Compliance Consultant
PARIS, 75
1 day ago
The Role
We are looking for an experienced cybersecurity and compliance professional with strong knowledge of the EU Cyber Resilience Act (CRA).
In this role, you’ll work directly with clients to assess and improve their CRA readiness, leading gap analysis, shaping compliance frameworks, and supporting ongoing alignment. A particular focus will be on vulnerability management and incident reporting requirements under Article 14. This is a hands-on, client-facing role suited to someone comfortable working across hardware, embedded systems, and cloud or SaaS environments.
Key Responsibilities
- Lead CRA scoping exercises to determine product classification (default, Important Class I/II or Critical) across hardware, software and connected infrastructure
- Conduct gap analysis workshops to assess clients' current security posture against CRA requirements
- Design and implement CRA compliance frameworks within GRC platforms (e.g. Vanta, ServiceNow GRC)
- Advise on Article 14 obligations including the definition of "severe incidents" and "actively exploited vulnerabilities," and establish reporting processes to ENISA and relevant CSIRTs
- Advise on corrective measure notification timeframes and patching obligations in line with regulatory requirements
- Define SBOM (Software Bill of Materials) requirements and support clients in establishing SBOM processes where applicable
- Map CRA controls to existing client frameworks (e.g. ISO 27001, SOC 2, NIS2)
- Produce client-ready proposals, compliance roadmaps and remediation plans
- Deliver ongoing advisory and retainer-based support after the initial engagement
Essential Skills
- Demonstrable experience with the EU Cyber Resilience Act, including its product scope, classification criteria and Article 14 reporting obligations
- Familiarity with ENISA and CSIRT reporting mechanisms and processes
- Strong understanding of vulnerability management, incident response and secure development lifecycle (SDL/SSDLC)
- Experience working with connected hardware and software products (e.g. IoT, telematics, embedded systems)
- Experience with GRC tooling such as Vanta, Drata or equivalent
- Ability to advise on SBOM generation and management (e.g. CycloneDX, SPDX formats)
- Knowledge of complementary EU regulatory frameworks including NIS2 and GDPR
- Excellent written and verbal communication skills, with the ability to translate regulatory requirements into practical client guidance
- Comfortable leading workshops and stakeholder engagements at technical and executive level
Desirable Skills
- Knowledge of relevant product certification schemes and EU market access requirements
- Multilingual ability (French is a strong advantage given the client base)
- Prior experience in automotive, telematics or connected vehicle sectors
Qualifications
- Degree in Computer Science, Information Security, Law or a related discipline (or equivalent experience)
- Relevant certifications such as CISSP, CISM, ISO 27001 Lead Implementer or equivalent
- Formal training or certification in EU cybersecurity regulation is advantageous
Company
Instil
Publishing platform
WHATJOBS