Frequently Asked Questions

Questions we hear all the time

Everything you need to know about working with Cyvra: our services, how engagements work, compliance, AI, and more. Can't find your answer? Just ask us directly.

Cyvra is an IT, cybersecurity, and AI consultancy formed from the merger of three specialist firms operating across the Netherlands, UK, and Brazil. We work with businesses in regulated sectors where IT decisions carry real consequences.

We help organisations manage and secure their IT, cloud and technology systems, achieve and maintain compliance, adopt AI responsibly, and take full control of their IT operations through practical, hands-on work rather than theory.

Cyvra is a consultancy, not a software company. We do not sell, license, or resell security products, automated scanning tools, phishing simulation platforms, or off-the-shelf software of any kind. We can recommend good ones for you if needed.

What we do is work directly with your team. We assess your environment, identify what actually needs addressing, and then implement the improvements and controls that fit your specific situation, whether that is an IT infrastructure overhaul, a compliance programme, or an AI adoption plan. The work is hands-on and specific to your business, not a packaged product.

We have deep experience in healthcare, financial services, and hospitality: sectors where data protection obligations, regulatory scrutiny, and operational continuity are non-negotiable. We understand the specific frameworks that govern each: from GDPR and NIS2 in healthcare, to DORA and PCI DSS in financial services, to the guest data and distributed IT challenges in hospitality.

We also work with businesses in other industries. If your situation involves regulated data, compliance pressure, or IT complexity, we are likely a good fit.

Cyvra is based in Amsterdam (Netherlands) and London (United Kingdom). We work with businesses across the Netherlands and UK.

Most engagements can be handled remotely, though we travel on-site when the work calls for it, whether that is running a workshop, conducting a physical security audit, or supporting a go-live.

Yes. Cyvra has roots in Latin America and our Brazil practice continues to serve clients across the region. Latin American engagements are handled through our dedicated Brazil entity — visit cyvra.com.br for more information.

Our team brings over 20 years of combined experience across organisations including Microsoft, ING, HSBC, NHS, Booking.com, and PPHE. We have helped more than 200 businesses across healthcare, financial services, and hospitality.

Certifications held across the team include CISSP, CISM, CCSP, ISO 27001 Lead Implementer, PCI DSS, ITIL v4, Azure, Microsoft 365, PMP, and CompTIA. More importantly, these are credentials backed by real delivery, not just exam passes.

Our engagements are scoped and priced based on the size of your organisation, the complexity of the work, and the deliverables required. We provide a fixed-price proposal after an initial scoping call, so there are no surprises mid-engagement.

The scoping call is free and there is no obligation. It is simply to make sure we understand what you actually need before we put anything in writing.

We offer four core service areas:

Cybersecurity: risk assessments, penetration testing, security frameworks, identity and access management, incident response, and security awareness training.

IT Management: IT strategy, cloud infrastructure (Azure, Microsoft 365), service desk, vendor management, cost optimisation, and backup and disaster recovery.

Artificial Intelligence: AI strategy and readiness assessments, machine learning implementation, Microsoft Copilot deployment, LLM integration, and AI governance.

Audits & Compliance: ISO 27001 certification, GDPR, PCI DSS, NIS2, DORA, internal audits, and ongoing compliance monitoring.

Both. Depending on your needs, we can provide strategic advisory (assessments, gap analysis, and roadmaps) or hands-on implementation and ongoing management. We do not push clients into retainers they do not need. We scope what is right for your situation.

Yes. Our cybersecurity team can support active incident response, including containment, forensic analysis, and recovery. We also help organisations build incident response playbooks and run tabletop exercises in advance, so your team knows exactly what to do when something happens.

If you are dealing with an active incident right now, contact us immediately and we will prioritise your request.

Yes. We cover the full ISO 27001 journey: gap analysis, risk assessment, control design and implementation, documentation, policy development, internal audit, and certification body preparation. We stay involved throughout the process. We do not hand off a folder of documents and wish you luck.

We also help organisations maintain their certification long-term, because compliance that drifts after the initial audit is compliance that fails at the next one.

NIS2 is the EU's updated Network and Information Security directive (Directive (EU) 2022/2555). It entered into force in January 2023, and member states had until 17 October 2024 to transpose it into national law, which is when its obligations began to apply. It significantly expands the scope of the original NIS directive, covering a broader range of sectors including healthcare, financial services, digital infrastructure, managed services, and more.

Under NIS2, organisations face stricter requirements around risk management, incident reporting, supply chain security, and executive accountability. Penalties for non-compliance can be substantial: the directive requires member states to set maximum administrative fines of at least EUR 10 million or 2% of total worldwide annual turnover for essential entities, and at least EUR 7 million or 1.4% for important entities, whichever is higher, and management bodies can be held personally accountable. If you are unsure whether NIS2 applies to your business, get in touch and we can help you assess your obligations quickly.

Our GDPR work covers lawful basis mapping, Records of Processing Activities (RoPA), Data Protection Impact Assessments (DPIAs), breach notification procedures, data subject rights processes, and DPO support. We treat compliance as something that has to be embedded into how the business operates. It is not a one-time box-ticking exercise.

Yes. We provide audit readiness reviews that replicate what auditors will look for: evidence walkthroughs, stakeholder interview preparation, documentation reviews, and gap remediation. 58% of organisations fail their first compliance audit. 70% of those failures stem from documentation and process gaps rather than any malicious action. That is exactly the territory we work in.

Our engagements are scoped to a defined deliverable, but we do not disappear the moment the work is done. If follow-up questions come up, a finding surfaces six months later, or your auditor raises something unexpected, you can come back to us. We will scope any additional work needed honestly and without unnecessary upselling.

For ongoing needs — monitoring, periodic reviews, or continued support through a certification cycle — we can also structure longer-term arrangements. We do not push clients into retainers they do not need, but the option is there if it makes sense for your situation.

Start with an AI Strategy and Readiness Assessment. We assess your data maturity, map your existing processes, identify the highest-impact use cases for your specific business and sector, and produce a prioritised roadmap with realistic effort and cost estimates.

This gives you a clear picture of where AI will actually deliver value before you commit to anything. 85% of AI projects fail to move beyond pilot into production. Most of those failures are avoidable with better upfront scoping.

Yes. We handle Microsoft Copilot deployment from end to end: tenant readiness checks, configuration, data access governance, security controls, and user adoption. Copilot can surface sensitive information if your Microsoft 365 permissions are not properly structured before enabling it. This is one of the most common deployment mistakes we help clients avoid.
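The oversharing problem above is concrete enough to check before a Copilot rollout. The script below is an added example, not Cyvra's code and not part of the original page. It walks permission records in the shape Microsoft Graph returns from the drive-item permissions endpoint and flags the two patterns Copilot will happily surface: sharing links scoped to the whole organisation (or anonymous), and grants to the tenant-wide "Everyone except external users" claim, which SharePoint identifies with a login name containing `spo-grid-all-users`. The item paths, permission records and tenant GUID are constructed sample data so the script runs offline; in practice you would feed it real Graph output.

```python
"""Pre-Copilot oversharing audit over Microsoft Graph permission objects.

The records in SAMPLE_ITEMS are constructed to match the shape of
GET /sites/{site-id}/drive/items/{item-id}/permissions responses; replace them
with real Graph output to audit a tenant. Added example, not Cyvra's tooling.
"""
from dataclasses import dataclass

# Login-name fragment SharePoint uses for the tenant-wide
# "Everyone except external users" claim (the tenant id follows it).
EVERYONE_EXCEPT_EXTERNAL = "spo-grid-all-users"
# Sharing-link scopes that expose content beyond named people.
BROAD_LINK_SCOPES = {"organization", "anonymous"}


@dataclass(frozen=True)
class Finding:
    item: str
    reason: str
    roles: tuple


def _identity_is_everyone(identity: dict) -> bool:
    """True if a grantedToV2 / grantedToIdentitiesV2 entry is the whole tenant."""
    for kind in ("siteGroup", "siteUser", "group", "user"):
        ident = identity.get(kind)
        if not ident:
            continue
        login = (ident.get("loginName") or "").lower()
        name = (ident.get("displayName") or "").lower()
        if EVERYONE_EXCEPT_EXTERNAL in login or name in {
            "everyone", "everyone except external users"
        }:
            return True
    return False


def audit_permissions(item_path: str, permissions: list) -> list:
    """Return a Finding for every permission that exposes item_path tenant-wide."""
    findings = []
    for perm in permissions:
        roles = tuple(perm.get("roles", []))
        scope = (perm.get("link") or {}).get("scope")
        if scope in BROAD_LINK_SCOPES:
            findings.append(Finding(item_path, f"{scope}-scoped sharing link", roles))
            continue
        grantees = [perm.get("grantedToV2") or {}]
        grantees += list(perm.get("grantedToIdentitiesV2") or [])
        if any(_identity_is_everyone(g) for g in grantees):
            findings.append(
                Finding(item_path, "granted to Everyone except external users", roles)
            )
    return findings


def audit_tenant(items: dict) -> list:
    """Audit a mapping of item path -> Graph permission list."""
    findings = []
    for path, perms in items.items():
        findings.extend(audit_permissions(path, perms))
    return findings


# Constructed sample data (hypothetical sites, files and tenant GUID).
SAMPLE_ITEMS = {
    "/sites/HR/Shared Documents/Salaries 2024.xlsx": [
        {"id": "1", "roles": ["write"],
         "grantedToV2": {"user": {"displayName": "A. Payroll",
                                  "email": "payroll@example.test"}}},
        {"id": "2", "roles": ["read"],
         "grantedToV2": {"siteGroup": {
             "displayName": "Everyone except external users",
             "loginName": "c:0-.f|rolemanager|spo-grid-all-users/"
                          "00000000-0000-0000-0000-000000000000"}}},
    ],
    "/sites/Finance/Shared Documents/Board pack.pdf": [
        {"id": "3", "roles": ["read"],
         "link": {"scope": "organization", "type": "view"}},
    ],
    "/sites/Finance/Shared Documents/Budget.xlsx": [
        {"id": "4", "roles": ["read"],
         "link": {"scope": "users", "type": "view"},
         "grantedToIdentitiesV2": [{"user": {"displayName": "B. Analyst"}}]},
    ],
}


if __name__ == "__main__":
    for f in audit_tenant(SAMPLE_ITEMS):
        print(f"{f.item}: {f.reason} (roles={','.join(f.roles)})")
```

Only the salaries spreadsheet and the board pack are flagged; the budget file is shared with one named person through a people-scoped link, which is the shape you want to see. Run the same logic over every site before enabling Copilot and remediate the findings first, because Copilot respects existing permissions rather than fixing them.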

We cover AI governance, ethics, and regulatory compliance as a core part of any AI engagement. This includes EU AI Act alignment, bias testing, model explainability, data provenance, and responsible AI frameworks. We make sure your AI deployments are not only effective but defensible if scrutinised by regulators or auditors.

We work on fixed-price engagements with clear timelines and costs. You know exactly what you are getting and what it will cost before work begins. No surprises, no scope creep billed at day rates, no hidden fees.

We do not lock clients into ongoing retainers they do not need. If you need a one-time assessment, that is what we scope. If you need ongoing support, we can structure that too, on your terms and not as a default condition.

It depends on scope. A focused assessment (such as a security audit, compliance gap analysis, or AI readiness review) typically runs two to four weeks. A full ISO 27001 implementation, cloud migration, or AI deployment project can take three to six months.

We give you a realistic timeline as part of your proposal, including key milestones. We do not pad timelines or drag engagements out unnecessarily.

We work with businesses of all sizes. From startups finding their feet to large enterprises running complex operations, we adapt our approach to fit your scale, sector, and objectives. If you have a problem we can help with, the size of your organisation is not a barrier.

You send us a message describing your situation, and we respond within 24 hours, usually the same business day. We then have a 30 to 45 minute introductory call to understand your needs, your environment, and your goals.

From there, we put together a clear proposal covering scope, timeline, and cost in plain language. No jargon, no padding, no pressure. If we are not the right fit, we will tell you and point you in the right direction.

You work directly with senior consultants throughout the engagement. We do not use account managers as a buffer or rotate helpdesk staff onto your project. The people you speak to at the start are the people doing the work, and they stay involved until it is done.

A specialist across cybersecurity, compliance, AI, and IT management is expensive to hire full-time, and nearly impossible to find in one person. With Cyvra, you get a team of specialists across all four disciplines for the duration you need them, with no recruitment cost, no onboarding time, and no ongoing salary commitment when the work is done.

We are also vendor-neutral. We recommend what is right for your situation, not what we have a commercial incentive to sell. That independence matters when you are making decisions about your infrastructure and security posture.

We are happy to answer anything directly. Send us a message and we will come back to you within 24 hours. There is no sales pitch, no obligation. Just a straight answer to your question.

Ready to get started?

Tell us where you are and we will come back with a plan that fits. No jargon, no fluff.

Get in touch