Outsourced DPO & CISO · GDPR · AI Act · NIS 2 · DORA
Outsourced DPO and CISO in Luxembourg. One team — lawyers, cybersecurity engineers and developers — to cover GDPR, AI Act, NIS 2 and DORA. You appoint us officially, we take operational responsibility.
Strategy, implementation and regulator relations.
Certified, registered with the CNPD. Maintains the register, conducts impact assessments (DPIA and AI Act), responds to data subjects, manages breaches, liaises with the CNPD on your behalf.
Security policy, ICT risk management, ISO 27001-aligned governance, incident management, regulator reporting within legal timeframes.
Four regulatory frameworks are entering or have already entered into force. We track every change and adapt your setup continuously.
General regulation applicable to any organisation processing personal data. Register, DPIA, rights, processors, breaches.
EU regulation on AI systems. Inventory, risk-level classification, transparency, human oversight.
Directive for essential and important entities (energy, health, transport, IT). Governance, supply chain, 24h reporting.
Regulation for the financial sector. ICT risk management, critical third-party oversight, operational resilience testing.
Every legal obligation combines legal and technical aspects. Luxgap brings both together — plus a developer team for custom tools.
Luxgap is the Luxembourg firm on which Luxapps builds its own commitments (ISO 27001 in progress, GDPR native, AI Act in preparation). You benefit from the same level of rigour, under a formal mandate.
A no-commitment initial conversation to identify the regulations that apply to you and estimate the scope.
Luxapps publishes platforms (FXP, MySafeBox, AI Studio) that are already compliant by design. Luxgap is our advisory partner: it operates outsourced DPO and CISO mandates, covering GDPR, AI Act, NIS 2 and DORA. One point of contact, two complementary areas of expertise.
The DPO (Data Protection Officer) handles GDPR and AI Act compliance: processing register, DPIA, data subject rights, CNPD liaison, AI systems inventory and classification. The CISO (Chief Information Security Officer) handles operational security and NIS 2 / DORA compliance: security policy, ICT risk management, incident management, regulator reporting. The two mandates are complementary and often activated together.
Case by case. NIS 2 targets essential and important entities (energy, health, transport, IT, critical providers). DORA only applies to the financial sector (banks, insurance, funds, critical ICT providers). The AI Act applies as soon as you deploy or market an AI system, with obligations graduated by risk level. The initial scoping call answers this question for your specific case.
For DPO or CISO appointment: a few weeks — the mandate is operational from signing. For full compliance (register, security policy, DPIA, incident response plan), typically 3 to 9 months depending on size and maturity. An ISO 27001 certification takes 6 to 12 months from start to audit.
No. The DPO and CISO mandates operated by Luxgap are standalone: they apply to your organisation and existing IT systems, regardless of whether you use FXP, MySafeBox or AI Studio. If you are already on our platforms, part of the technical scope is already covered, which reduces the workload.
With a no-commitment initial scoping call: a short conversation to identify applicable regulations (GDPR? AI Act? NIS 2? DORA?), choose the relevant mandates (DPO only, CISO only, or both) and estimate the scope. A roadmap is provided. You then decide whether to engage.