Compliance that runs at the speed of your product. Senior advisors who translate evolving Dutch, EU, and audit frameworks — Wwft, DORA, AI Act, Sanctions, GDPR, ISO, SOC 2 — into operational workflows your engineers can ship.
We work directly with Product and Engineering — embedding controls during the design phase, not bolting them on after launch. We automate transaction monitoring and reporting to remove operational drag, not add it.
Translate Wwft, Sanctions Act, DORA into repeatable operational workflows. Act as primary liaison with DNB and AFM. Manage UAR submissions to FIU-Netherlands and equivalent bodies.
Final escalation authority on AML, sanctions, adverse media. Enhanced Due Diligence for high-risk clients with complex UBO structures. Systematic Integrity Risk Analysis (SIRA) operated as a living document.
DORA-aligned vendor due diligence on critical fintech and banking partners. Multi-layer audit engagements. Control mapping that survives a regulator's request for evidence.
AP-compliant breach protocols. EU AI Act-aligned risk categorisation and transparency documentation. Ethical and legal review of every consequential AI deployment.
Embed controls during product design. Automate transaction monitoring and reporting. Measurable reduction in false positives — operational hours saved, not just dashboards.
Strategic advisor on the Risk Acceptance Forum. Senior-management alignment of growth appetite and risk-based decisions. Specialised training: AML, Sanctions, GDPR, AI ethics.
| Framework | Coverage | Operational output |
|---|---|---|
| DORA (Digital Operational Resilience Act) | ICT risk, third-party risk, incident reporting, resilience testing, information sharing | Control library · vendor mapping · incident runbooks |
| Wwft (Dutch AML Act) | Customer due diligence, UBO verification, transaction monitoring, UAR submission | SIRA · CDD workflows · FIU pipeline |
| EU AI Act | Risk classification, transparency obligations, conformity assessment, post-market monitoring | AI risk register · model cards · HITL gates |
| GDPR | Lawful basis, DPIA, breach notification, data subject rights, international transfers | DPIA library · AP-ready breach protocol |
| Sanctions Act | Screening, designation lists, evasion typologies, escalation thresholds | Real-time screening · automated escalation |
| NIS2 · CER | Critical-entity resilience, supply-chain security, incident notification | Control mapping · regulator coordination |
| ISO 27001 · 27701 · 42001 | Information security, privacy information management, AI management system controls | Control register · audit evidence · corrective-action tracking |
| SOC 2 (Trust Services Criteria) | Security, availability, confidentiality, processing integrity, privacy control evidence | TSC mapping · evidence pack · exception register |
| EBA Guidelines | ICT and security risk, outsourcing, ML/TF risk factors | Outsourcing register · control evidence |
We do not staff out generic auditors. Every Ophanix compliance engagement is led by a senior practitioner with named regulator relationships — operating inside your team for the duration.
Named senior accountable for AML, sanctions, or data protection. Regulator-facing. Operates 2–3 days per week with on-call escalation. Ideal for Series B–D fintechs.
Full-time embedded team for DORA readiness, AI Act conformity, or AML remediation. Architecture-led. Integrated with engineering. Time-boxed to outcome, not retainer.
Quarterly Risk Acceptance Forum participation. Annual SIRA refresh. On-call for inspections, incidents, novel regulatory questions. Lightweight, durable, defensible.
Senior practitioner introduction within five business days. Operations brief in 30. We do not do strategy decks — we do controls, evidence, and regulator relationships.