vCISO — fractional Chief Information Security Officer

Fractional CISO for regulated SMBs and civil-protection NGOs. Formal CISO function on a contract model — Standard or Premium tier.

What vCISO is

Under NIS2, essential entities must have a formally accountable and competent owner of cybersecurity risk management, and DORA requires financial entities to assign ICT risk management to a dedicated control function; in practice that is the CISO function. A full-time hire is often disproportionate: for SMBs and NGOs, the cost of a senior CISO significantly exceeds the actual scope of work. vCISO is the same formal function on a contract model: our consultant acts as your CISO before the regulator, the auditor and the board, and you pay only for the hours actually engaged.

Two tiers

A starting point — scope aligned with organisational maturity and regulator requirements.

vCISO Standard

CISO function for regulated SMBs and civil-protection NGOs. Cybersecurity strategy, risk management framework, compliance oversight, monthly executive briefing. Typical engagement: 20–40 hours per month.


vCISO Premium

Extended scope for larger organisations or complex compliance landscapes. Everything in Standard, plus executive engagement at board level, regular board reporting, M&A due diligence support and cross-functional risk leadership. Typical engagement: 60–100 hours per month.


When vCISO makes sense

  • Preparation for ISO 27001 certification: the standard requires a formally assigned owner of the ISMS. Related service: ISO 27001 Pre-Audit.
  • NIS2 / DORA compliance: essential entities under NIS2 and financial entities under DORA need a formally accountable owner of cybersecurity and ICT risk. Related service: NIS2 / DORA / KSC compliance.
  • Post-incident: after a significant incident, the organisation needs senior security ownership to stabilise recovery and build a durable security structure.
  • Pre-IPO / pre-acquisition due diligence: a formal CISO function is a maturity signal for investors and acquirers.

Frequently asked questions

How does a vCISO differ from a cybersecurity consultant?
vCISO is a formal function: your CISO before the regulator, the auditor and the board. A cybersecurity consultant delivers a one-off project; a vCISO takes long-term ownership of the security function.

How many hours per month does the engagement involve?
Standard typically 20–40 hours per month, Premium 60–100. The actual scope is adjusted to organisational maturity and the regulatory cycle (more hours before an audit, fewer in stable periods).

Does NIS2 require the Premium tier?
No. NIS2 does not define an hourly scope for the CISO function; it requires that the function exists, is formally assigned and is competent. Standard is sufficient for most organisations in scope. Premium makes sense for essential entities under NIS2 or for organisations with a multi-sector compliance scope (NIS2 + DORA + ISO 27001).

Do you sign an NDA?
Yes, as standard, before the first executive briefing. All our vCISO engagements operate under an NDA with the client.

Schedule a vCISO consultation

Free initial conversation: we will set the scope and tier to fit your organisation.