Practice
Governance, Risk & Compliance
NIS2, DORA, ISO, BCM — regulation translated into resilient governance.
Overview
For us, Compliance & GRC stands for cyber-physical security compliance and resilience: where regulatory requirements, operational criticality, cross-site governance, OT/IT realities and physical security converge. We do not act as a generic GRC provider but as a specialist for critical operations.
Regulatory requirements such as NIS2, CER/KRITIS, DORA, Part-IS, the Cyber Resilience Act and sectoral regimes today demand less additional policy than actionable, demonstrable resilience. That is exactly where we come in: cyber and physical security governed as one risk, global standards and local obligations in one operating model, from regulatory readiness to operational resilience.
Our portfolio is structured into productized offering lines, from Cyber-Physical Regulatory Readiness through Security Governance, ISMS/BCMS and OT resilience to Third-Party Assurance, sector programs and a premium module for executive protection. Standards such as ISO/IEC 27001 are enablers of resilience, not the endpoint.
Services in this practice
Cyber-Physical Regulatory Readiness
Scoping, gap analysis, control mapping, action program and evidence for NIS2, CER/KRITIS, DORA, Part-IS, CRA and sector rules, with cyber and physical security governed as one risk.
Security Governance & Board Enablement
Board briefings, role and accountability models, policy architecture, risk governance, management training and governance dashboards, anchoring security as a leadership task.
ISMS, BCMS & Incident Readiness
ISO/IEC 27001- and ISO 22301-aligned management systems, business impact analysis, BCM, emergency and crisis plans, exercises, audit readiness and evidence management, built to be operationally resilient, not just audit-ready.
OT & Site Resilience
OT/ICS assessment, segmentation and remote-access governance, site risk analyses, protection-needs assessment and cyber-physical protection concepts for critical facilities.
Third-Party & Supply-Chain Assurance
Due diligence, supplier classification, contractual requirements, control testing, supplier assessment and OSINT-based supplier and exposure analyses along the supply chain.
Sector Programs
Vertical packages for DORA, EASA Part-IS, TISAX/UNECE, NIS2 Digital Infrastructure and Utilities Security Compliance, sector-specific rather than abstract framework consulting.
Executive Protection, Travel Risk & Insider Risk Governance
Premium module: protection-needs analyses, travel and stay risk models, executive threat briefings, insider-risk concepts, and exercise and escalation models for exposed people and sites.