IMPLEMENTATIONS
GDPR, NIS2, DORA, ISO 27001 and ISO 22301
We design and implement data protection, cybersecurity, and business continuity management systems. Our services include developing documentation, procedures, risk assessments, and plans fully aligned with applicable regulations and international standards.
What does the service include?
Each regulation brings different requirements — but the goal is the same: to ensure security, compliance, and operational resilience. By working with organizations across various sectors, we demonstrate that implementing GDPR, NIS2, DORA, ISO 27001, and ISO 22301 doesn’t have to be just a legal obligation. It can become a practical tool for streamlining processes, improving risk management, and building trust.
Discover how we support organizations at every stage of implementation — from initial analysis to fully operational solutions.
Implementing GDPR is more than just meeting legal obligations — it’s an opportunity to organize the way your organization processes personal data across all areas: clients, employees, and business partners alike. Our approach is based on practical, applicable solutions that integrate seamlessly into daily operations, regardless of industry or company size.
We begin with a preliminary audit designed to identify areas of non-compliance or inefficiency. This includes an analysis of your documentation, IT systems, data flows, technical safeguards, and how your organization fulfills its information obligations. The result is a detailed audit report with clear, actionable recommendations — forming the foundation for the next steps.
Based on the audit findings, we develop a customized set of documents tailored to your structure and operational specifics. We address both formal legal requirements and practical organizational needs — such as responsibility distribution, internal data handling, or communication with clients. Each document is designed to be understood, implemented, and followed by your team.
As part of the GDPR implementation service, we prepare (among others):
Personal data protection policy
Record of processing activities (RoPA)
Record of categories of processing activities (for processors)
Procedure for handling data subject rights
Personal data breach handling and notification procedure (including notification to the supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR, and communication to affected data subjects where Article 34 requires it)
Risk assessment and Data Protection Impact Assessment (DPIA) procedure
Data processing authorizations and authorization records
Privacy notices for customers, employees, job candidates, contractors, and other data subjects
Data processing agreement (DPA) templates
The next step is employee training, which we deliver either in-person or online — depending on your organization’s needs. The training is practical and role-specific, focusing on how to apply the new procedures and use documentation in everyday work. Our goal is to help teams see data protection not as a legal formality, but as a core part of secure and responsible business operations.
Implementing the NIS2 Directive (Directive (EU) 2022/2555 on network and information security) is not just about meeting EU legal obligations; it is a strategic opportunity to strengthen your organization's resilience against cyber threats. The updated rules broaden the scope of covered entities (essential and important entities) and introduce strict requirements for risk management, incident reporting, management accountability, and oversight of IT system security. Our goal is to help organizations understand and apply NIS2 requirements effectively and sustainably.
We begin with a compliance audit to assess your current readiness and identify regulatory gaps, risk areas, and opportunities for improvement. This includes an analysis of both organizational elements (such as policies, procedures, governance structures) and technical controls (systems, safeguards, event logging). The result is a detailed audit report with recommendations and a customized implementation roadmap aligned with your resources and operational context.
The next phase involves developing and implementing the system documentation and procedures necessary to achieve NIS2 compliance. We tailor the scope to your industry, business type, and the criticality of the services you provide. Our emphasis is always on practicality: documentation should support real operations, not just sit on a shelf.
As part of the NIS2 implementation, we prepare (among others):
Information security management policy
Business continuity policy and contingency plan (BCP)
Incident response procedure and reporting process to CSIRTs
IT and digital services risk assessment
Vulnerability and security testing management plan
Access control and privilege management documentation
Supplier oversight and supply chain security procedures
Significant incident reporting protocol covering the NIS2 deadlines (early warning within 24 hours of becoming aware of the incident, incident notification within 72 hours, and a final report within one month)
Organizational responsibility matrices and role assignments
Cybersecurity awareness and training plans
We conclude the implementation with tailored training sessions for both leadership and operational teams. These sessions cover how to respond to incidents, apply new procedures, and recognize common threats. For many organizations, this step also marks the beginning of building a robust internal culture of cybersecurity.
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554, applicable since 17 January 2025) is an EU regulation that introduces uniform requirements for digital operational resilience across the financial sector and the ICT third-party providers that support it. Its purpose is to ensure that financial entities, regardless of size or business model, can effectively prevent ICT disruptions, respond to incidents, and maintain operational continuity in a digital environment.
Our approach to DORA implementation is structured, practical, and focused on clarity — especially given that many of its requirements are entirely new even to experienced compliance and IT teams.
We begin with a compliance gap analysis, assessing both your organizational processes and technical infrastructure. This includes verifying whether your organization has ICT risk identification mechanisms, monitoring systems, effective incident response procedures, business continuity plans, and digital resilience testing strategies. The audit provides a clear picture of your current readiness and highlights areas that need improvement.
Based on this, we develop a full set of DORA-compliant documentation and procedures, tailored to your operational scale, service profile, and risk exposure. We also consider your regulatory status — whether you are directly supervised by national authorities (such as KNF or UKE) or act as an ICT service provider for regulated financial entities.
As part of the DORA implementation, we prepare (among others):
ICT risk management policy
ICT incident register and incident reporting procedures
Third-party risk management strategy for ICT providers
ICT service monitoring, testing, and audit procedures
Business continuity and disaster recovery plans (BCP & DRP)
Digital operational resilience testing schedules
Internal incident classification and notification procedures aligned with the DORA major incident reporting timelines (initial notification within 4 hours of classifying an incident as major and no later than 24 hours of becoming aware of it, intermediate report within 72 hours of the initial notification, and final report within one month)
Change management, operational incident, and cyberattack handling procedures
Risk assessment and classification model
Definition of ICT and compliance roles and responsibilities within the organizational structure
The implementation is completed with practical team training — not only for IT and cybersecurity staff, but also for key compliance and operational functions. We explain how to apply the new procedures, interpret DORA requirements, and prepare the organization for potential regulatory audits.
DORA is a regulation that demands action — general policies or “paper-based” continuity plans are no longer enough. That’s why our focus is on real implementation, fully embedded into day-to-day operations. When needed, we also support communication with supervisory authorities, assist in incident analysis, and help update documentation in response to regulatory changes or new guidance.
ISO/IEC 27001 is the leading international standard for information security management systems (ISMS). Its implementation helps organizations structure and strengthen the way they protect data and IT systems, reduce the risk of information loss, and increase trust among clients, partners, and regulators. Certification to ISO 27001 is increasingly becoming a requirement in public tenders, contracts with large business partners, and projects in the public sector.
Implementing an ISMS goes far beyond documentation — it requires a clear definition of roles, processes, and responsibilities across the organization.
We begin with a preliminary analysis to assess your current level of information security, existing safeguards, risk exposure, and any gaps in compliance with ISO/IEC 27001 requirements. The audit covers both organizational areas (such as personnel, access, and supplier management) and technical controls (such as backups, access control, network security, and testing). Based on the findings, we develop a structured implementation roadmap with clear timelines and assigned responsibilities.
The next step is the development of ISMS documentation — a set of principles, procedures, and records that form the operational backbone of your information security system. Our goal is to create solutions tailored to the scale and nature of your business — ensuring both regulatory compliance and practical usability. Documentation shouldn’t exist just “for certification”; it should support risk management, regulatory alignment, and operational continuity.
As part of the ISO/IEC 27001 implementation, we prepare:
Information security policy
Security objectives and performance evaluation methods
Risk management plan and risk register (with applied methodology)
Asset inventory and information classification register
Access and permissions management principles
Information security incident management procedure
Backup policy, business continuity plan (BCP), and disaster recovery plan (DRP)
Acceptable use policy (including BYOD and remote work guidelines)
Competence register and security training plan
Supplier evaluation and audit procedure
Patch management, testing, and system monitoring policies
Management review reports and internal ISMS audit templates
Once the documentation and procedures are in place, we conduct team training — covering ISMS implementation for information security staff, managers, and operational employees. The training prepares your organization for both daily use of the system and a potential certification audit. We also provide ready-to-use templates, reporting tools, and checklists to help maintain the ISMS after deployment.
ISO 22301 defines the requirements for a Business Continuity Management System (BCMS). Implementing this standard enables organizations to prepare for disruptions such as system failures, security incidents, natural disasters, or third-party service interruptions. ISO 22301 requires organizations not only to identify their critical processes but also to protect them and restore them within defined recovery objectives after a disruption. For many entities, particularly in finance, IT, and public services, an effective business continuity plan is now both a regulatory obligation and a competitive advantage.
We begin the process with a Business Impact Analysis (BIA) and a business continuity risk assessment. This includes identifying critical processes, key resources, and interdependencies, as well as defining the maximum tolerable period of disruption (MTPD), Recovery Time Objectives (RTOs), and Recovery Point Objectives (RPOs) for each critical process. These findings are used to design a BCMS structure aligned with ISO 22301 requirements.
Next, we develop a full set of policies, procedures, and plans that serve as the operational foundation of the continuity system. All documentation is tailored to the organization’s size, industry, and operating environment — with an emphasis on creating a cohesive and actionable system, not just formal compliance with the standard.
As part of the ISO 22301 implementation, we deliver:
Business continuity policy
Business Impact Analysis (BIA)
Business continuity risk assessment
Incident response and crisis communication plans
Business Continuity Plans (BCP) for key systems and operations
Disaster Recovery Plans (DRP) and restoration strategies
Responsibility matrix and emergency management structure
Testing, review, and update procedures for continuity plans
Continuous improvement register and test reports
Certification readiness package (where applicable)
Once documentation is complete, we provide team training sessions focused on system principles, roles and responsibilities, and appropriate responses in case of disruptions. These sessions are tailored to the participants’ roles — with distinct formats for executives and operational teams. Upon request, we can also run BCP/DRP plan testing (e.g. simulations, tabletop exercises) and provide a full post-test report.
We also support clients after implementation — with annual reviews, internal audits, and adjustments in response to organizational changes that may impact continuity. ISO 22301 can be implemented as a standalone framework or integrated with other systems such as ISO 27001, NIS2, or DORA.