Cyber & AI Governance Advisory

From governance gap
to a system that holds.

Assessment, roadmap, implementation — for boards, CISOs, and risk managers who need governance that works under regulatory scrutiny, not just on paper.

20+ Years of Practice
CEE Region Coverage
NIS2 DORA · AI Act
End-to-End Advisory Model
Frameworks
NIS2 / NIS2UmsuCG DORA NIST CSF NIST AI RMF GDPR AI Act ISO 27001 TPRM
How the Work Looks

Not a document handover.
An end-to-end engagement.

Every engagement follows the same sequence — because governance built on assumptions collapses. Governance built on assessed reality holds.

01

Gap Assessment

Understand where you actually are — not where you assume you are. Against a specific framework or regulatory requirement.

  • Current state documentation
  • Mapped gaps per requirement
  • Evidence and audit trail review
  • Risk exposure baseline
02

Prioritised Roadmap

What needs to be done, in what order, with what resources. Regulatory exposure + business impact = remediation sequence.

  • Gap scoring by risk and impact
  • Phased remediation timeline
  • Effort and resource estimation
  • Documented residual risk decisions
03

Implementation

Policies, procedures and controls that reflect how your organisation actually operates — not how a template assumes it does.

  • Policy and procedure development
  • Control design and implementation
  • Risk management framework and process
  • Governance structures and accountability trail
  • Regulator-ready evidence package
Services

What I deliver.

Senior advisory across four domains — each delivered end-to-end, from assessment through implementation.

⚖️
Primary · GRC

Cyber & AI Governance

Gap assessment and end-to-end implementation — policies, procedures, controls, risk management frameworks, and governance structures that translate regulatory requirements into how your organisation actually operates.

NIS2 DORA NIST CSF NIST AI RMF ISO 27001
🤖
Primary · AI Governance

AI Risk Management

Governance structures for AI deployment — from AI inventory and risk classification to accountability frameworks and AI Act compliance readiness.

NIST AI RMF AI Act ISO 42001
🔗
Primary · TPRM

Third-Party Risk Management

Supply chain risk assessment, vendor due diligence frameworks, and NIS2/DORA-compliant third-party contractual requirements — because your vendor's gap is your compliance exposure.

NIS2 Art.21 DORA ICT TPRM ISO 27036
🔒
Secondary · Privacy

Privacy Program Design

GDPR compliance programs, DPIAs, privacy-by-design integration, and breach readiness — structured for organisations operating across multiple jurisdictions.

GDPR AI Act CCPA
🛡️
Secondary · Resilience

Business Continuity & Resilience

Business impact analysis, continuity planning, ITDR, and tabletop exercises — designed for organisations where operational disruption carries regulatory and reputational consequence.

DORA NIS2 ISO 22301
🏛️
Board Advisory

Board & Executive Advisory

Decision architecture for cyber and AI risk at board level. Governance structures, management accountability frameworks, and board-ready reporting — without technical jargon.

NIS2 Art.20 DORA Board GRC
Who This Is For

Three audiences.
Three languages of risk.

Board / C-Suite

Leadership & Accountability

"Who is responsible if something goes wrong — and can we prove we made informed decisions?"

  • Personal liability under NIS2 and DORA
  • Defensible decision trail at board level
  • Cyber risk integrated into business decisions
  • Board-ready reporting without technical translation
CISO / Security Leadership

Governance That Works

"How do I build governance that holds under scrutiny — not just looks right on paper?"

  • Gap assessment from the implementation perspective — not the document
  • Policies, procedures and controls that reflect how the organisation actually operates
  • Risk management framework design with documented risk acceptance process
  • Governance structures and audit trail that hold under regulatory scrutiny
Risk Manager / Compliance

Regulatory Readiness

"What does this regulation actually require — and how do we prove we've done it?"

  • Regulatory requirements mapped to organisation context and operating model
  • Risk management processes — identification, assessment, treatment, acceptance
  • Audit trail, evidence management, and regulator-ready documentation
  • Multi-jurisdictional compliance alignment across NIS2, DORA, GDPR, AI Act
About

Senior advisory.
From the implementation side.

I'm Senad Džananović — a Cyber and AI Governance advisor with over 20 years of experience across Central and Eastern Europe, working with regulated industries across multiple jurisdictions.

My work covers the full lifecycle: assessment of current state, prioritised remediation roadmap, and implementation of the frameworks, policies and controls that translate governance requirements into how an organisation actually operates.

The differentiator is not knowledge of the frameworks. It's the implementation experience — knowing where organisations get stuck between steps, why governance structures collapse under regulatory scrutiny, and what defensible actually means in practice.

Former CSO & CISO — regulated industry leadership
Advisory background — Big Four consulting experience
NIS2 · DORA · NIST AI RMF · GDPR · AI Act
CEE region — multiple jurisdiction experience
Jurisdiction Coverage
🇧🇦Bosnia & Herzegovina
🇭🇷Croatia
🇷🇸Serbia
🇲🇪Montenegro
🇸🇮Slovenia
🇲🇰North Macedonia
🇦🇹Austria
🇩🇪Germany
"Governance built on assessed reality holds. Governance built on assumptions collapses — usually at the moment it matters most."
AI Governance

How ready is your organisation for AI governance scrutiny?

20 questions across NIST AI RMF domains — Govern, Map, Measure, Manage. Takes 8 minutes. Produces an honest current-state picture.

Answer 20 questions about your current AI governance posture
Receive a domain-level readiness score across 4 NIST AI RMF areas
Identify where the gaps are before a regulator does
📊

AI Governance Readiness Assessment

Free. 8 minutes. No account required.

Take the Assessment
Contact

Let's talk about where the gap is.

If your organisation is facing regulatory pressure, an upcoming audit, or you're not sure what your actual governance posture is — that's exactly the conversation I'd like to have.

Start the conversation

Tell me what you're working on. No pitch, no template response.