European Union · Lisbon HQ · EU-resident processing
An EU-resident MSSP that doesn't need a transfer impact assessment.
Our Lisbon entity processes EU customer data in-region. No Standard Contractual Clauses bolted onto a U.S. relationship. No Schrems II workarounds. No DPO arguments about whether your alert telemetry counts as a personal-data transfer. NIS2, DORA, and GDPR — handled by a European team, in Europe.
- Lisbon-based EU entity, EU-resident processing
- NIS2 incident reporting workflows (24h / 72h / 30d)
- DORA ICT third-party risk + register of information
- GDPR Article 32 controls + Article 33 breach response
Why an EU-resident MSSP matters
Schrems II made U.S. providers expensive.
Since the 2020 Schrems II ruling, every EU controller using a U.S. processor has to carry Standard Contractual Clauses, perform a transfer impact assessment, and document supplementary measures. The EU-U.S. Data Privacy Framework helped — but it's already been challenged in court and may not survive.
An EU-resident MSSP processing your data in Lisbon sidesteps the entire transfer question. Article 32 controls are met by an EU controller using an EU processor under Article 28. That's it. No transfer assessment.
For your DPO
No Article 46 transfer mechanism needed
EU controller → EU processor (us). No SCCs, no IDTAs, no transfer impact assessment, no supplementary measures memo.
For your CISO
Same SOC stack, EU-resident processing
The platform, threat intel, and analyst quality you'd expect from a global MSSP — without the Schrems II tax.
For your General Counsel
No FISA 702 / CLOUD Act exposure
An EU entity processing in Portugal isn't subject to U.S. surveillance statutes the way a U.S. provider is. That's the entire point of the post-Schrems II analysis.
EU regulatory landscape
Three frameworks, one operational reality.
NIS2 covers ~160,000 EU entities. DORA went into force January 2025 for financial firms. GDPR has been law since 2018. Most mid-market EU companies now sit under at least two of the three.
In force · transposition ongoing
NIS2
Directive (EU) 2022/2555. Covers essential and important entities across 18 sectors. 24-hour early warning, 72-hour incident notification, 1-month final report. National transposition still rolling out across member states.
NIS2 service →
In force · Jan 2025
DORA
Regulation (EU) 2022/2554. Financial entities + ICT third-party providers. ICT risk management framework, incident classification, register of information, threat-led penetration testing for significant entities.
DORA service →
In force · since 2018
GDPR
Regulation (EU) 2016/679. Article 32 technical and organisational measures. Article 33 breach notification (72-hour). Article 28 processor obligations. We are an Article 28 processor under EU jurisdiction.
Talk to us →Who we serve in Europe
EU regulated mid-market.
We're not chasing pan-European enterprise deals. We're built for the mid-market companies that just got dragged into NIS2 scope and discovered they're a year behind.
Manufacturing & logistics
NIS2 Annex I + II. Supply chain risk. Operational technology security.
Financial services
DORA scope. ICT third-party register. Incident classification + reporting.
Healthcare & life sciences
NIS2 Annex I sector 5. GDPR special-category data. EU MDR exposure.
Digital infrastructure & SaaS
NIS2 Annex I sector 8. Article 28 processor obligations. ISO 27001 auditor evidence.
Talk to us
Skip the transfer assessment. Talk to a Lisbon team.
Tell us which member state you're regulated under, what your NIS2 or DORA scope looks like, and where you are on the timeline. We'll tell you whether we're the right fit — on the call, in English or Portuguese.