Michael (Georg) Speller
Bridging Law, ICT-Operations & Best Practices
Experience
Freelance Compliance & IT Regulation Consultant
Various financial institutions and regulated companies
- Advising financial institutions on implementing DORA and NIS2 requirements
- Conducting gap analyses between existing governance structures and new regulatory requirements
- Creating and revising policies, process descriptions, contract annexes and technical-organizational measures
- Designing digital operational resilience testing programs (DORA Art. 24–25)
- Third-party risk management: setting up a third-party register, LEI reconciliation, value chain analysis
- Training internal staff on DORA/NIS2 requirements
- Negotiating and renegotiating outsourcing contracts according to DORA/NIS2 requirements
- Using technologies/frameworks: DORA, NIS2, EBA guidelines, BaFin requirements, NIST CSF, ISO 27001
- Engagements are subject to strict NDAs
IT-Audit Defense Manager
DÜRR AG
- Defending IT findings against auditors during annual financial audits
- Coordinating remediation measures across multiple project streams
- Acting as interface between business units, IT and external auditors
- Ensuring the quality of communications and technical concepts
- Reporting remediation measures to the supervisory board
- Proactively advising business units on NIS2, critical infrastructures, ISO 27001, TISAX and SAP authorizations
- Result: Successful sign-off by auditors, all critical findings closed
- Using technologies/frameworks: NIS2, critical infrastructures regulations, ISO 27001, TISAX, GDPR
Audit Defense Consultant
Financial institution
- Supporting and defending the EBA/ECB regulatory inspection
- Acting as head of mission on the client side during on-site inspections
- Coordinating all internal stakeholders during the audit
- Preparing and conducting interviews with regulators
- Reviewing and organizing documents for regulatory requirements
- Developing remediation plans for identified gaps
- Result: Successful completion of the OSI without major remarks
- Using technologies/frameworks: EBA guidelines, MaRisk, BAIT, ECB supervisory requirements
- Detailed information is subject to NDA
Senior IT-Compliance Consultant
Stuttgarter Versicherung
- Designing and managing the full outsourcing process from on-premise to Microsoft 365/Azure Cloud
- Compliance assessment under DORA, NIS2, EIOPA guidelines and VAGO/VAIT
- Conducting due diligence and audits of cloud service providers and MSPs
- Creating new internal procedures and risk management methodologies
- Training staff (outsourcing management, legal department, FinOps)
- Registering the project through BaFin's MVP portal
- Documenting board decisions according to regulatory requirements
- Result: Successful BaFin approval, go-live without findings
- Using technologies/frameworks: Microsoft 365, Azure, EIOPA guidelines, VAGO/VAIT, DORA (preparation)
IT-Governance Strategy Consultant
Zwilling AG
- Developing global IT governance for 14 countries considering different compliance requirements (EU, APAC, US)
- Transitioning to SIAM (Service Integration and Management)
- Preparing a continuous auditing framework
- Ensuring international data protection requirements (GDPR, APAC privacy laws, US regulations)
- Using technologies/frameworks: SIAM, GDPR, multi-jurisdictional compliance
IT Compliance & Outsourcing Consultant
Bank Norddeutschland
- Risk assessment of IT vendor services and outsourcing under MaRisk 08/2021
- Process adjustments in IT governance and IT security
- Audit of IT service providers for compliance adherence
- Training on segregation of duties and Three Lines of Defense
- Creation of playbooks for major IT incidents
- Use of technologies/frameworks: MaRisk 2021, Three Lines of Defense, IT Incident Management
Cloud Outsourcing Advisor
Großbank Hessen
- Due diligence of public cloud outsourcing projects
- Analysis of subcontractor value chains
- Assessment against MaRisk 2021, BAIT 2021, EBA Guidelines (outsourcing, ICT Risk Management)
- Contract analysis and renegotiation with hyperscalers
- Review of audit and instruction rights in cloud contracts
- Use of technologies/frameworks: AWS, Azure, Google Cloud, MaRisk, BAIT, EBA Guidelines
Senior Cloud Compliance Consultant
TeamBank Bayern
- Risk analysis of cloud outsourcing under MaRisk 2021 and BAIT 2021
- Renegotiation of standard hyperscaler contracts
- Due diligence with AWS, Microsoft, Google, Genesys
- Analysis of subcontractor chains and contractual audit rights
- Use of technologies/frameworks: AWS, Azure, Google Cloud, Genesys, MaRisk, BAIT, EBA Guidelines
IT Outsourcing & Cloud Governance Consultant
Oldenburgische Landesbank
- Scenario-based risk analysis for cloud outsourcing
- Gap analysis of contractual rules against regulatory requirements
- Reorganization of internal governance structures
- Auditing of subcontractor value chains
- Contract negotiation with AWS, Microsoft, Google, SAP, and Salesforce
- Preparation for the §44 KWG audit by BaFin on outsourcing topics
- Use of technologies/frameworks: AWS, Azure, Google Cloud, SAP, Salesforce, MaRisk 2021, BAIT, ENISA Cloud Certification
Cloud Outsourcing Consultant
dwpbank
- Risk analysis of cloud outsourcing for banking service providers
- Gap analysis between customer contracts, provider contracts, and EBA Guidelines
- Establishment of Three Lines of Defense Governance
- Negotiations with around 300 institutional banking clients on compliance requirements
- Use of technologies/frameworks: EBA Guidelines, Three Lines of Defense, Multi-Tenant Banking
IT-Audit Defense Task Force Manager
Viridium SE
- Task force to correct BaFin findings and notices in IT outsourcing
- Reassessment of IT outsourcing risks
- Gap analysis against EIOPA requirements
- Restructuring IT outsourcing and IT security governance (Three Lines of Defense)
- Revising IT reporting according to VAIT requirements
- Result: successful BaFin follow-up review, all notices closed
- Use of technologies/frameworks: Solvency II, §32 VAG, MaGo, VAIT, EIOPA, GDPR
Head of Central Outsourcing Management
LBBW (Landesbank)
- Building a global outsourcing management (Second Line of Defense) for Germany, the UK, the US, and Singapore
- Auditing cases for outsourcing relevance according to MaRisk AT9
- Gap analyses between EBA, FCA, and MAS requirements and the current state
- Monitoring regulatory updates across all branches
- Advising business units on risk analyses (cloud, KRITIS, cyber security)
- Implementing the EBA Guidelines on Outsourcing group-wide
- Introducing uniform provider evaluation standards
- Use of technologies/frameworks: MaRisk AT9, EBA Guidelines, FCA, MAS, multi-jurisdictional compliance
IT-Audit Defense Lead
Finanz Informatik (Sparkassen-Finanzgruppe)
- Supporting correction projects after ECB audit
- Restructuring outsourcing assessments according to §25 KWG, MaRisk, and BAIT
- Reassessing significant outsourcing
- Revising IT reporting according to BCBS 239
- Developing a contract toolkit for technicians, legal experts, and buyers
- Advising on provider contract negotiations
- Preparing the establishment of central outsourcing management
- Use of technologies/frameworks: §25 KWG, MaRisk, BAIT, MaGo, KRITIS, GDPR, BCBS 239
IT-Outsourcing Governance Manager
Postbank AG
- Redesigning contracts and governance after audit restructuring
- Defining new governance and organizational interfaces
- Optimizing provider management processes
- Revising IT reporting according to BCBS 239 and MaRisk 2016
- Introducing provider management toolsets
- Use of technologies/frameworks: KWG, MaRisk 2016, BCBS 239, provider management
IT-Audit Defense Consultant
ING-DiBa
- Preparing for §44 KWG BaFin audit
- Project management of operational governance and outsourcing as backup
- Defining technical and organizational interfaces
- Establishing provider management
- Use of technologies/frameworks: §44 KWG, MaRisk, provider management
KRITIS IT Governance Manager
Amprion GmbH
- Project lead “Design Operative Governance” for critical infrastructure
- Definition of technical and organizational interfaces
- Mapping GRC processes for the energy sector
- Creation of RACI matrices and cross-reference tables
- Definition of information governance and KPIs
- Documenting processes in ARIS as value chains
- Use of technologies/frameworks: KRITIS (energy), EnWG, GRC, ARIS
Summary
There are hardly any areas where so many amateur lawyers gather as in IT compliance. At first this may seem cheaper, but it often becomes costly due to the EU-wide shift from voluntary best practices to mandatory regulations and personal liability of executive management.
As a graduate lawyer and computer scientist with extensive IT service, risk management, and audit preparation & defense expertise, I close the gaps between binding law, ICT operations & best practices.
Legal laypeople often overlook the accompanying norms in commercial, civil, and criminal law – underestimating the new acute liability risks when advice is lacking.
As an expert in regulatory implementation and best practices, I bring around 30 years of experience as an operational lawyer and IT service and outsourcing manager.
My topics: DORA | NIS2 | AI Act | CRA | CSA | DNA | Audit-Prep & Defense | Third-Party Risk Management (TPRM) | EU Compliance | ISO 2700x | BSI Basic Protection | GRC | ToM | sfO | Procedures | Measures | Guidelines | Processes | IKS
SERVICE PROFILE:
IT Regulation & EU Compliance
- Focus: Executive management liability, audit preparation: DORA, NIS2, AI Act, CRA, CSA
- Frameworks: SOX, IDW, NIST, ISO 2700x, ITIL, COBIT
- High-end audit prep, management & defense
- Regulatory inspections: Preparation and support of on-site inspections (OSI) by ECB, BaFin (§ 44 KWG), CSSF, FINMA
- Post-audit support: IT annual financial audit (JAP) support, efficient remediation and mitigation of findings
Third-Party Risk Management (TPRM) & Governance
- 20 years of experience in outsourcing management with complex value chains
- Implementation of xBoM
- Support for complex outsourcing negotiations
- Exit strategies
Project support, training & second opinion
- Proactive, complementary compliance support for ICT projects
- Sparring partner for project teams
- Management workshops on statutory competency requirements (Fit & Proper)
Background & Qualifications
- Academic degree: Dual qualification as Graduate Lawyer (Univ.) & Graduate Computer Scientist (FH)
- Certifications (selection): CISA, CISSP, BSI Basic Protection, CSA Auditor, ITIL v2/v3
Industry portfolio
- Banks & insurance, ICT service providers, automotive industry, telecommunications, energy, healthcare, ...
Confidentiality (NDA & GDPR)
- Due to my work in sensitive areas – supporting regulatory inspections and addressing critical findings – mandates are generally subject to NDAs. References can be discussed on a professional level. Disclosure of sensitive information or personal data is in accordance with NDA and GDPR.
Skills
DORA Compliance
NIS2 Implementation
CRA
AI Act (AI Regulation)
IT Audit Defense
Third-Party Risk Management
Cloud Governance
Cyber Resilience Testing
Outsourcing Management
Regulatory Due Diligence
Advising, preparing and following up on IT compliance audits, annual financial audits (JAP) and on-site inspections (OSI) by EU and national authorities
Implementing regulatory requirements and integrating international standards (DORA, NIS2, AI Act, EBA, EIOPA, ESMA, ENISA, ISO, IEC, NIST, ITIL, BSI C5)
Documentation, sfO and policy management as well as product, service and offering descriptions
Proactive compliance support for IT projects
Conducting risk and vulnerability analyses
Deriving corrective actions
Automating compliance and control processes wherever possible
Identifying, assessing and managing IT and third-party risks
Developing measures, security concepts, resilience tests, xBoM strategies
Building sustainable IT governance
Simulating, supporting and defending IT audits, OSIs and regulatory inspections (ECB, BaFin, FINMA, BSI)
Assisting with contract negotiations, outsourcing and due diligence processes
Checking compliance gaps to avoid findings and fines
Supporting the regulatory shift from 'best practice' to 'compliance obligation'
Harmonizing international frameworks: DORA 2025, IDW PS 528, IEC 62443, BSI TR-03183, NIST SSDF, SBOM etc.
Training videos for online learning platforms in the regulatory field
Planning and conducting workshops to meet legal competency requirements
Awareness programs for management and specialist teams
EU Regulation: DORA, NIS2, CER, CRA, AI Act, DSA, DMA, Data Act, Cyber Resilience Act
Financial Supervision: EBA, EIOPA, ESMA, MaRisk, BAIT, VAIT, EBA Guidelines
Data Protection & Security: ENISA Guidelines, ISO 27001, TISAX, BSI Basic Protection, NIST CSF
Critical Infrastructures: BSI, IT Security Act, critical infrastructures
IT audit preparation, management and defense (ECB, BaFin, FINMA, auditors)
Third-party risk and supply chain management
Cloud governance (AWS, Azure, Google Cloud, Salesforce)
Digital operational resilience testing (DORA, TLPT)
IT outsourcing: contract negotiation, due diligence, exit management
Incident management and cyber security response
Governance, Risk & Compliance (GRC) frameworks
ITIL, COBIT, ISO 27001, NIST, Three Lines of Defense
Risk assessment and risk management frameworks
Contract management and SLA design
DevSecOps security assessment
Business Continuity Management (BCM)
Cloud Platforms: AWS, Microsoft Azure, Google Cloud Platform, Salesforce
Compliance Tools: GRC platforms, risk assessment tools, audit management systems
Security Tools: Nessus, SIEM systems, vulnerability scanners, penetration testing tools
Documentation: ARIS, Visio, Confluence, SharePoint
Project Management: MS Project, Jira, Agile/Scrum methodologies
Standards & Frameworks: ITIL, COBIT, ISO 27001, NIST CSF, CIS Controls, OWASP
Fast onboarding into complex regulatory requirements
Bridging technology, law and business
Pragmatic, implementation-oriented advice
Proven success in audit defense
Train-the-trainer expertise
Financial Services (banks, insurance, asset management)
Critical Infrastructures (energy, telecommunications)
Industry and medium-sized enterprises
IT service providers
Remote and on-site (all DACH region)
Flexible project durations (interim management, project consulting, task force)
Languages
Education
Graduate Computer Scientist (FH) · Information and communication sciences
Business administration studies · Business administration, organization/BA
Graduate Lawyer, First State Exam · Law
Certifications & licenses
Building an ISO 27001-Compliant Cybersecurity Program: The Annex A Controls
LinkedIn Learning