Michael (Georg) Speller
Bridging Law, ICT Operations & Best Practices
Experience
Freelance compliance & IT regulatory consultant
Various financial institutions and regulated companies
- Consulting financial institutions on implementing DORA and NIS2 requirements
- Gap analyses between existing governance structures and new regulatory requirements
- Creation and revision of policies, process descriptions, contract annexes, and technical-organizational measures
- Design of digital operational resilience testing programs (DORA Art. 24–25)
- Third-party risk management: building third-party registers, LEI matching, value chain analysis
- Training internal staff on DORA/NIS2 requirements
- Negotiation and renegotiation of outsourcing contracts according to DORA/NIS2 guidelines
- Technologies/frameworks used: DORA, NIS2, EBA guidelines, BaFin requirements, NIST CSF, ISO 27001
- Engagements are subject to strict NDAs
IT-Audit Defense Manager
DÜRR AG
- Defending IT findings raised by the auditors in the annual financial statement audit
- Coordinating countermeasures across multiple project streams
- Interface between business departments, IT, and external auditors
- Quality assurance of communication and technical concepts
- Reporting remediation measures to the supervisory board
- Proactive advice to business units on NIS2, KRITIS, ISO 27001, TISAX, and SAP authorization concepts
- Outcome: successful approval by auditors, all critical findings closed
- Technologies/frameworks used: NIS2, KRITIS, ISO 27001, TISAX, GDPR
Audit Defense Consultant
Financial institution
- Support and defense during the EBA/ECB regulatory audit
- Head of mission on the client side during the on-site inspection (OSI)
- Coordinating all internal stakeholders during the audit
- Preparation and support for interviews with regulatory authorities
- Review and preparation of documents for regulatory requirements
- Development of remediation plans for identified gaps
- Outcome: successful completion of the OSI without major remarks
- Technologies/frameworks used: EBA guidelines, MaRisk, BAIT, ECB regulatory requirements
- Detailed information is subject to NDA
Senior IT-Compliance Consultant
Stuttgarter Insurance
- Design and management of the complete outsourcing process from on-premises systems to the Microsoft 365/Azure cloud
- Compliance assessment under DORA, NIS2, EIOPA guidelines, and VAGO/VAIT
- Due diligence and audit of cloud service providers and MSPs
- Creation of new internal procedures and risk management methodology
- Training employees (outsourcing management, legal department, FinOps)
- Registration of the project via BaFin's MVP portal
- Documenting board decisions according to regulatory requirements
- Outcome: successful BaFin approval, go-live without findings
- Technologies/frameworks used: Microsoft 365, Azure, EIOPA guidelines, VAGO/VAIT, DORA (preparation)
IT-Governance Strategy Consultant
Zwilling AG
- Development of global IT governance for 14 countries, considering different compliance requirements (EU, APAC, US)
- Transition to SIAM (Service Integration and Management)
- Preparation of a continuous auditing framework
- Ensuring international data protection requirements (GDPR, APAC privacy laws, US regulations)
- Technologies/frameworks used: SIAM, GDPR, multi-jurisdictional compliance
IT Compliance & Outsourcing Advisor
Bank Norddeutschland
- Risk assessment of IT third-party services and outsourcing according to MaRisk 08/2021
- Process adjustments in IT governance and IT security
- Auditing IT service providers for compliance
- Training on Segregation of Duties and Three Lines of Defense
- Creation of playbooks for major IT incidents
- Technologies/frameworks used: MaRisk 2021, Three Lines of Defense, IT Incident Management
Cloud Outsourcing Advisor
Großbank Hessen
- Due diligence for public cloud outsourcing initiatives
- Analysis of subcontractor value chains
- Assessment against MaRisk 2021, BAIT 2021, and EBA Guidelines (Outsourcing, ICT Risk Management)
- Contract analysis and renegotiation with hyperscalers
- Review of audit and instruction rights in cloud contracts
- Technologies/frameworks used: AWS, Azure, Google Cloud, MaRisk, BAIT, EBA Guidelines
Senior Cloud Compliance Consultant
TeamBank Bayern
- Risk analysis of cloud outsourcing under MaRisk 2021 and BAIT 2021
- Renegotiation of standard contracts with hyperscalers
- Due diligence with AWS, Microsoft, Google, Genesys
- Analysis of subcontractor chains and contractual audit rights
- Technologies/frameworks used: AWS, Azure, Google Cloud, Genesys, MaRisk, BAIT, EBA Guidelines
IT Outsourcing & Cloud Governance Advisor
Oldenburgische Landesbank
- Scenario-based risk analysis for cloud outsourcing
- Gap analysis of contractual provisions against regulatory requirements
- Reorganization of internal governance structures
- Auditing of subcontractor value chains
- Contract negotiations with AWS, Microsoft, Google, SAP, and Salesforce
- Preparation for the BaFin §44 KWG audit on outsourcing topics
- Technologies/frameworks used: AWS, Azure, Google Cloud, SAP, Salesforce, MaRisk 2021, BAIT, ENISA Cloud Certification
Cloud Outsourcing Consultant
dwpbank
- Risk analysis of cloud outsourcing for banking service providers
- Gap analysis between customer contracts, provider contracts, and EBA Guidelines
- Establishment of Three Lines of Defense governance
- Negotiations with around 300 institutional banking clients on compliance requirements
- Technologies/frameworks used: EBA Guidelines, Three Lines of Defense, multi-tenant banking
IT-Audit Defense Task Force Manager
Viridium SE
- Task force to correct BaFin findings and recommendations in IT outsourcing
- Reassessment of IT outsourcing risks
- Gap analysis against EIOPA requirements
- Restructuring IT outsourcing and IT security governance (Three Lines of Defense)
- Revision of IT reporting according to VAIT requirements
- Result: Successful BaFin follow-up audit, all recommendations closed
- Technologies/frameworks used: Solvency II, §32 VAG, MaGo, VAIT, EIOPA, GDPR
Head of Central Outsourcing Management
LBBW (Landesbank)
- Established a group-wide outsourcing management function (second line of defense) for Germany, the UK, the US, and Singapore
- Assessed matters for outsourcing relevance under MaRisk AT 9
- Gap analyses between EBA, FCA, and MAS requirements and the current status
- Monitored regulatory updates in all branches
- Advised business units on risk analyses (cloud, KRITIS, cyber security)
- Implemented EBA Guidelines on Outsourcing group-wide
- Introduced standardized provider evaluation standards
- Technologies/frameworks used: MaRisk AT 9, EBA Guidelines, FCA, MAS, multi-jurisdictional compliance
IT-Audit Defense Lead
Finanz Informatik (Sparkassen-Finanzgruppe)
- Supported remediation projects after ECB audits
- Restructured outsourcing assessments according to §25 KWG, MaRisk, and BAIT
- Reassessed significant outsourcing arrangements
- Revised IT reporting according to BCBS 239
- Developed a contract template library for technicians, lawyers, and procurement
- Advised on provider contract negotiations
- Prepared for the establishment of a central outsourcing management function
- Technologies/frameworks used: §25 KWG, MaRisk, BAIT, MaGo, KRITIS, GDPR, BCBS 239
IT-Outsourcing Governance Manager
Postbank AG
- Redesigned contracts and governance after audit restructuring
- Defined new governance and organizational interfaces
- Optimized provider management processes
- Revised IT reporting according to BCBS 239 and MaRisk 2016
- Implemented provider management toolsets
- Technologies/frameworks used: KWG, MaRisk 2016, BCBS 239, provider management
IT-Audit Defense Consultant
ING-DiBa
- Prepared for a §44 KWG BaFin audit
- Led projects on operational governance and outsourcing as a backup solution
- Defined technical and organizational interfaces
- Established provider management
- Technologies/frameworks used: §44 KWG, MaRisk, provider management
KRITIS IT Governance Manager
Amprion GmbH
- Project lead for “Design operative Governance” (design of operational governance) for critical infrastructure
- Definition of technical and organizational interfaces
- Mapping of GRC processes for the energy sector
- Creation of RACI matrices and cross-reference tables
- Definition of information governance and KPIs
- Documentation of processes in ARIS as value chains
- Technologies/frameworks used: KRITIS (energy), EnWG, GRC, ARIS
Industry Experience
Experienced in Banking and Finance, Manufacturing, Insurance, and Energy.
Business Area Experience
Experienced in Information Technology, Audit, Legal, Project Management, and Operations.
Summary
There are hardly any areas where so many hobby lawyers gather as in IT compliance. That may seem cheaper at first, but nowadays it often gets expensive due to the EU-wide paradigm shift from voluntary best practices to mandatory regulations and the personal liability of management.
As a law graduate and computer scientist with extensive IT service, risk management, and audit prep & defense expertise, I close the gaps between mandatory law, ICT operations & best practices.
Legal laypersons often miss the accompanying norms in commercial, civil, and criminal law—and thus underestimate the new acute recourse risks when advice is insufficient.
As an expert in regulatory implementation and best practices, I bring around 30 years of experience as an operational lawyer as well as an IT service and outsourcing manager.
My topics: DORA | NIS2 | AI-Act | CRA | CSA | DNA | Audit-Prep & Defense | Third-Party Risk Management (TPRM) | EU-Compliance | ISO 2700x | BSI basic protection | GRC | ToM | sfO | procedures | measures | policies | processes | ICS
SERVICE PROFILE:
IT Regulation & EU Compliance
- Focus areas: management liability, audit preparation: DORA, NIS2, AI Act, CRA, CSA
- Frameworks: SOX, IDW, NIST, ISO 2700x, ITIL, COBIT
Audit Prep, Management & Defense (High-End)
- Regulatory audits: preparation and support for on-site inspections (OSI) by ECB, BaFin (§ 44 KWG), CSSF, FINMA
- Post-audit follow-up: support for IT year-end audits (JAP), efficient remediation and mitigation of findings
Third-Party Risk Management (TPRM) & Governance
- 20 years of experience in outsourcing management with complex value chains
- Implementation of xBOM
- Support for complex outsourcing negotiations
- Exit strategies
Project Support, Training & Second Opinion
- Proactive, complementary compliance support for ICT projects
- Sparring partner for project management teams
- Management workshops on legal competence requirements (Fit & Proper)
Background & Qualifications
- Academic degree: dual qualification as law graduate (Univ.) & Diploma in Computer Science (FH)
- Certifications (selection): CISA, CISSP, BSI basic protection, CSA Auditor, ITIL v2/v3
Industry Portfolio
- Banks & insurance, ICT service providers, automotive industry, telecommunications, energy, healthcare, ...
Confidentiality (NDA & GDPR) Due to my work in sensitive areas – supporting regulatory audits and resolving critical findings – engagements are usually subject to NDAs. References can be discussed technically. Disclosure of sensitive information or personal data is governed by NDA and GDPR.
Skills
DORA compliance
NIS2 implementation
CRA
AI Act / AI regulation
IT audit defense
Third-party risk management
Cloud governance
Cyber resilience testing
Outsourcing management
Regulatory due diligence
Consulting, preparation, and follow-up for IT compliance audits, year-end audits (JAP), and on-site inspections (OSI) by EU and national authorities
Implementation of regulatory requirements and integration of international standards (DORA, NIS2, AI Act, EBA, EIOPA, ESMA, ENISA, ISO, IEC, NIST, ITIL, BSI C5)
Documentation, sfO and policy management, as well as product, service, and solution descriptions
Proactive compliance support for IT projects
Creation of risk and vulnerability analyses
Derivation of corrective measures
Automation of compliance and control processes where possible
Identification, assessment, and management of IT and third-party risks
Development of measures, security concepts, resilience tests, xBOM strategies
Establishment of sustainable IT governance
Simulation, support, and defense of IT audits, OSIs, and regulatory inspections (ECB, BaFin, FINMA, BSI)
Assistance with contract negotiations, outsourcing, and due diligence processes
Checking compliance gaps to avoid findings and fines
Support through the regulatory paradigm shift from "best practice" to "compliance obligation"
Harmonization of international frameworks: DORA 2025, IDW PS 528, IEC 62443, BSI TR-03183, NIST SSDF, SBOM, etc.
Training videos for online learning systems in the regulatory field
Planning and conducting workshops to meet legal competence requirements
Awareness programs for management and specialist departments
EU regulation: DORA, NIS2, CER, CRA (Cyber Resilience Act), AI Act, DSA, DMA, Data Act
Financial supervision: EBA, EIOPA, ESMA, MaRisk, BAIT, VAIT, EBA Guidelines
Data protection & security: ENISA guidelines, ISO 27001, TISAX, BSI basic protection, NIST CSF
KRITIS: BSI, IT Security Act, critical infrastructures
IT audit preparation, management, and defense (ECB, BaFin, FINMA, auditors)
Third-party risk management and supply chain management
Cloud governance (AWS, Azure, Google Cloud, Salesforce)
Digital operational resilience testing (DORA, TLPT)
IT outsourcing: contract negotiation, due diligence, exit management
Incident management and cyber security response
Governance, risk & compliance (GRC) frameworks
ITIL, COBIT, ISO 27001, NIST, Three Lines of Defense
Risk assessment and risk management framework
Contract management and SLA design
DevSecOps security assessment
Business continuity management (BCM)
Cloud platforms: AWS, Microsoft Azure, Google Cloud Platform, Salesforce
Compliance tools: GRC platforms, risk assessment tools, audit management systems
Security tools: Nessus, SIEM systems, vulnerability scanners, penetration testing tools
Documentation: ARIS, Visio, Confluence, SharePoint
Project management: MS Project, Jira, Agile/Scrum methodologies
Standards & frameworks: ITIL, COBIT, ISO 27001, NIST CSF, CIS Controls, OWASP
Quick onboarding to complex regulatory requirements
Bridge builder between technology, law, and business
Pragmatic, implementation-focused consulting
Proven successes in audit defense
Train-the-trainer expertise
Financial services (banks, insurance, asset management)
Critical infrastructures (energy, telecommunications)
Industry and SMEs
IT service providers
Remote and on-site (DACH region)
Flexible project durations (interim management, project consulting, task force)
Education
Diploma in Computer Science (FH) · Information and communication sciences
Business Administration studies · Business Administration, Organization
Law degree, 1st state exam · Law
Certifications & licenses
Building an ISO 27001-Compliant Cybersecurity Program: The Annex A Controls
LinkedIn Learning
Location: Arbon, Switzerland