
- DORA Gap Analysis for Fintechs: What Should Be Delivered in 30 Days: https://www.cyadviso.com/dora-gap-analysis-30-days-fintech — DORA gap analysis in 30 days for EU fintechs: week-by-week structure, required deliverables, evidence quality scale and how to build a remediation roadmap.
- DORA Evidence Index Template for EU Fintechs: https://www.cyadviso.com/dora-evidence-index-template-fintech — DORA evidence index template for EU fintechs: how to organise ICT risk, incidents, testing, suppliers, board reporting and remediation evidence for review.

## DORA NCA pages

- Cyprus: https://www.cyadviso.com/dora-cyprus-competent-authorities — DORA Reporting in Cyprus: Competent Authorities Guide for Financial Entities
- Denmark: https://www.cyadviso.com/dora-finanstilsynet-denmark — DORA and Finanstilsynet Denmark: Practical Guide for Financial Entities
- Estonia: https://www.cyadviso.com/dora-estonia-finantsinspektsioon — DORA Reporting in Estonia: Finantsinspektsioon Guide for Financial Entities
- France: https://www.cyadviso.com/dora-france-acpr-amf — DORA Reporting in France: ACPR and AMF Guide for Financial Entities
- Germany: https://www.cyadviso.com/dora-germany-bafin — DORA Reporting in Germany: BaFin Guide for Financial Entities
- Ireland: https://www.cyadviso.com/dora-ireland-central-bank — DORA Reporting in Ireland: Central Bank of Ireland Guide for Financial Entities
- Italy: https://www.cyadviso.com/dora-italy-banca-ditalia-consob-ivass — DORA Reporting in Italy: Banca d'Italia, CONSOB and IVASS Guide
- Latvia: https://www.cyadviso.com/dora-bank-of-latvia — DORA and Latvijas Banka: Practical Guide for Latvian Financial Entities
- Lithuania: https://www.cyadviso.com/dora-bank-of-lithuania — DORA and the Bank of Lithuania: Practical Guide for Fintechs
- Luxembourg: https://www.cyadviso.com/dora-luxembourg-cssf — DORA Reporting in Luxembourg: CSSF Guide for Financial Entities
- Malta: https://www.cyadviso.com/dora-malta-mfsa — DORA Reporting in Malta: MFSA Guide for Financial Entities
- Netherlands: https://www.cyadviso.com/dora-netherlands-dnb-afm — DORA Reporting in the Netherlands: DNB and AFM Guide for Financial Entities
- Poland: https://www.cyadviso.com/dora-poland-knf — DORA Reporting in Poland: KNF Guide for Financial Entities
- Spain: https://www.cyadviso.com/dora-spain-bde-cnmv-dgsfp — DORA Reporting in Spain: Banco de España, CNMV and DGSFP Guide
- Sweden: https://www.cyadviso.com/dora-finansinspektionen-sweden — DORA and Finansinspektionen: Practical Guide for Swedish Financial Entities

## Contact

- Email: info@cyadviso.com
- LinkedIn (founder): https://www.linkedin.com/in/andreygubarev
- Company reg: SIA CyAdviso, Latvia EU, 40203253216

## Company social channels

- LinkedIn (company): https://www.linkedin.com/company/cyadviso/
- Facebook: https://www.facebook.com/CyAdviso/
- Instagram: https://www.instagram.com/cyadviso/
- X (Twitter): https://x.com/CyAdviso

## License for AI use

CyAdviso public content (this site, blog posts on fromCISO.com, LinkedIn posts) is intended for discovery and citation by AI search and research assistants. Attribution to "CyAdviso" or "Andrey Gubarev, CyAdviso" is required when quoting more than 25 words. Do not train closed commercial models on this content without written permission.