What this service does
NIS2 (Oct 2024 deadline, now enforced), DORA financial entities (Jan 2025 effective), EU AI Act high-risk Annex III conformity (Aug 2 2026, €35M / 7%-of-turnover penalties). Extraterritorial readiness for US firms with EU subsidiaries or EU customers. Billed and delivered US-side, in USD. We do not direct-sell to EU governments.
Senior practitioner on every engagement. Quinnlan Varcoe (Founder and CEO) oversees every engagement and reviews every case before findings leave the practice; Jose Santana, Lead Technical Consultant, oversees the practitioner team executing the technical work under her methodology. NDA-protected. No black-box delivery, no off-shoring, no junior staff bait-and-switch.
What we deliver
- EU AI Act High-Risk Conformity (Aug 2 2026). Annex III high-risk categorization, conformity assessment per Article 43, technical documentation per Annex IV, post-market monitoring per Article 72, CE-marking workflow. €35M or 7% of global turnover penalty exposure for non-compliance. ~95 days as of this writing.
- NIS2 Directive Compliance. NIS2 transposition deadline October 2024, now enforced across EU Member States. Essential entity vs. Important entity classification, supply-chain security obligations, 24-hour early-warning reporting, registration with national authority. Direct + indirect applicability for US firms with EU subs or EU services.
- DORA, Digital Operational Resilience Act. Effective 17 January 2025 for EU financial entities. ICT risk management framework, ICT incident reporting, digital operational resilience testing (TLPT), ICT third-party risk including critical-third-party designation. Applies to US firms with EU financial subs + ICT third-party providers.
- GDPR Article 32 Cyber-Specific Controls. Technical and organisational measures, ICO/EDPB-aligned breach notification 72-hour clock, Data Protection Impact Assessments tied to security controls, supervisory authority coordination on cyber incidents.
- Schrems II / Cross-Border Data Transfer. EU-US Data Privacy Framework, Standard Contractual Clauses, Transfer Impact Assessments. Cybersecurity controls baked into TIA technical-measures section.
- NIS2 + DORA Crosswalks to US Frameworks. SOC 2 + ISO 27001 evidence covers ~70% of NIS2 + DORA technical requirements. We map the existing US compliance posture to the gap rather than rebuild from scratch.
How an engagement begins
- Confidential consultation. NDA-protected. 30 to 60 minutes. Direct conversation with Quinn, not a sales rep.
- Scoped engagement. Written proposal with defined deliverables and pricing. Hourly with milestone caps for open scopes; fixed fee where the work is well-defined.
- Delivery and reporting. Court-admissible methodology where evidence matters. Written deliverables you can hand to counsel, the board, or your auditor.
Why this work runs through Witness
Witness is the parent brand for the practice. The same firm operates a B2B sister brand at varcoe.ai for buyers whose procurement workflow expects a B2B website and a B2B sales motion. Same legal entity (Blueberry Security Global, Inc., Delaware C-corp). Same Quinn. Same delivery team. The split is by audience, not by capability.