
Security & Compliance
CaaS Consultancy provides hands-on information security and compliance advisory to organisations in finance, energy, and technology. We help you navigate DORA, NIS2/Cbw, and ISO 27001 without creating dependency. Whether you need a vCISO, a structured compliance trajectory, or a third-party risk management programme, we work alongside your team to build solutions that hold up in practice.
Virtual CISO (vCISO)
Most organisations need senior security leadership, but few can justify a full-time CISO. A virtual CISO fills that gap, providing the strategic security ownership your organisation needs at a fraction of the cost.
What CaaS vCISO engagements include: setting and maintaining your information security strategy, building or maturing your ISMS, overseeing risk management and security reviews, acting as the accountable contact for regulators and auditors, and guiding your team through compliance trajectories and incidents.
Unlike advisory-only vCISO models, CaaS is hands-on by default. We don't produce a strategy document and leave. We work with your team to implement it.
Who this is for: Financial entities in scope of DORA without a dedicated CISO. Energy and critical infrastructure operators. SaaS companies and digital platforms scaling their security programme. Organisations preparing for ISO 27001 certification.
DORA Compliance
The Digital Operational Resilience Act (DORA) applies to financial entities across the EU, including banks, insurance companies, investment firms, crypto-asset service providers, and payment institutions, as well as their critical ICT third-party providers.
What DORA requires: ICT risk management framework, incident classification and reporting, digital operational resilience testing, ICT third-party risk management (TPRM), and information-sharing arrangements.
CaaS approaches DORA practically: we start with a gap assessment against the regulatory technical standards, prioritise the gaps that create the most risk, and build a programme that fits your organisation's size and complexity. We don't sell DORA compliance as a one-size-fits-all package.
Who this is for: Financial entities in scope of DORA operating in the Netherlands or EU. ICT providers to financial entities. PE portfolio companies with financial services exposure.
NIS2 / Cyberbeveiligingswet (Cbw) Compliance
The NIS2 Directive has been transposed into Dutch law via the Cyberbeveiligingswet (Cbw). It applies to essential and important entities across critical sectors, including energy, transport, water, digital infrastructure, ICT service management, and more.
What NIS2/Cbw requires: governance accountability at board level, risk management measures, incident notification obligations, supply chain security, and regular cybersecurity reviews.
CaaS helps you determine whether and how NIS2 applies to your organisation, assess your current posture against the requirements, and build a practical compliance programme. We pay particular attention to OT security governance for energy sector clients.
Who this is for: Grid operators, energy producers, wind and solar operators. Water management organisations. Digital infrastructure and ICT service providers. Any organisation that suspects it may be in scope but isn't certain.
ISO 27001 / ISMS
ISO 27001 certification signals to clients, partners, and regulators that your organisation takes information security seriously. But the path to certification is often longer and harder than expected, especially if your ISMS exists only on paper.
CaaS approaches ISO 27001 practically: we help you build an ISMS that works in your day-to-day operations, not just one that passes an audit. That means policy and procedure development grounded in your actual risk profile, risk treatment plans that are realistic, and staff engagement that doesn't produce eye-rolls.
What we deliver: gap assessment, risk register, ISMS documentation, control implementation support, internal audit preparation, and support through certification. We also support organisations maintaining existing certifications through ongoing vCISO or advisory retainers.
Third-Party Risk Management (TPRM)
Your suppliers and partners are part of your risk surface. Regulators, through DORA, NIS2, and DNB guidelines, increasingly require formal third-party risk management. But most TPRM programmes are either too lightweight to satisfy auditors or too burdensome to maintain in practice.
CaaS builds TPRM programmes that are right-sized for your organisation and regulatory context. We leverage Riskly, our purpose-built TPRM platform, to make the process efficient and auditable without turning your procurement team into compliance officers.
What we deliver: supplier inventory and classification, risk assessment framework, due diligence questionnaire design, ongoing monitoring setup, contract clause review, and regulatory reporting support.
Security Awareness
Most security incidents involve human behaviour. Security awareness programmes that consist of annual e-learning and a phishing simulation rarely change that. We design awareness programmes that actually shift behaviour, grounded in what your teams do every day and where the real risks are.
What we deliver: risk-based awareness programme design, targeted training for high-risk roles, phishing simulation and analysis, communication materials, and integration with your ISMS and incident response process.
Common questions
How long does DORA compliance take?
For most financial entities in scope, achieving a solid DORA compliance baseline takes 3–6 months. The timeline depends heavily on your starting point, the complexity of your ICT supply chain, and how mature your existing information security practices are. CaaS typically starts with a gap assessment to establish a realistic roadmap, then works with your team to close the critical gaps first.
Do microenterprises need full DORA compliance?
Microenterprises (fewer than 10 employees and an annual turnover or annual balance sheet total not exceeding €2 million) are subject to a lighter, proportionate DORA regime. They are exempt from some requirements, including independent ICT risk assessments and certain incident reporting obligations, but still need to meet the core principles of ICT risk management and business continuity. We help you understand exactly which obligations apply to your organisation.
What does a vCISO actually do?
A virtual CISO (vCISO) provides the strategic security leadership that most organisations need but cannot justify hiring full-time. In practice, this means: setting and owning your information security strategy, building and maintaining your ISMS, acting as the accountable security contact for regulators and auditors, overseeing risk management, and guiding your team through incidents and compliance trajectories. CaaS vCISO engagements are always hands-on. We don't hand over a framework and leave.
How is CaaS different from a big four firm?
The big four bring scale and brand recognition. They also bring high daily rates, large teams of junior consultants, and deliverables that often sit in a drawer. CaaS brings senior expertise directly to your project, with no junior buffers and no inflated teams. We work alongside your people, build solutions that fit your actual context, and leave you more capable than when we arrived. No dependency is a feature, not a bug.
Which sectors do you work in for security and compliance?
Our primary focus areas are finance (private equity, asset managers, banks, payment institutions subject to DORA), energy transition (grid operators, energy producers, wind and solar operators subject to NIS2/Cbw), and online technology (SaaS companies, digital platforms, scale-ups pursuing ISO 27001 or SOC 2). We also work with other sectors where relevant regulatory or risk-driven demand exists.
Let's talk about your compliance situation
Whether you have a specific requirement or a vague concern, the best first step is a direct conversation. No commitment, no sales pitch.
