ETEMAS Intelligent Systems

Fixed-scope cybersecurity packages you can run on day one

Outcome-based, fixed-fee, founder-led engagements. Add a retainer to keep things current.

NIST CSF 2.0 Essentials

Who it’s for: SMEs (25–500 staff) without a full‑time CISO.

4–6 weeks • €9.5k–15k (EU, ex‑VAT) / $12k–18k (US)

  • Risk register (top 15–25 risks) & treatment plan
  • Core policy set & incident plan with roles & metrics
  • Supplier due‑diligence checklist & early wins
  • Deliverables you own: policies, registers, runbooks, and metrics sheets.
  • What’s not included: tool licenses (SIEM/EDR), penetration testing, or heavy engineering.
  • Typical client roles involved: IT lead, Ops, HR, Finance.

NIS2 Essentials & DORA Lite

Who it’s for: MSPs/IT service firms, SaaS vendors selling to banks, healthcare/logistics suppliers, manufacturers (50–500 staff).

6–10 weeks • €14k–22k (EU, ex‑VAT) / $16k–25k (US)

  • NIS2 applicability memo & 24h/72h reporting workflow
  • Supplier risk process & contract clause kit
  • DORA register of information & incident classification
  • Deliverables you own: applicability memo, registers, workflows, contract clause kit.
  • What’s not included: TLPT execution, legal advice (we coordinate through partners).
  • Typical client roles involved: CEO/Founder, IT, Legal/Procurement, Data Protection.

vCISO Retainers

Who it’s for: Teams that want a lightweight, ongoing vCISO to keep momentum.

€2.5k / €4.5k / €7.5k per month (EU, ex‑VAT) • $4k / $7k / $10k per month (US)

  • Quarterly risk reviews & KPI dashboard
  • Supplier reviews and tabletop exercises
  • Board‑ready reports and audit support
  • Deliverables you own: quarterly risk reviews, KPIs, board-ready reports.
  • What’s not included: 24/7 incident response or SOC monitoring (available via partners).
  • Typical client roles involved: Exec sponsor, IT lead, Finance.

FAQ

What is NIS2 and why does it matter?

NIS2 is an EU law that raises baseline security and incident reporting for many “essential” and “important” entities. Practically, it means SMEs in certain sectors need documented controls, supplier oversight, and the ability to report incidents within 24/72 hours.

What is DORA and does it affect vendors?

DORA is the EU’s financial-sector rule for ICT risk. Even suppliers to banks are affected: you’ll be asked for an ICT risk framework, a Register of Information, contract clauses, and incident workflows that match your buyers’ expectations.

Are EU prices inclusive of VAT?

EU prices shown are exclusive of VAT. Local taxes may apply.

Do you provide penetration testing?

We coordinate testing with accredited partners and integrate findings into your plan.

* EU prices exclude VAT. USD prices exclude any applicable sales/use taxes.