Mandate · Information security

An external CISO that actually runs your security.

You appoint us as your Chief Information Security Officer. We take operational ownership: policy, governance, risk management, audits, incident handling, awareness. Whether or not you fall under NIS 2 or DORA, your data, infrastructure and customers still need protecting, and that is exactly what we do.

Three roles, under one mandate.

Your Luxgap CISO covers security broadly, not only regulatory compliance.

Information security

Security policy, access management, system monitoring, data classification, backup strategy, incident response plan. Security in the broad sense, applicable to any organisation, of any size.

Regulatory compliance

NIS 2 for essential or important entities (energy, health, transport, IT, critical suppliers). DORA for the financial sector. ISO 27001 if you want a defensible certification. If none of that applies, we build your internal framework without overhead.

Incident detection and handling

We don't just wait for your phone call: our deployed tools (SOC, Dark Web monitoring, log analysis, AI agents) detect incidents continuously. Knowing you've been breached is a legal obligation (GDPR 72h, NIS 2 24h, DORA 4h). Once the incident is identified: qualification, containment, internal and external communication, authority notification, post-mortem.

Our three-layer approach

We cover all three layers: interior, surface, outside.

A successful attack rarely comes through a single door. To actually protect an organisation, we monitor three layers at once: interior (your systems and configuration), surface (what's exposed on the Internet) and outside (what's being prepared against you on the Dark Web). Full mandate, or in support of an existing CISO: we cover all three layers or just the gaps.

Three Luxgap defence layers

01

Interior, your systems and configuration

Audit of M365 or Google Workspace configuration, access management, MFA, data classification, backups, hardening of endpoints and servers, incident response plan. Security starts with what you already control but often have misconfigured.

02

Surface, what is exposed on the Internet

Inventory of exposed assets (sites, subdomains, services, certificates), penetration tests on the most critical applications, ongoing security patch verification. We see your organisation the way an attacker sees it, and close the doors one by one.

03

Outside, what is being prepared against you

24/7 Dark Web monitoring: leaked credentials of your employees, mentions of your brand on fraud forums, and especially registration of domains similar to yours set up for phishing or impersonation. We warn you before the attack is launched.

Tailored to your actual risk. Full mandate or only the layers you're missing, in support of an internal CISO for example.

Operational missions

What your Luxgap CISO does, concretely.

Six ongoing tracks, sized to your organisation and exposure.

1. Policy and governance

Drafting and upkeep of your security policy, IT charter, AI usage charter. Regular security committee with leadership, written minutes, decision tracking.

2. Risk management

Mapping of your critical data and systems, threat identification, protection assessment, prioritised action plan based on actual risk, not an abstract checklist.

3. Audits and penetration tests

Annual review of protections. Targeted penetration tests on your most exposed applications (website, customer portal, mobile apps). Costed action plan and re-check after fixes.

4. Vendor management

Inventory of your critical vendors (cloud, payroll, hosting, IT support). Contractual review of security clauses, exit plan if things go wrong, yearly tracking of commitments.

5. Business continuity

Identification of activities that cannot stop, documented recovery plan, scripted annual exercise (cyberattack, vendor loss, prolonged outage).

6. Team awareness

Short sessions for leadership (personal liability), practical training for teams (phishing, passwords, sensitive data), access to our e-learning platform if you wish.

Use cases

Sound familiar?

You fall under NIS 2 or DORA

You need an identified security officer, documented governance and on-time incident reporting. We take ownership of the mandate, you stay compliant.

You're neither NIS 2 nor DORA

Your clients, your bank or your insurers still ask for a credible security framework. Or you simply want to sleep easy. We build what's useful, without piling on useless paperwork.

You want ISO 27001 certification

Increasingly required in tenders. Our CISO drives compliance, prepares the audit, supports you during the visit and runs the yearly upkeep.

You're handling an incident right now

Without a prior mandate. We can step in on a one-off basis to qualify, contain, notify authorities if needed and prepare the post-mortem, with no obligation to keep us afterwards.

Sanctions for non-compliance

NIS 2: up to €10M or 2% of global turnover for essential entities. Personal liability for executives in case of demonstrable failure.

DORA: up to 1% of average daily turnover per day of non-compliance (up to 6 months). Stackable with CSSF sanctions.

For organisations outside NIS 2 and DORA, the cost of an unprepared incident (ransomware, data leak, prolonged outage) often far exceeds the annual cost of a CISO mandate.

How our mandate works

A mandate, not day-rate consulting.

You have a legal obligation: we take ownership of it. No staff augmentation, no man-days package, no minimum. We commit to the outcome, and behind your single contact, there is a full team.

Outcome-based commitment

You're not paying for days worked. We sign to keep your obligation met: records, DPIAs, NIS 2 governance, regulator reporting. If that means three exchanges in a week, we do them.

A team, not one person

You have a single point of contact. Behind it: lawyers (GDPR, AI Act, NIS 2, DORA), cyber engineers (audits, technical DPIAs, BCP, incidents) and developers (in-house register/DPIA tools, AI automation agents). The right profile steps in at the right time.

Available all year

Even a mandate sized for one day per month yields multiple short interventions: a 30-minute call, a written reply, an ad-hoc DPIA, a steering committee. We answer, we step in, we don't vanish between invoices.

Tracked to the minute

Every action is logged. One hour on Teams = one hour billed, nothing more. No half-day minimum, no hidden bundle. You pay what we use, and only that.

Client + regulator transparency

You access a detailed log: who did what, when, on which topic, for how long. In case of a CNPD, ILR or CSSF inspection, that journal is proof of an actively operated mandate, not just a contract on paper.

From SMB to public sector

Our mandates range from 12-person SMBs to 800+ industrial groups, including public bodies, municipalities and institutions. Our method scales to your size, not the other way round.

Ready to formalise your CISO mandate?

Configure your quote, you receive a tailored proposal within one business day.

Build my quote →