DORA, MaRisk, VAG/MaGo and NIS2 — not just advice. Implemented.
As an interim manager, I take on the hands-on implementation of regulatory
requirements in banks, insurance companies, payment service providers, asset
management companies, service providers and industrial companies — from gap
assessment to an audit-proof handover to your line organisation.
No abstract opinion papers — concrete registers, processes, policies and evidence
that stand up to scrutiny by supervisors, external auditors and internal audit.
At the centre: implementing DORA, MaRisk, VAG/MaGo and NIS2.
DORAArt. 5–16Art. 17–23Art. 28–30
DORA implementation
Digital Operational Resilience Act — for banks, insurers, payment service providers and asset management companies
Build and maintain the register of information — including initial assessment and reporting readiness
Hands-on tool implementation and migration — incl. Garancy, One Identity, Omada, FSP, CyberArk, SailPoint and others; connected to AD, Entra ID, RACF
Remediation of IAM findings from ECB, BaFin and external audits
AIEU AI Act
How do I use AI the right way?
Productive use of AI in compliance & risk — value-adding and supervisory-compliant
Identify the use cases with real leverage: due diligence evaluation, contract analysis, monitoring of external risk sources
AI governance in line with the EU AI Act, DORA and supervisory expectations: AI register, risk classification, human oversight
AI strategy and policies — aligned with the ICS, data protection and outsourcing management
Already in production: AI agents for questionnaire evaluation with risk scoring and DORA-compliant contract review
Enabling your teams instead of creating dependency on external tools
Approach
From gap to an audit-proof line organisation
A proven implementation path — tailored in every mandate to the size,
risk profile and maturity of your organisation.
Phase 1
Analysis & scoping
Gap assessment against DORA, MaRisk, VAG/MaGo and NIS2, prioritisation by
risk and deadline, a sound basis for management decisions.
Phase 2
Target picture & roadmap
Target operating model, roles, committees and reporting lines —
including decision papers for the board and executive management.
Phase 3
Implementation in the line
Registers, processes, policies, contracts and tools are built —
leading interdisciplinary teams from compliance, risk, IT and legal.
Phase 4
Audit readiness & handover
Evidence management, support during audits and an orderly handover
to your line organisation — including enabling your staff.
Interim means: I come in, implement and hand over.
No never-ending consulting — a functioning organisation that runs without me.
References
Selected mandates
Build-up and implementation mandates in banks, insurance companies and financial service providers.
Insurance company
Building a compliance organisation & operationalising DORA
Overall responsibility for building a compliance, governance and risk organisation.
Integrated GRC model, executive reporting for the board, AI-supported automation
of due diligence evaluation and contract analysis.
IT & media service provider for banks (critical infrastructure)
Outsourcing management & central procurement under DORA, NIS2, PSD2
Complete register of information and outsourcing register, third-party management
with an SLA/KPI model, BCM for a critical-infrastructure service provider,
handover of the department to the line organisation.
Insurance group
DORA implementation in third-party management
Register of information, definition of critical functions and providers,
due diligence processes, DORA-compliant contract amendments, exit planning
and exit strategy.
International insurance group
Strategic advisory VAIT / DORA
Written rules of procedure for all VAIT/DORA topics, policies for IAM and
information security, roll-out of a GRC tool, register of information with
initial assessment.
IT service provider for banks
ICS, IAM & support of regulatory examinations
Roll-out of Garancy, SoD conflict management incl. exception processes,
audit-proof authorisation concepts. Support of Sec. 44 KWG, PS 951, external
and data protection audits and remediation of the findings.
Custodian bank / fund platform
Project lead & IAM architecture
Leading a ten-person project team, transforming the IAM solution to the cloud,
building IT contingency management and outsourcing processes, protection needs
analysis and information security.
Further roles (selection): Big Four audit firm · Direct bank ·
Landesbank · Central institution of the cooperative banks · European energy exchange ·
IT subsidiary of a major bank · Securities house of the German savings banks
Partner network
One point of contact — and around 50 specialists behind me.
For 25 years I have been working in a successful, well-established partnership
with around 50 independent consultants — specialists who are available on call.
This allows us to handle larger programmes as well, without you buying the
overhead of a large consultancy.
The decisive difference: these teams are well-rehearsed. We know each other’s
working styles, strengths and interfaces from many joint mandates — which is why
we can assemble fully operational teams at short notice, tailored to your project.
And you always keep a single point of contact: me.
Interim CIO, CRO / Head of Compliance & Risk / Head of Governance
More than 25 years of leadership experience in banks, insurance companies, payments,
asset management companies, service providers and industry. Specialised in building
and transforming compliance, risk and governance organisations in highly regulated
companies — with a proven track record in implementing major regulatory programmes
and supporting supervisory examinations.
I combine board-level strategic advice with a distinctly hands-on mentality:
decision papers that get decided. Registers that are maintained. Processes
that are lived.
Location
Hamburg, Germany — assignments across Europe & remote
Languages
German, English, Italian (basic)
Roles
Interim manager · Project lead · Sparring partner to executive management
Focus
Regulation, governance & standards: DORA, MaRisk, BAIT, VAIT, NIS2 as well as information security and resilience standards under ISO/IEC 27001, 27002, 27005 and ISO 22301; complemented by data protection governance and privacy requirements in the context of GDPR / ISO 27701 as well as audit and attestation standards under SOC 2
Whether gap assessment, register of information or building an entire
organisation — in a no-obligation initial consultation we clarify where you
stand and the fastest path to audit readiness.
Registered in the companies register of the Republic of Cyprus (Department of the
Registrar of Companies and Intellectual Property, Nicosia)
Registration number: HE 428319
VAT identification number: CY10428319Q
Responsible for content pursuant to Sec. 18 (2) MStV
Michael Schwendemann
Lilli Zografou 5
4102 Limassol, Cyprus
Dispute resolution
The European Commission provides a platform for online dispute resolution (ODR):
https://ec.europa.eu/consumers/odr. We are neither willing nor obliged to participate
in dispute resolution proceedings before a consumer arbitration board.
Liability for content
The contents of this website have been created with the greatest possible care.
However, we cannot guarantee that the contents are accurate, complete or up to date.
As a service provider we are responsible for our own content on these pages under
general law. We are, however, not obliged to monitor third-party information
transmitted or stored on this website or to investigate circumstances indicating
unlawful activity. Obligations to remove or block the use of information under
general law remain unaffected. Liability in this respect only arises from the moment
we become aware of a specific infringement. Upon becoming aware of such infringements,
we will remove the content in question immediately.
Liability for links
This website may contain links to external third-party websites over whose content
we have no control. We therefore cannot accept any liability for such third-party
content. The respective provider or operator of the linked pages is always responsible
for their content. The linked pages were checked for possible legal violations at the
time of linking; no unlawful content was identifiable at that time. Permanent
monitoring of the content of linked pages is not reasonable without concrete
indications of an infringement. Upon becoming aware of legal violations, we will
remove such links immediately.
Copyright
The content and works created by the site operator on these pages are subject to
copyright. Reproduction, editing, distribution and any kind of use beyond the limits
of copyright law require the written consent of the respective author or creator.
Downloads and copies of this site are permitted for private, non-commercial use only.
Privacy Policy
Last updated: July 2026
1. Controller
The controller within the meaning of the General Data Protection Regulation (GDPR) is:
Sifor LTD
Michael Schwendemann
Lilli Zografou 5
4102 Limassol, Cyprus
We treat your personal data confidentially and in accordance with the statutory data
protection provisions, in particular the GDPR, and this privacy policy. This website
can generally be used without providing any personal data. Where personal data (such
as name, email address or phone number) is collected, this is done on a voluntary
basis wherever possible.
3. Data collection when visiting this website (server log files)
When you access this website, the hosting provider automatically collects information
in so-called server log files, which your browser transmits automatically. This
includes: browser type and version, operating system used, referrer URL, host name of
the accessing computer, time of the server request and IP address. This data is not
merged with other data sources. Collection is based on Art. 6 (1) (f) GDPR; our
legitimate interest lies in the technically error-free presentation and the security
of this website. The log files are automatically deleted after a short period.
4. Contact
If you contact us by email or telephone, your details, including the contact data you
provide, will be stored for the purpose of processing your enquiry and in case of
follow-up questions. Processing is based on Art. 6 (1) (b) GDPR where your enquiry
relates to the initiation or performance of a contract, and otherwise on our
legitimate interest in the effective handling of enquiries addressed to us
(Art. 6 (1) (f) GDPR). We do not pass on this data without your consent. The data
will be deleted as soon as it is no longer required to achieve the purpose for which
it was collected and no statutory retention obligations apply.
5. Cookies and tracking
This website does not use cookies for analytics or marketing purposes, does not use
any tracking or analytics services and does not embed any third-party content
(e.g. external fonts, map or video services).
6. Your rights as a data subject
Within the scope of the applicable statutory provisions, you have the right at any time to:
obtain free information about your stored personal data, its origin and recipients
and the purpose of the data processing (Art. 15 GDPR); rectification of inaccurate
data (Art. 16 GDPR); erasure of your data (Art. 17 GDPR); restriction of processing
(Art. 18 GDPR); data portability (Art. 20 GDPR); and to object to the processing of
your data (Art. 21 GDPR). Where processing is based on your consent, you may withdraw
it at any time with effect for the future.
You also have the right to lodge a complaint with a data protection supervisory
authority (Art. 77 GDPR), in particular in the Member State of your habitual
residence, your place of work or the place of the alleged infringement. The authority
responsible for the controller is the Office of the Commissioner for Personal Data
Protection, Cyprus (www.dataprotection.gov.cy).
7. SSL/TLS encryption
For security reasons and to protect the transmission of confidential content, this
site uses SSL/TLS encryption. You can recognise an encrypted connection by the
address bar of your browser changing from “http://” to “https://”.
8. Currency and amendment of this privacy policy
Due to the further development of our website or changed legal or regulatory
requirements, it may become necessary to amend this privacy policy. The current
version can be accessed on this website at any time.