ACE MATES · Nordic Cyber & Compliance

We start by getting to know you. Then we fit the service.

No pre-packaged solutions. No overselling. We understand your maturity, your priorities, and your constraints first — then configure the right level of support. You stay in control of the scope and the spend.

From €250/month + €45/hr
35 specialists · Nordic–India team
On-site within 48 hours

Step 1 — Discovery & Onboarding

Before anything else, we listen.

Every engagement starts the same way — a structured discovery that gives us a clear picture of where you are, where you want to go, and what's in the way. No cost, no obligation.

The ACE MATES discovery session
Your maturity.
Your priorities.
Your pace.

We don't assume. We ask. A 60–90 minute structured session that maps your current security and compliance posture — honestly, without jargon. The output is a clear picture of where you stand and a proposed service configuration that fits your situation.

  • Current maturity level — where are you today across cyber, compliance, and privacy
  • Destination — what does good look like for your organisation in 12 months
  • Priority gaps — what keeps you up at night and what has a hard deadline
  • Constraints — budget, team capacity, regulatory timelines, existing tools
  • Areas of uncertainty — what you don't know you don't know
  • How you want to work — do it for you, with you, or coach you to do it yourself
Discovery questions we'll work through together
01
What is your current relationship with cyber security and compliance?
Do you have any existing policies, a security person, or a previous audit? Have you had an incident? Are you under a specific regulatory obligation now, or anticipating one? This gives us your baseline — we work from where you are, not where we assume you should be.
02
What's driving the urgency — regulation, customer pressure, or risk?
Is NIS2 coming up in your board conversations? Has a customer sent you a security questionnaire? Are you preparing for a funding round? Or is this proactive — you want to build it right from the start? The driver shapes the priority order.
03
Where do you have clarity — and where do you have concern?
Every organisation has areas they feel confident about and areas they don't. We map both — the known gaps and the uncertain territories. The uncertain areas often matter more, because they're where unpleasant surprises come from.
04
What are your constraints — budget, team capacity, timing?
We size the engagement to what's realistic for your organisation. A startup with three engineers has different capacity than a 200-person manufacturer. We work with your constraints, not against them — and we're honest when a constraint creates a risk worth knowing about.
05
How do you want to work with us — and how involved do you want to be?
Some organisations want us to handle things end-to-end. Others want to be coached so their team builds the capability themselves. Most want something in between. We configure the engagement around your preferred working style — not ours.
06
What does success look like in 6 and 12 months?
Is it passing a customer audit? Having a documented incident response plan? Being NIS2 compliant? Getting ISO 27001? Or simply having a clear, maintained picture of your risk? We align on what "done" looks like before we start — so the engagement has a clear destination, not an open-ended scope.

Step 2 — Configure How We Help

Tell us the role you need us to play.

Pick one or more. Your selection shapes the type of engagement, the rhythm of work, and the service configuration we propose.

📡
Keep me informed
Regulatory horizon scanning — changes to NIS2, GDPR, AI Act, CRA timelines, sector-specific guidance. We surface what matters before it becomes urgent.
📂
Maintain my records
Ongoing compliance bookkeeping — policies, ROPA, evidence logs, audit trails, DPA registers. Everything organised so audit day is never a scramble.
🔍
Find my gaps
Structured gap assessments against NIS2, GDPR, ISO 27001, or AI Act. A clear picture of what's missing and why it matters — prioritised by risk, not alphabet.
🔧
Fix my gaps
Not just identify — remediate. Policy drafting, control implementation, supplier contract updates, training delivery. We close the gap, not just document it.
🛡️
Stay by my side
Always-available expert cover for questions, incidents, decisions, and surprises. When something happens that you don't know how to handle — we're there.
🎓
Coach us to own it
Consulting and coaching so your team builds the capability themselves. We work alongside, transfer the knowledge, and step back as your confidence grows.
Your selections shape the service configuration we propose after discovery. Most clients choose 2–3 roles. All are covered under the same €250/month + €45/hr commercial model.

Step 3 — Choose Your Engagement Mode

Task-focused or always on.

Two modes. Same commercial model. The right choice depends on how much clarity you have and how much risk you're comfortable carrying between engagements.

Plan A
Objective-Focused Tasks

You know what you need. We scope it, price it, deliver it — clean start, clean finish.

No long retainer, no open-ended scope. Each task is defined, priced, and completed independently.

Best for: clear requirements · defined deliverables · project-style work · first engagements
  • NIS2 obligation mapping — scoped, delivered, done
  • GDPR gap assessment with remediation plan
  • Policy suite creation (10–15 core documents)
  • Specific audit preparation and evidence pack
  • One-off security assessment with board report
  • Supplier security questionnaire response pack
  • DPIA for a specific product or process
Plan B
Always-On Retainer

We stay close. You assign tasks, ask questions, and get expert cover when surprises arrive.

The safety net while building your security posture. You're never alone with a decision, incident, or requirement you don't fully understand.

Best for: evolving requirements · ongoing compliance · incident risk · team capability building
  • Monthly regulatory briefing — what changed, what it means for you
  • Continuous compliance record maintenance
  • Ad-hoc consulting hours — questions, reviews, decisions
  • Incident response support when it happens
  • Quarterly posture review and board update
  • Ongoing policy and control maintenance
  • Team coaching sessions and security awareness delivery

Commercial Model

Simple pricing. No surprises.

A low floor to stay connected, a fair blended rate for everything you need, and a clear boundary on what's included versus separate scope.

Monthly minimum
€250 / month
Keeps the relationship active. Covers regulatory horizon scanning, record maintenance, and a monthly check-in. Activates access to the full team at the blended rate.
Monthly regulatory briefing included
Compliance record maintenance included
No lock-in period — monthly rolling
Blended hourly rate
€45 / hour
All billable work beyond the monthly minimum. One rate — regardless of which specialist is on the task. No senior/junior tiering, no surprises at invoice.
Time-tracked and reported monthly
Expert or delivery layer — same rate
On-site within 48h when requested
All of the following are covered at €45/hr
Compliance monitoring
NIS2, GDPR, AI Act, CRA tracking
Regulatory reporting
Incident notifications, authority responses
Audit support
Evidence prep, auditor liaison
Gap assessments
Any framework — risk-prioritised output
Policy drafting & review
Creation and ongoing maintenance
Data mapping & ROPA
Records of processing, data flows
Supplier questionnaires
Customer security questionnaires, vendor reviews
DPIA support
Impact assessments for new products/processes
Incident response
First response, coordination, notifications
Security awareness training
Team delivery, tailored to your context
Board & management reporting
Plain-language security updates
Consulting & coaching
Decisions, questions, team capability building
Separate scope
Quoted per engagement
Threat modelling · Penetration testing · ISO 27001 / SOC 2 programme · CRA / AI Act conformity · Forensic investigation
Surfaced during retainer, scoped & priced transparently before starting

The Team

35 specialists. Nordic presence.
Blended expertise.

Three layers of seniority, a deliberate Nordic–India blend, and a clear delivery model. This is what justifies the €45/hr blended rate — and why it holds.

Expert layer · 15+ years
9 specialists total
6 in Sweden · 3 offshore India
Nordic / Offshore presence
Sweden · 6
India · 3
Client-facing · on-site within 48h
Offshore · timezone-aligned
What this layer delivers
CISO-level strategy & board advisory
Regulatory interpretation & complex compliance
Client relationship ownership
Technical architecture review
Senior layer · 7–15 years
16 specialists total
8 in Sweden · 8 offshore India
Nordic / Offshore presence
Sweden · 8
India · 8
Local delivery & client contact
Offshore · timezone-aligned
What this layer delivers
Assessment delivery and gap analysis
Policy development and control implementation
Incident response coordination
Audit preparation and evidence management
Delivery layer · up to 7 years
10 specialists total
7 in Sweden · 3 offshore India
Nordic / Offshore presence
Sweden · 7
India · 3
Primarily local · day-to-day delivery
Offshore support
What this layer delivers
Record maintenance and compliance bookkeeping
Regulatory horizon scanning and briefings
Questionnaire and documentation support
Training delivery and awareness programmes
35
Specialists total
48h
On-site anywhere in Nordics
€45
One blended rate · no tiers
Why one blended rate works: The €45/hr rate reflects the full team — senior expertise available when needed, efficient delivery capacity for routine work. You don't pay senior rates for record maintenance, and you don't get a junior when you need a CISO. The right person for the task, at one predictable rate. Work is primarily delivered in your local timezone. A consultant can be at your location within 48 hours of a requested in-person meeting.

Startup & Product Track

Built-in from day one — not bolted on later.

For startups in product development, the window to embed privacy, security, and compliance into the architecture is now — before the technical debt compounds. These are the three frameworks you cannot ignore.

🔒
Privacy by Design
GDPR requires privacy to be designed into your product from the start — not added as a feature later. We embed data minimisation, purpose limitation, and consent architecture into your product decisions before the first line of code becomes a compliance liability. Avoiding a GDPR fine that scales with your revenue starts here.
⚙️
CRA — Cyber Resilience Act
If you ship a product with digital elements to the EU market, the Cyber Resilience Act applies — and it has teeth. Vulnerability handling, security update obligations, and conformity documentation are now product requirements, not optional extras. We map your product against CRA requirements before launch, not after a regulator asks.
🤖
EU AI Act
If your product uses AI to make decisions affecting users — hiring, credit, health, access — you have risk classification obligations today. High-risk AI systems require conformity assessments, human oversight, and documented training data governance. We classify your AI components and build the governance before a regulator does it for you.
The startup engagement model
Same €250/month + €45/hr structure. For early-stage companies we offer a Startup Onboarding Package — a fixed-scope first engagement that covers your CRA product classification, Privacy by Design architecture review, and AI Act risk mapping. Delivered in 3 weeks. Everything you need to know before you build further.

Get Started

Register in two minutes.

Tell us who you are. We'll take it from there — no lengthy questionnaires, no commitment required at this stage.

ACE MATES · Discovery Registration
Start your discovery session
No commitment required. We'll contact you to arrange the discovery session.
What happens after you register
01
Within 24 hours
We acknowledge your registration
A personal email from Amit or a team member confirming receipt and proposing two time slots for your discovery session.
02
Within 3–5 days
Discovery session (60–90 min)
A structured conversation — your current maturity, priorities, constraints, and goals. Video call or in-person. No slides, no pitch. We listen and map.
03
Within 48 hours after session
Service configuration proposal
A short written summary of what we heard, our recommended engagement mode (Plan A or Plan B), and proposed scope with transparent pricing. No surprises.
04
You decide
No pressure, no clock ticking
Take the time you need to review. If you want to proceed, we agree scope and start. If not, the discovery session itself — and everything we shared — is yours to keep.
The discovery session costs nothing. Even if you don't proceed, you'll leave with a clearer picture of your current security and compliance posture.
// Or reach us directly

Prefer to just send an email?

Drop us a line with your company name and what's on your mind. We'll take it from there.