Luxembourg, Luxembourg, Luxembourg
Compliance that looks good on paper and compliance that works at 3am are two different things. I focus on the second one. I work at the intersection of information security, regulatory compliance and operational implementation — with a focus on the Luxembourg financial sector and DACH. Day-to-day that means translating DORA, the EU AI Act and CSSF requirements into security programmes that organisations can actually run. Not just document. What I've learned doing this work: compliance only holds when it's centralised around shared controls — not when each framework lives in its own silo. The operational gap between regulatory intent and daily practice is where most programmes fail. Background in ICT Risk Management, Identity & Access Management, Incident Response and Cloud Security (Azure). I write about this gap — from the perspective of someone living it, not advising on it. Based in Trier, working in Luxembourg. German and English.
- Building and steering ICT risk management and implementing DORA requirements including serving as the notifier for major ICT-related incidents and submitting the Register of Information (RoI) to the CSSF - Managing ICT third-party risk across the full contract lifecycle - Regulatory reporting to the CSSF Ownership of business continuity and disaster recovery (BCP/DRP) - Coordinating penetration testing and vulnerability management - Quarterly reporting to Executive Management and the Board - Managing ICT third-party risk from criticality and risk assessment of ICT service providers through the full contract lifecycle - Conducting risk assessments for IT projects and changes, embedding security early in the project lifecycle - Identity & access governance, including periodic access recertification (user access reviews) to enforce least-privilege