Our Value Proposition
Proven sovereignty. EU-only data residency and legal control, strong encryption and EU HSMs, fully documented subcontractor chains.
Compliance by design. Evidence packs, third-party (TIC) registers (DORA), exit plans (Data Act), identity and trust enablement (eIDAS/EUDI).
Measurable execution. Clear SLA/SLO commitments, KPI/OKR tracking, contractual reversibility, and interoperability (open formats & APIs).
Service Catalogue & Indicative Pricing (EUR, ex‑VAT)
| Code | Service | Description | Key Deliverables | Scope (weeks) | Price Range (EUR) |
|---|---|---|---|---|---|
| AUDIT | Sovereignty & Compliance Fast-Track Audit (GDPR + NIS2) | Accelerated, end-to-end assessment of sovereignty and compliance posture. We map data, assets, and flows; analyze gaps against key requirements (GDPR: lawful bases, records of processing, DPIA, data subject rights; NIS2: risk governance, logging, incident response, continuity, supply chain); evaluate technical/organizational controls; and verify data residency and resilience. Includes stakeholder workshops, document review, and technical sampling (IAM, encryption, logs, backups). Executive and operational readout: prioritized risk register, 30/60/90-day quick wins, remediation backlog, RACI, tracking KPIs, and a compliance trajectory. Option: pre-built evidence pack for third-party audits. | Gap analysis, risk register, 90-day plan | 3–5 | 25k–60k |
| SLZ | Sovereign Landing Zone. EU qualified cloud | Design and deploy a sovereign EU Landing Zone (accounts/projects, networking, security, identity) using Infrastructure as Code. Scope: network segmentation (VPC/VNet, private links), policies and guardrails, EU KMS/HSM-managed encryption, identity and access (SSO, RBAC, PAM), key/secret management, centralized logging with SIEM integration, backups, bastions, tagging/FinOps. Aligned to GDPR/NIS2 (data residency, timestamped logs, separation of duties). Knowledge transfer and documentation (runbooks, diagrams, ADRs). Option: CI/CD pipelines for environments and ready-to-use workload blueprints (Kubernetes/VM/Serverless). | LZ design, IaC, identity, logging | 5–7 | 60k–120k |
| MCP | MCP Server + EU LLM PoC | Stand up a secure enterprise assistant based on MCP (Model Context Protocol) and EU-hosted/processed LLMs. Define use cases, connect data sources (RAG, internal search), implement MCP tooling (tools, policies), guardrails (PII filtering, action limits, audit logs), and select/benchmark models (open-source or EU providers). Deploy to hardened VPC/on-prem (private networking, strong auth, key isolation). Evaluation report covering quality/recall, hallucination rate, latency/cost, security, compliance, and industrialization recommendations. Option: admin portal, telemetry, and prompt traceability. | Secure assistant, guardrails, eval report | 6–16 | 120k–260k |
| MIG | 2–3 App Migrations to qualified cloud / hardened on-prem | Migration program for 2–3 critical applications to an EU-qualified cloud or hardened on-prem platform. Steps: discovery and mapping (dependencies, data, SLAs), target strategy (rehost/refactor/re-platform), Landing Zone preparation, security hardening (IAM, zero-trust networking, secrets), CI/CD pipelines, performance/security testing, DR/backup. Detailed cut-over plan (windows, rollback, communications) and operating runbooks. Risk management (vendor contracts, licensing, compatibility), change management and handover. Outcome: minimized downtime, improved security, observability, and cost control. | Target arch, runbooks, cut-over | 9–17 | 180k–420k |
| OBS | Observability & Data Quality foundation | Establish the foundations of observability (logs/metrics/traces) and data quality. Tooling architecture (OpenTelemetry/agents, data catalog/lineage), logging standards, SLO/SLA metrics and error budgets, trace–log correlation, symptom-based alerting. On the data side: define dimensions (completeness, freshness, uniqueness, etc.), executable DQ rules in pipelines, controls at critical points, dashboards, and data contracts between producers/consumers. Integrate with incident/problem management, runbooks, and a maturity review. Result: end-to-end visibility, reduced MTTR, and higher trust in datasets. | DQ rules, SLAs, metrics, dashboards | 5–10 | 70k–160k |
| DORA | DORA/TLPT readiness audit & remediation plan | Readiness assessment for DORA and TLPT (Threat-Led Penetration Testing) for financial entities. Scope definition and critical functions, ICT asset register, risk governance, operational controls (logging, backups, incident response), third-party dependencies and continuity. Build an evidence pack, article-by-article gap mapping, prioritized remediation plan with owners and deadlines. Pre-design a TLPT program: adversary-led scenarios, threat-intel objectives, legal prerequisites, and third-party coordination. Executive readout and a compliance/resilience roadmap. | Evidence pack, TIC register, scenarios | 4–8 | 85k–190k |
| EUDI | eIDAS 2.0 / EUDI wallet integration blueprint | Integration blueprint for the European Digital Identity Wallet (EUDI) under eIDAS 2.0. Design the trust architecture (issuers, holders, verifiers), verifiable credentials & identity flows, QTSP integration and trusted lists, protocol choices and UX for journeys (onboarding, consent, selective disclosure, QES). Security: secure storage, proof-of-possession, replay protection, logging. Pilot use cases (KYC, qualified e-signature, application access), KPIs (conversion, latency, fraud prevented), and governance (attribute lifecycle, revocation). Compliance dossier and industrialization plan. | Trust architecture, pilots, KPIs | 8–16 | 220k–480k |
| RUN | Managed Sovereign Ops — NOC/SOC/FinOps | Sovereign managed operations with NOC/SOC/FinOps. 24/7 monitoring, detection and response, change and vulnerability management, patching, backups/DR tests, compliant log retention. SOC: use cases, correlations, threat hunting, reporting, and post-incident guidance. FinOps: tag-based allocation, resource optimization, budget alerts, and monthly reviews. SLA-backed commitments (response times, availability), tailored runbooks, and monthly/quarterly steering committees. Integrates with the client's tooling or a Eurathos-managed stack. | 24/7 monitoring, incident mgmt, reports | — | 12k–45k / month |
| CIO | CIO/CISO Advisory Retainer | CIO/CISO advisory on retainer. Strategic guidance and decision support (make/buy, sovereign cloud, data/AI), program framing, steering committees, board preparation, and compliance oversight (GDPR/NIS2/DORA/eIDAS). Architecture and security reviews, vendor due diligence, RFP/RFI support, and team coaching. Includes a defined number of days per month, a priority channel, and themed sessions (cyber crises, continuity, responsible AI). Recurring deliverables: executive briefs, roadmaps, and actionable recommendations. | Board briefs, steering, reviews | — | 6k–20k / month |
90‑Day Outcomes
Regulator‑ready compliance audit (reports & evidence).
Operational MCP + EU LLM PoC for a concrete business use case.
Sovereign landing zone deployed, with a signed reversibility plan.
References & Ecosystem (EU)
Cloud & labels: European qualified ecosystems (e.g., SecNumCloud / ENS / C5).
AI: Mistral, Aleph Alpha (private deployments in the EU).
Trust services: QTSP, qualified signatures, EUDI Wallet integration.
Public procurement: support across TED/eForms and relevant CPV codes.
Assumptions & Exclusions (pricing)
Prices exclude VAT, software licences, public cloud consumption, and travel.
Client ensures timely access to stakeholders, systems, and documentation.
Security‑cleared personnel or additional background checks may affect pricing and lead time.
Changes are governed via Change Requests (CRs) in Jira project SVC‑PORTFOLIO.
SLAs & SLOs (high‑level)
Response: P1 within 30 minutes (24/7), P2 within 4 hours (business hours), P3 within 2 business days.
Availability: Managed services target a 99.9% monthly SLO for the monitoring plane; project work is best‑effort within the agreed sprint cadence.
Reporting: Monthly KPI/OKR dashboard; quarterly executive review.
Procurement & CPV Mapping (guidance)
CPV 72220000‑3 (Systems & technical consultancy), 72500000‑0 (IT services), 72260000‑5 (Software support), 72250000‑2 (System & support services).
We support TED/eForms and national frameworks; we can align to Lot structures and award criteria weighting.