
CISO as a Service (vCISO)

Your cyber governance. Compliant. On-demand. Scalable.

Why It Matters – The NIS2 Imperative and Beyond

The Network and Information Systems 2 (NIS2) and Critical Entities’ Resilience directives introduce stringent obligations regarding cybersecurity and resilience for thousands of entities across the Czech Republic, Slovakia, and the broader EU. The requirements stemming from these directives have to be transposed into national laws within set deadlines, thus altering the obligations for the target group of organizations, including critical infrastructure, essential services, and a wide range of private and public organizations in sectors such as finance, healthcare, manufacturing, energy, and ICT.

Under the local Cybersecurity Act and Critical Infrastructure Resilience Act, which transpose the two directives in the Czech Republic, and under oversight by authorities such as the Czech National Bank (ČNB), NÚKIB, and other sector-specific regulators, affected organizations are required to assign clear executive-level accountability for cybersecurity. This includes appointing a qualified Chief Information Security Officer (CISO) with the mandate to manage cyber risks, oversee incident response, and ensure ongoing regulatory compliance.

But Cybersecurity Governance Challenges Extend Well Beyond NIS2

While NIS2 and CER introduce significant changes to the regulatory landscape, effective cybersecurity governance and compliance span an expanding web of regulations, evolving threats, and operational challenges.

  • Increasingly complex regulatory landscape including GDPR, DORA, eIDAS, ISO/IEC 27001, NIST CSF, IEC 62443, and sector-specific mandates
  • Intensifying and evolving cyber threats – ransomware, supply chain attacks, state-sponsored espionage, OT/ICS disruptions
  • Acute shortage of qualified cybersecurity leadership globally, making recruitment and retention of full-time CISOs challenging
  • Heightened legal and reputational risks as executives and boards become personally accountable for cybersecurity failures
  • Demand for comprehensive auditability, real-time incident preparedness, and transparent communication with authorities such as NÚKIB, ČNB, NBÚ, ÚOOÚ, ENISA, ECB, and others

Mid-sized organizations and many regulated entities often cannot justify or find the right talent to maintain a full-time CISO. Deloitte’s CISO-as-a-Service (vCISO) offers an optimal solution – providing expert executive leadership and customized cybersecurity governance on-demand, fully tailored to your business and compliance needs.

What You Get with Deloitte vCISO

Deloitte’s vCISO offering provides you with a dedicated cybersecurity executive who becomes an integrated part of your team. Backed by Deloitte’s experts in cyber, legal, and risk advisory, our vCISO service delivers end-to-end strategic oversight tailored to your needs. Here’s what you can expect:

  • Cybersecurity Leader - Executive-level accountability aligned with NIS2 Articles 20 & 21, DORA, GDPR, ISO 27001, NIST CSF, and sectoral requirements.
  • Strategic Cybersecurity Governance - Development and management of a tailored cybersecurity governance framework grounded in global best practices and local regulatory demands.
  • Cyber Risk Management & Board Reporting - Continuous risk assessments, risk register maintenance, and succinct reporting for boards, executives, and regulators.
  • Incident Preparedness & Crisis Coordination - Comprehensive incident management frameworks including detection, response, escalation, stakeholder coordination, and crisis simulations fully aligned with local CERT / national CSIRT standards.
  • Third-Party & Supply Chain Security Oversight - Vendor and supplier risk assessments and continuous monitoring to meet relevant supply chain security obligations (e.g. Cybersecurity Act) and ENISA recommendations.
  • Awareness, Training & Human Risk Management - Customized training and awareness programs targeting employees, IT staff, and executives, emphasizing real threats and regulatory responsibilities.
  • Regulatory & Audit Readiness - Support for inspections and audits conducted by ČNB, NÚKIB, ÚOOÚ, and sectoral regulators through gap analysis, remediation plans, and regulator engagement.

How Deloitte vCISO Works

Deloitte’s vCISO is designed for maximum flexibility, scalability, and impact. We offer a variety of delivery models to match your organizational needs, risk profile, and budget.

A senior CISO-level expert dedicated part-time (typically 4–12 days per month), fully supported by Deloitte’s cyber risk, legal, and compliance teams. Perfect for mid-sized organizations requiring executive leadership without a full-time hire.

Immediate executive coverage during leadership transitions, reorganizations, or unexpected vacancies to maintain compliance, risk management, and incident readiness.

Targeted CISO expertise for specific initiatives such as NIS2 compliance implementation, security strategy development, audit preparation, or incident response testing.

Flexible SLA-based engagement allowing clients to scale advisory hours up or down according to operational or regulatory needs.

Rapid-response expert teams focused on regulatory findings, enforcement actions, cyber incidents, or audit-driven remediation to restore compliance efficiently.

Deployment of a full-time embedded CISO (or security leadership team) into your organization for temporary (6–18 months) or longer-term engagements. This model enables you to benefit from executive presence on-site combined with Deloitte’s global knowledge and resources. Ideal for complex, large-scale, or highly regulated environments where local leadership is critical.

One named Deloitte CISO supports multiple entities within a corporate group, portfolio, or public sector cluster. This model provides centralized governance, harmonized policies, group-wide cyber risk oversight, and cost-efficiency.

Partnership model where Deloitte’s vCISO works alongside your internal security leadership to mentor, enable, and complement existing teams. Helps organizations build internal capabilities while ensuring compliance and governance excellence.

A comprehensive managed service combining vCISO leadership with continuous governance operations—risk assessments, control maturity, third-party risk management, tabletop exercises, documentation, and regulator liaison—designed for organizations requiring sustained oversight without a full internal team.

Your CISO. Reimagined.

With Deloitte vCISO, you receive more than expert leadership - you gain a fully integrated governance function tailored to the evolving regulatory landscape and built for the dynamic cyber threat environment. We enable you to stay compliant, resilient, and confident under NIS2 and beyond.

Why Deloitte – Global Scale, Local Expertise

Deloitte brings unmatched global experience, local presence, and multi-sector expertise to your cybersecurity leadership challenges.

  • Cybersecurity professionals in over 150 countries delivering governance and compliance engagements across the world’s most regulated industries
  • Proven track record supporting EU entities in implementing the requirements stemming from the local Cybersecurity Act and EU regulations, such as GDPR, DORA, and sectoral mandates with a deep understanding of Czech and Slovak legal frameworks
  • Close cooperation with European and local regulators and standard bodies, such as ENISA, ECB, ČNB, NÚKIB, and NBÚ
  • Access to real-time global cyber threat intelligence, emerging regulatory trends, and proprietary governance frameworks refined through hundreds of audits and incident simulations
  • Integration of legal, risk, privacy, IT/OT security, and digital resilience disciplines ensuring a holistic, business-aligned approach

Deloitte’s combined local and global capability means you do not just get a CISO – you gain a trusted partner shaping your cyber strategy and operational resilience to meet today’s and tomorrow’s challenges.