Compliance
I conduct assessments for the main European certifications and directives using a proprietary questionnaire on an open-source platform. Responses stay anchored to regulation, tracked by author and timestamp, reusable across successive audits.
The questionnaire guides.The platform tracks.Analysis correlates.Evidence remains.
What it means
Evidence collection via email, spreadsheets and attachments works for small organizations or a single audit. When the perimeter is wide or audits repeat, every new cycle reconstructs the same data from scratch. The platform eliminates that reconstruction.
How we work
The value isn't in any single one. It's in how they combine.
A questionnaire built on the applicable regulation, organized into process areas. Sections activate based on the organization's profile (sector, size, role). For NIS2 it's approximately 250 controls across 20 areas; for other certifications the structure is analogous, calibrated to the specific regulation.
Responses from different sections are cross-referenced. Visible contradictions — for example between governance statements and described operational procedures — surface before the manual analysis phase. Correlation is AI-assisted, but the consultant decides what each inconsistency means in context.
Structured outputs that serve decision-makers: assessment report, prioritized gap analysis, draft operational policies, remediation roadmap. Not consulting slides — documents you take to the board, send to the auditor, use to align internal functions.
Documents we deliver
For the board. Posture of the organization with respect to the regulation, maturity level per area, prioritized recommendations. Management language, with pointed references to technical areas for those who want to dig deeper.
For the remediation team. Distance from target for each control, classified by criticality and estimated effort. Starting point for sizing cost and time of remediation.
For internal functions (IT, security, legal, HR where applicable). Drafts of policies, procedures, and operating instructions — to be validated and formally adopted by the client through their own approval processes.
For multi-year planning. Phased plan with milestones, owners and monitorable progress indicators. Designed to be updated, not static.
The tool
The platform is not a SaaS product I sell. It is LimeSurvey, open-source software I run on my own infrastructure, configured with questionnaires I built. Your responses do not leave my perimeter during the engagement; at closure the exported dataset stays with you.
Maturity model
Internal scale inspired by process maturity models (CMMI, COBIT). It is not a certified appraisal and does not equate to a formal certification level — it is a coherent reading tool for the current state and for defining the remediation target.
No defined process for the control.
Ad hoc actions, undocumented, person-dependent.
Process present in limited areas, not systematic.
Formalized process, deployed across the organization.
Process measured and governed with indicators.
Continuously improved with structured feedback.
Phases
Indicative durations for an average perimeter, to be confirmed during scoping based on number of companies/sites, critical services, assets, suppliers, and availability of evidence.
1–2 weeks. Perimeter definition, type of entity, responsible people involved.
1 week. Platform setup, organization profiling, regulatory alignment.
3–4 weeks. Guided compilation, evidence collection, targeted follow-up on uncertain controls.
1–2 weeks. Correlations, gap analysis, report and manual drafting.
1 week. Board presentation, remediation roadmap, material handover.
Covered certifications
The platform and the maturity model are transversal. What changes is the questionnaire, calibrated to the specific regulation and the process areas it requires.
Directive (EU) 2022/2555 · Italian D.Lgs. 138/2024. Essential and important entities. Approximately 250 controls across 20 areas.
See applied method →Technical and organizational requirements for cloud services targeted at the Italian public administration. On request.
Learn more →Regulation (EU) 2022/2554. Digital operational resilience for the financial sector. On request.
Learn more →Regulation (EU) 2024/1689. Obligations for high-risk systems and GPAI models. On request.
Learn more →Information security management system. Annex A controls. On request.
Learn more →Artificial intelligence management system. Recent standard, still uncommon. On request.
Learn more →Regulation (EU) 2016/679. Technical and organizational measures, accountability, registers. On request.
Learn more →Spanish Esquema Nacional de Seguridad. Security framework for Spanish public administration. On request.
Learn more →Other certifications or sectoral regulations can be covered on request, keeping the same method.
What I do NOT do
I do not issue certifications and I do not replace accredited bodies, third-party auditors, DPOs, legal counsel, or regulatory consultants. I provide technical-operational assessment, evidence structuring, gap analysis, and remediation documentation. The deliverables are usable as input for formal audits conducted by accredited parties — they do not replace them.
We start with a 1–2 week scoping: perimeter, type of entity, responsible people, availability of existing evidence. From there we size the rest.
