Compliance
Confidence through compliance — structured, documented, and auditable.
Aginion’s Compliance Services help organizations align their technology, processes, and documentation with European and Luxembourg regulatory frameworks.
Our expertise covers GDPR, EU AI Act, DORA, and specifically for Luxembourg CSSF Circulars 22/806, 25/882, and 25/883 — ensuring that every control, report, and policy is both technically sound and regulator-ready.
We transform regulatory requirements into operational practices, delivering not only documentation but measurable compliance across your IT landscape.
While this page focuses on how compliance is demonstrated and maintained, our Governance services define the structure, responsibilities, and decision-making processes that make effective compliance possible.

GDPR
Data protection embedded in every system and process.
We help organizations design, document, and maintain GDPR compliance across both technical and organizational layers.
- Data mapping and ROPA (Records of Processing Activities)
- Privacy Impact Assessments (PIAs) and data-classification schemes
- Secure data-transfer and subprocessor agreements
- Policy and process alignment: retention, consent, rights management, and breach notification
- Integration of GDPR controls into IT and vendor management procedures
Our GDPR approach goes beyond documentation. It ensures privacy-by-design and accountability in daily operations.
DORA — Digital Operational Resilience Act
Operational resilience through structured compliance and evidence.
Governance Policies and Gap Analysis
Understand where you stand and close the gaps.
We assess your existing ICT governance framework against DORA requirements:
- Mapping of existing policies and controls to DORA Articles 5–15
- Development or revision of governance documentation (ICT strategy, risk management, incident reporting, etc.)
- Cross-reference to regulator circulars and your ISMS
- Delivery of a prioritized remediation plan and improvement roadmap
You gain a clear overview of DORA readiness and the practical steps to achieve full alignment.
DORA Strategy
Turning compliance into resilience.
We help you design a strategic and proportional approach to digital resilience that integrates into your corporate governance and IT operations:
- Definition of ICT objectives, roles, and oversight structures
- Strategic alignment with business continuity and risk frameworks
- Establishment of regular management reporting and board oversight
- Long-term DORA roadmap integrated into your ISMS improvement plan
Your DORA strategy becomes a living governance instrument, not a one-time project.
Proportionality Analysis
Compliance scaled to your business size and complexity.
Not every entity faces the same DORA obligations. We conduct a proportionality analysis to ensure your controls are right-sized and efficient:
- Determination of your DORA applicability and risk classification
- Documentation of proportionality justification (scope, systems, dependencies)
- Validation with internal/external auditors or regulator feedback when required
This ensures your compliance efforts are adequate, documented, and cost-effective.
Third-Party ICT Provider Management and Due Diligence
Visibility and accountability across your ICT supply chain.
We help implement DORA-aligned third-party governance, from initial due diligence to ongoing monitoring:
- Creation and maintenance of an ICT third-party register — ready for submission to your regulator
- Supplier risk assessment and control evaluation
- Due diligence templates and evidence collection procedures
- Contract review and SLA alignment with DORA requirements
- Reporting of critical dependencies and subcontractor chains
Our methodology integrates supplier management into your overall resilience and compliance ecosystem.
Resilience Testing: Technical Implementation and Evidencing
Resilience must be provable.
We assist in implementing and evidencing technical resilience tests in line with DORA’s expectations:
- Definition of test scope, objectives, and frequency
- Design of tabletop, technical, and scenario-based tests
- Evidence documentation and reporting templates for audit
- Integration of test results into your continuous improvement cycle and risk matrix
Resilience testing becomes a repeatable and verifiable process, supporting both internal assurance and external audits.
Incident Management and Reporting
Structured detection, response, and escalation — with evidence to match.
We help define and automate your incident management lifecycle to meet DORA reporting requirements:
- Classification and severity determination aligned with Annex II
- Definition of detection, containment, and reporting workflows
- Integration with SIEM, ticketing, and communication tools
- Preparation of incident reporting templates and post-incident review reports
Our framework ensures every incident is handled, reported, and learned from — transparently and consistently.
Audit Preparation and Support
Be ready when auditors or regulators arrive.
We prepare you for external reviews by ensuring all controls, evidence, and reporting structures are audit-ready:
- Review of audit scope, sampling, and evidence requirements
- Documentation mapping between DORA, industry best practices, and regulator obligations
- Assistance with internal and external audit interviews
- Preparation of post-audit remediation plans
With Aginion’s support, audits become a confirmation of readiness, not a source of stress.
Luxembourg-Specific Regulations
Expert guidance for the Luxembourg regulatory environment.
We support companies subject to CSSF circulars and local financial sector obligations, providing practical implementation assistance and documentation:
- CSSF 22/806: Outsourcing arrangements
- CSSF 25/882: DORA alignment for supervised entities
- Preparation of documentation, registers, and control evidence for CSSF reviews
- Coordination with local auditors and legal partners for ongoing compliance
Our Luxembourg expertise ensures alignment with both EU-wide and domestic expectations, enabling seamless integration into your existing GRC framework.
ISO 27001 – Information Security Management
Structured security — proven by certification.
We help organizations implement or refine their Information Security Management System (ISMS) based on ISO/IEC 27001:2022 — building the structure that keeps data protected, risks managed, and responsibilities clear.
Our support covers:
- Gap assessments and readiness reviews for initial certification or surveillance audits
- Policy and control development based on Annex A (2022 version)
- Risk management frameworks aligned with business priorities
- Internal audit and management review preparation
Aginion is itself ISO 27001:2022 certified, and we use the same practical approach with our clients — focusing on clarity, documentation, and measurable improvement, not unnecessary complexity.
EU AI Act
Compliant and trustworthy use of Artificial Intelligence.
We support organizations in preparing for the EU AI Act, helping to categorize AI systems, manage risks, and document compliance obligations:
- AI system classification (minimal, limited, high, or prohibited risk)
- Governance of AI model training, validation, and explainability
- Risk assessments and technical documentation aligned with ISO/IEC 42001 and AI Act requirements
- Implementation of policies on data quality, transparency, and human oversight
- Preparation for future conformity assessments and regulatory reporting
Our Private AI and governance expertise allows us to bridge the gap between AI innovation and regulatory responsibility.
Interested in more details or a custom quote?
We’ll listen, share ideas, and see whether our Compliance services fit your needs.
Choose your preferred format — Zoom, Teams, or Phone — and a time that works for you.
