The compliance studio for EU-regulated financial firms.
DORA. NIS2.
Tessera Cyber helps CIFs, EMIs, payment institutions, and CASPs in Cyprus, Malta, and Greece build regulator-ready ICT governance, Register of Information submissions, incident procedures, and third-party risk documentation — without a Big 4 engagement.
We sit between your IT provider and your regulator.
// THE STATE OF PLAY
What your firm is facing right now.
DORA enforcement is live.
The Digital Operational Resilience Act (EU 2022/2554) entered application on 17 January 2025. CySEC Circular C751 makes DORA reporting, Register of Information format, ICT risk governance, and portal obligations explicit supervisory priorities for regulated entities. Fines reach 2% of total annual worldwide turnover, and directors carry personal liability for failures in governance oversight.
NIS2 exposure is real.
NIS2 transposition is active across EU member states. Financial entities not fully covered by DORA remain within NIS2 scope. Non-compliance penalties reach €7,000,000 or 1.4% of global annual turnover for important entities — and management can be personally liable and publicly named.
Big 4 delivery is often uneconomic at this size.
Sub-€20,000 compliance mandates fall below the minimum ticket size that Big 4 delivery models are built around. That leaves small regulated entities — CIFs, EMIs, payment institutions, CASPs — without structured expert support, navigating DORA alone.
// WHAT WE BUILD
Our services.
DORA Register of Information & ICT Risk Framework
We build your Register of Information (RoI), ICT risk management framework, incident classification and reporting procedures, and third-party provider register — to the exact standard required by your competent authority (CySEC, MFSA, or HCMC).
NIS2 Readiness & Evidence Workspace
For entities outside DORA's full scope, we implement the Article 21 security measures, governance documentation, and incident reporting procedures required under NIS2 — delivered as a structured, auditable evidence pack.
DORA Governance Retainer
Ongoing monthly retained support for firms that need qualified DORA governance capacity without a full-time hire. We maintain your registers, monitor regulatory change, prepare management reporting, and support incident reporting and regulator correspondence.
// WHY TESSERA
Why regulated firms choose Tessera Cyber.
Fixed scope, fixed price.
Every engagement starts with a Statement of Work. You know the deliverables and the cost before we begin. No scope creep. No hourly surprises.
Greek and English delivery.
All documentation, workshops, and regulatory correspondence are delivered in both languages. No translation risk, no language gap with your regulator.
Senior cybersecurity professionals — not generalist consultants.
Our team is drawn from a vetted pool of senior cybersecurity engineers and regulatory specialists. The person who designed your ICT framework has done it before, for firms like yours.
4–6 week delivery, not 4–6 months.
Our engagements are scoped for the actual size of a small regulated entity, not for a systemically important bank. You get a working, regulator-ready output — not a roadmap to a roadmap.
// WHY TRUST TESSERA
Proof points for regulator-facing work.
Regulator-facing engagements demand more than copy. Tessera operates under written controls designed for the regulated sector — and remains accountable for scope, confidentiality, and final delivery on every engagement.
Named accountable lead.
One senior specialist owns scope, quality control, and the regulator-facing deliverables. The person who signs the attestation is the person doing the work.
Vetted specialist bench.
Identity engineers, ISO 27001 Lead Auditors, GRC analysts, OSCP-certified testers, and DORA/NIS2 specialists. Engaged only where technical depth is required.
Written confidentiality controls.
All contributors operate under written confidentiality and project controls. Client data stays inside the engagement perimeter.
Regulated-sector experience.
Built ICT risk frameworks and Registers of Information for CIFs, EMIs, payment institutions, and CASPs. Familiar with CySEC, MFSA, and HCMC submission processes.
Sample deliverables on request.
Redacted excerpts from prior Register of Information builds and ICT risk frameworks are available under NDA before any engagement.
Published in the Cyprus Mail.
Tessera's identity governance framework (A.I.D.) has been published in the Cyprus Mail. We work in the open on what the industry should standardise on.
// COVERAGE
Jurisdictions we serve.
Cyprus
CySEC · Central Bank of Cyprus
Our primary jurisdiction. We work with CIFs, EMIs, and CASPs supervised by CySEC and the CBC, including direct DORA portal submission support.
Malta
MFSA
We assist MFSA-authorised entities with Register of Information submissions via the MFSA LH Portal and full DORA framework builds.
Greece
HCMC · Bank of Greece
Greek-regulated investment firms and financial entities — all documentation delivered in Greek as standard.
// HOW IT WORKS
The engagement process.
Discovery Call (20 minutes)
A structured conversation — not a sales call. We identify your regulatory perimeter, your current ICT posture, and whether you need a Quick-Start Assessment or a Full Build. No obligation.
Quick-Start Assessment (2 weeks)
A scoped gap analysis against the DORA pillars relevant to your entity type. Output: a written assessment report with a prioritised remediation list, regulatory filing obligations, and a fixed-price proposal for implementation.
Full Build (4–6 weeks)
Delivery of your complete compliance documentation set: ICT risk management framework, Register of Information, incident reporting procedures, third-party register, and evidence workspace. All documents are formatted for direct submission to your competent authority.
Maintenance Retainer (Ongoing)
Monthly retained support covering annual RoI updates, regulatory change monitoring, management reporting, and regulator liaison. Available as an add-on after any Full Build engagement.
// FAQ
Frequently asked questions.
Are we in scope for DORA?
DORA applies to 20 types of financial entity regulated under EU law. If you are a Cyprus Investment Firm (CIF), e-money institution, payment institution, alternative investment fund manager, or crypto-asset service provider (CASP) authorised under MiCA, you are almost certainly in scope. A 20-minute discovery call is the fastest way to confirm your position.
How is this different from a Big-4 engagement?
Large advisory firms price their DORA engagements for systemically important institutions — the scope, methodology, and cost are calibrated accordingly. Tessera Cyber delivers fixed-scope engagements designed specifically for small and mid-size regulated entities. You receive senior expertise, a defined output, and a predictable cost.
Do you work with firms outside Cyprus?
Yes. We serve regulated entities supervised by the MFSA in Malta and the HCMC and Bank of Greece in Greece. All documentation is available in English and Greek.
Who actually delivers the work?
A named senior cybersecurity professional is assigned to each engagement. We do not offshore or delegate to junior analysts. Our team blends cybersecurity engineers with regulatory specialists who hold direct experience in financial services compliance.
How quickly can we be compliant?
A Quick-Start Assessment takes two weeks. A Full Build takes four to six weeks from engagement start. The exact timeline depends on your entity size, number of ICT third-party providers, and the current state of your documentation. We will give you a written timeline in the Statement of Work before work begins.
What does it cost?
We do not publish pricing publicly because every engagement is scoped individually. What we can say: our engagements use fixed-scope, fixed-price Statements of Work. You will know the exact cost before you commit. There are no hourly billing overruns.
Ready to begin?
If your firm is subject to DORA or NIS2, the documentation and governance requirements are not optional. CySEC, MFSA, and HCMC are already conducting inspections and requesting Register of Information submissions.
A 20-minute discovery call with Tessera Cyber will confirm your scope, your filing obligations, and what a realistic compliance timeline looks like for your entity.
Book a DORA/NIS2 Readiness Call
We respond within one business day. No automated sequences.