vCISO Pricing in 2026: Retainers, 90-Day Programmes and Scope
vCISO pricing in 2026 for EU fintechs and SaaS scaleups: retainers, 90-day programmes, scope drivers, proposal comparison and budget-friendly guardrails.
Last reviewed: 30 April 2026
vCISO pricing is hard to compare because providers often sell different things under the same label. One proposal may include board reporting, DORA evidence, incident support and vendor risk. Another may be a few advisory calls per month.
For an EU fintech, the useful pricing question is:
What security leadership outcome are we buying, and what evidence will exist after the engagement?
That matters because the same "vCISO retainer" label can mean very different things: a monthly advisory call, a board-reporting function, DORA evidence ownership, incident-readiness support, supplier-risk governance or a temporary CISO role. Pricing only becomes comparable after scope is explicit.
Common pricing models
| Model | How it works | Best for | Main risk |
|---|---|---|---|
| Monthly retainer | Fixed monthly fee for defined CISO ownership and cadence | Ongoing security leadership | Too vague if deliverables are not named |
| Fixed 90-day programme | One defined price for a gap analysis, roadmap and evidence build | DORA/audit-readiness reset | Scope creep if internal owners are unavailable |
| Project fee | Fixed price for a narrow deliverable | Tabletop, vendor review, policy refresh, audit support | Does not solve ongoing ownership |
| Hourly advisory | Pay for time used | Small ad hoc questions | Easy to spend money without building a system |
| Interim CISO | Temporary leadership role | Hiring gap or urgent regulatory pressure | Can become expensive if the mandate is unclear |
Pricing by outcome, not job title
The title "vCISO" is not the product. The product is the operating capability the company needs.
| Buying intent | Better pricing shape | Why |
|---|---|---|
| Need a board-ready security baseline | Fixed assessment or 90-day programme | Clear deliverables and deadline |
| Need recurring ICT risk ownership | Monthly retainer | Keeps risk register, reporting and evidence current |
| Need urgent audit or partner-bank response | Fixed project or short surge retainer | Limits scope to the immediate assurance need |
| Need incident leadership availability | Retainer with explicit incident terms | Routine advisory pricing should not imply on-call response |
| Need temporary executive cover | Interim CISO mandate | Requires more access, time and accountability |
If the provider cannot connect price to a defined operating outcome, the buyer cannot know whether the proposal is cheap or expensive.
What drives vCISO cost
| Cost driver | Lower effort | Higher effort |
|---|---|---|
| Regulatory scope | One assurance framework or customer questionnaire | DORA plus MiCA, PSD2/PSD3, PCI DSS, ISO 27001 or SOC 2 |
| Entity complexity | One product, one market, simple vendor base | Multiple licences, markets, products, entities or outsourced functions |
| Incident expectations | Planned tabletop and workflow design | Urgent support, executive escalation or on-call expectations |
| Board reporting | Quarterly risk summary | Monthly board pack, risk acceptance, remediation decisions |
| Third-party risk | Small supplier list | Critical ICT providers, cloud concentration, outsourcing and exit planning |
| Internal maturity | Existing policies, risk register and evidence | Scattered evidence, unclear owners, no current risk baseline |
| Deliverable depth | Workshop and recommendations | Implemented evidence pack, templates, trackers and operating cadence |
| Stakeholder load | CTO plus founder | CTO, board, compliance, legal, vendors, auditors and partner banks |
Typical engagement bands
These are practical planning bands, not a universal market promise. The right budget depends on scope, urgency and how much internal execution capacity exists.
| Engagement | Typical monthly or project shape | What should be included |
|---|---|---|
| Light advisory retainer | Low monthly retainer | Monthly risk review, leadership calls, limited document review |
| Operating vCISO retainer | Mid monthly retainer | Risk backlog, management reporting, incident governance, vendor reviews, policy ownership |
| Regulated fintech retainer | Higher monthly retainer | DORA evidence, board packs, supplier oversight, audit support, incident readiness |
| 90-day DORA readiness programme | Fixed project fee | Gap analysis, roadmap, evidence index, board report, priority remediation |
| Incident or audit surge | Fixed project or short retainer | Focused support around incident, audit, regulator request or customer assurance |
What should be included in each level
| Level | Minimum useful scope | Should not be assumed unless written |
|---|---|---|
| Light advisory | Monthly risk call, limited document review, decision notes | Board pack, DORA evidence ownership, incident support |
| Operating vCISO | Risk register, governance cadence, board input, roadmap, policy/evidence review | 24/7 response, legal advice, engineering implementation |
| Regulated fintech vCISO | DORA evidence, ICT third-party risk, incident workflow, board reporting, audit support | Full compliance ownership or regulator representation |
| 90-day programme | Baseline, gap analysis, evidence index, roadmap, priority artefacts | Ongoing ownership after the programme ends |
| Interim CISO | Temporary leadership, executive cadence, risk decisions, team coordination | Permanent capacity or deep engineering delivery |
This table is where many procurement conversations should start. If a provider prices an "operating vCISO" but excludes board reporting, supplier review and incident workflow, the engagement may be advisory rather than operational.
How to compare proposals
Do not compare only the headline fee. Compare the operating model.
| Proposal question | Weak answer | Strong answer |
|---|---|---|
| What deliverables exist after month one? | "Initial review" | Baseline, risk register draft, decision log, priority roadmap |
| Who owns the risk register? | "Client team" | Named internal owner plus vCISO review cadence |
| Is board reporting included? | "As needed" | Monthly or quarterly pack with decisions and remediation |
| Is incident support included? | "We can advise" | Clear routine vs urgent support terms |
| Are vendor reviews included? | "Some third-party review" | Critical supplier map, contract gaps and escalation path |
| What is explicitly excluded? | Not stated | Legal advice, SOC monitoring, engineering implementation, DPO work |
| How is progress measured? | Hours consumed | Evidence completed, risks closed, decisions made |
Scope examples for EU fintechs
| Company situation | Sensible first scope |
|---|---|
| EMI preparing partner-bank review | 30-day evidence baseline plus partner-bank assurance pack |
| Payment institution with weak DORA operating evidence | 90-day DORA readiness programme |
| CASP nearing MiCA authorisation pressure | vCISO retainer with DORA/MiCA evidence coordination |
| SaaS vendor selling to regulated fintechs | Customer-assurance control map plus security roadmap |
| Licensed fintech with overloaded CTO | Operating vCISO retainer with board reporting and ICT risk cadence |
| Audit due in 8 weeks | Fixed audit-readiness project with evidence index and remediation tracker |
Retainer vs 90-day programme
| Question | Retainer | 90-day programme |
|---|---|---|
| Purpose | Ongoing CISO ownership | Rapid baseline and remediation roadmap |
| Best when | The company needs recurring risk governance | The company needs to become audit-ready or regulator-ready |
| Output | Monthly operating rhythm and current evidence | Gap analysis, roadmap and board-ready package |
| Weakness | Can drift without a backlog | Ends unless converted into ownership |
Many fintechs need both: a 90-day reset first, then a lighter ongoing retainer to keep evidence current.
Hidden costs to clarify before signing
| Item | Why it matters |
|---|---|
| Incident support | Routine retainers often exclude urgent response or on-call leadership |
| Board meetings | Preparation and attendance can be separate from document drafting |
| Vendor reviews | Supplier scope can grow quickly if all tools are included |
| Policy rewriting | Reviewing a policy is different from rewriting the full control set |
| Evidence collection | The provider may need internal staff to gather artefacts |
| Audit meetings | Attendance, response drafting and follow-up may need a separate work order |
| Tooling | GRC, ticketing, scanning or monitoring tools are usually separate costs |
| Travel or workshops | Onsite tabletop or board sessions may not be included |
The goal is not to negotiate every line down. It is to avoid buying a low retainer and then discovering that all useful work is out of scope.
What not to buy
Avoid a vCISO proposal that only promises "strategic guidance" without a list of operating outputs.
Weak proposals usually have these signs:
- no defined first-month deliverables;
- no board reporting format;
- no incident classification or escalation work;
- no supplier-risk scope;
- no evidence index;
- no statement of exclusions;
- no cadence for risk review.
Procurement checklist
Before approving a vCISO budget, confirm:
- The business problem is named: DORA, audit, partner bank, board reporting, incident readiness, supplier risk or security ownership.
- Deliverables are written down for the first 30 days.
- The recurring cadence is clear.
- Internal owners are named.
- Exclusions are explicit.
- Incident support expectations are written.
- Board reporting is either included or explicitly excluded.
- Supplier-risk scope is bounded.
- Evidence ownership is clear.
- Success criteria are measurable.
Budgeting for EU fintechs
For an EU fintech, the budget should follow the pressure point:
| Pressure point | Better buying motion |
|---|---|
| Licence application or regulator query | Fixed readiness programme |
| DORA evidence is weak | 90-day DORA gap and roadmap |
| CTO is overloaded with security ownership | Monthly vCISO retainer |
| Partner bank asks for assurance | Short project plus evidence pack |
| Audit is approaching | Audit-readiness project |
| Security is mature but lacks board reporting | Light retainer focused on governance |
FAQ
Why do vCISO prices vary so much?
Because providers package different levels of accountability under the same label. A monthly advisory call, a 90-day evidence programme and an interim CISO mandate are not comparable products.
Is a cheap vCISO retainer a bad idea?
Not always. It can work for a narrow advisory need. It is risky when the company expects board reporting, DORA evidence, incident readiness and supplier-risk ownership from a very light retainer.
Should DORA work be priced separately?
It depends on maturity. If the company already has current evidence, DORA can be part of the retainer. If evidence is scattered, a fixed 90-day DORA readiness programme is usually cleaner before moving into ongoing cadence.
What is the best pricing model for an early fintech?
Usually a fixed baseline or 90-day programme first, followed by a retainer only if the company has enough recurring work and internal capacity to act on recommendations.
Related guides
- vCISO for EU fintechs
- Hiring a vCISO
- Benefits of a vCISO
- DORA Compliance Guide for European Fintech SMBs
- DORA vs MiCA: 2026 Compliance Guide for EU Fintechs and CASPs
- DORA vs PSD2/PSD3: 2026 Guide for EU Payment Institutions and EMIs
Primary sources
- NIST Cybersecurity Framework 2.0
- Regulation (EU) 2022/2554 — DORA, EUR-Lex
- European Banking Authority — Digital Operational Resilience Act
Bottom line
vCISO pricing only makes sense when scope is clear. A cheap retainer with no evidence can be expensive. A focused programme that creates a board-ready risk model can be cheaper than months of unfocused advisory.
For fintechs, buy the outcome: ICT risk ownership, incident readiness, supplier oversight, audit evidence and management reporting.