GRC Engineer
Role Summary
Ensure Qonto remains continuously compliant with key security certifications and regulatory requirements (ISO 27001, PCI DSS, DORA) by leading end‑to‑end audits. Working closely with the VP Security and your manager, you will protect Qonto’s ability to operate regulated products by transitioning compliance processes from manual evidence collection to a streamlined, automated system.
Responsibilities
- Own and deliver external and internal audits/certifications end‑to‑end with minimal findings, starting with upcoming deadlines such as the PCI DSS audit.
- Deliver meaningful tooling and automation to reduce manual evidence collection and reporting, beginning with ISO 27001 controls.
- Build and maintain the documentary corpus and control mapping for upcoming regulations (notably DORA), shifting Qonto toward continuously provable compliance.
- Translate compliance requirements into clear, actionable requests for technical teams without creating unnecessary bureaucracy.
- Prepare and defend Qonto’s compliance positions with auditors by combining the spirit of regulatory texts with pragmatic, risk‑based implementations.
What you can expect
- Rare multi‑framework exposure: Work across multiple certifications and audits (ISO 27001, PCI DSS, DSP2, PDP, DORA) rather than a single‑norm niche.
- “GRC + Automation” scope: Build tooling and scripts to transition from point‑in‑time checks to automated compliance.
- High‑stakes, fast‑paced context: Manage a high audit cadence (~6–7 external and ~5–6 internal audits per year) in a highly regulated fintech environment.
- Pragmatic methodology: Value risk‑based argumentation and strike a balance between strict regulatory requirements and engineering velocity.
- Cross‑functional collaboration: Act as a key bridge between Internal Control, external auditors (e.g., Mazars or Deloitte), and the Security engineering teams.
About your future manager
Report directly to the Head of Security, who approaches leadership as an engineer first, favoring technical truth over titles and hierarchy. The team is horizontal, with the manager providing context and stepping back to let people own execution. A “question everything” mindset is expected, encouraging challenge of the status quo to find leaner, more automated solutions. Your initial onboarding will be closely supported by the VP Security to transfer knowledge on current frameworks.
About You
- Proven experience owning security compliance frameworks and audits (e.g., ISO 27001, PCI DSS) end‑to‑end within regulated environments.
- Automation mindset: Hands‑on approach to problem solving and prior work building tools, scripts, or integrations to automate repetitive compliance tasks and evidence collection.
- Regulatory reasoning: Ability to constructively challenge interpretations and defend pragmatic, risk‑based compliance positions with external auditors.
- High autonomy: Strong project management skills, organizing work around an audit calendar and juggling multiple stakeholders and deadlines.
- Growth mindset: Naturally curious, able to quickly grasp technical contexts to collaborate with engineers, and motivated by working across multiple regulatory frameworks.