Innovation with confidence,
security by design
A team of ICT experts supporting you in Compliance & Cybersecurity
Trusted by public institutions and regulated industries in Luxembourg, Belgium and France
Risk assessments completed for public institutions and regulated industries
Certifications
Industry sectors
Government · Healthcare · Financial services · Cultural institutions
Our commitments!
Staying on top of your compliance
Regulatory frameworks evolve constantly — compliance work that is not maintained becomes obsolete within months. Tomeris structures its compliance engagements as iterative processes so that risk registers, policies and controls stay aligned with current requirements.
DevSecOps & Security by design
Rather than checking security at the end of the development cycle, Tomeris advocates DevSecOps practices to embed security best practices across the organisation and the SDLC. We work directly with development and infrastructure teams to help integrate controls and architecture decisions all the way through to deployment.
An ongoing collaboration
Most of our client relationships span several years, with annual reviews and an evolving scope. We invest in understanding your environment, your constraints and your regulatory context. The maturity gains from this accumulated knowledge grow stronger with every engagement.
Our Services
Compliance
ISO 27001 Implementation
Full ISMS (information security management system) build-out: gap analysis, risk assessment, control implementation and preparation for the certification audit.
ISMS Risk Assessment
Structured risk assessment aligned with ISO 27001 Annex A controls. Audit-ready risk register and treatment plan.
DORA / NIS2 Audit
Gap analysis and compliance roadmap for financial services (DORA) and essential or important entities (NIS2).
Records of Processing
GDPR Article 30 register: data flow mapping and legal basis review.
DPIA
Data Protection Impact Assessment for high-risk processing activities under GDPR Articles 35–36.
DPO as a Service
Outsourced Data Protection Officer — ongoing GDPR compliance monitoring, register maintenance and liaison with supervisory authorities.
CISO as a Service
Part-time Chief Information Security Officer — security strategy, policy governance and executive reporting.
Operations
DevSecOps Audit
Integrated security assessment across the entire application lifecycle. 75 controls evaluated across three maturity levels with actionable recommendations.
Security Code Review
Manual and automated analysis of application source code: vulnerabilities, logic flaws and insecure practices.
Kubernetes Security Audit
Cluster configuration, RBAC, network policies and workload security evaluated against the CIS Kubernetes Benchmark.
Security Architecture Review
Security and resilience maturity assessment of your infrastructure and software architecture using Security by Design principles. DORA and NIS2 alignment.
AWS Security Audit
IAM, networking, encryption and logging evaluated against the CIS AWS Foundations Benchmark.
AWS Security Hardening
Operational remediation: account structure, guardrails and implementation of proactive security governance and controls.
Pentest
Targeted penetration testing for web applications, AWS infrastructure and Kubernetes clusters.
Backup Strategy Review
Assessment of backup architecture, retention policies, restore procedures and ransomware resilience.
AI Agent for the Enterprise
Secure deployment of AI code assistants: access controls, data perimeters and governance framework. Agentic coding skills and methodology.
AI Agent Security Audit
Vulnerability assessment of autonomous AI agents: prompt injection, tool hijacking, privilege escalation and data exfiltration.
AI Agent Hardening
Remediation and implementation of guardrails and tools for AI agents in production — from tool design to output validation.
How every engagement unfolds
Scoping and preparation
We begin by defining the engagement scope, planning each workshop and establishing clear roles and responsibilities on both sides. The full activity plan is shared before work begins.
Execution with checkpoints
Work is delivered in structured phases with regular progress reviews at each stage. The same dedicated team stays on the engagement from start to finish, and risks are tracked and communicated continuously.
Concrete, actionable results
Every engagement concludes with detailed deliverables containing prioritised recommendations, followed by a formal knowledge-transfer session.
Let's discuss your security and compliance needs
Attentive, responsive and committed, we are dedicated to understanding the real challenges in order to deliver tailored solutions.