Quanloop runs a regulated investment firm in Cyprus together with supporting entities in Limassol, Budapest and Tallinn. The CISO / ICT Compliance Officer holds the second-line governance of information and ICT security across the group, with a direct mandate to the Cyprus investment firm and its Board.
The role is based in Limassol and reports to the CEO. It has a direct, unfiltered line to the CIF Board and the right to call an extraordinary Board session on ICT risk matters. It is a peer to the Chief IT Officer (CIF ICT Manager), who runs the first line. Regular travel to Budapest is part of the role.
This is a governance and assurance role. The CISO designs the framework, sets the controls, tests them, signs the regulatory artefacts and reports to the Board. The CISO does not build, write, run, administer or operate the systems being governed.
Core responsibilities
- ICT risk management framework. Author and maintain the group-wide ICT risk framework: risk appetite, taxonomy, methodology, treatment standards. Material changes go to the Board.
- ICT asset inventory and classification. Own the methodology and the approved register of ICT assets, with criticality and dependency classification. Verify completeness and challenge the first line where the inventory is thin.
- Control framework and testing. Define the control catalogue, set design and operating effectiveness standards, and run the independent testing programme. Findings are tracked to closure.
- Register of Information. Sign and maintain the Register of Information for third-party ICT arrangements on the regulator’s expected cadence.
- Incident management and C700 reporting. Classify major ICT-related incidents, decide on notification, and deliver regulator-facing reporting within the applicable thresholds and timing rules. Detection and response sit with the first line; classification, escalation and reporting sit here.
- Annual testing programme. Design and run the annual ICT testing programme aligned to DORA Articles 24 to 27, including scope, frequency, provider selection and remediation tracking.
- Evidence vault. Maintain a controlled evidence repository for policies, control evidence, test results, incident records, third-party assessments and Board reporting. Regulator and auditor inspections rely on it.
- Annual reports. Produce the ICT Risk Annual Report and the ICT section of the Compliance Annual Report, signed and submitted through the established governance route.
- Internal Procedures Manual, ICT chapter. Own the ICT chapter of the Internal Procedures Manual and the Form 87-00-22 mapping, kept consistent with the framework and the Register.
- CISO mandate and Board reporting. Maintain the CISO mandate document, deliver quarterly ICT risk reporting to the Board, and issue an annual statement of effectiveness on the ICT control environment.
- Regulator and authority liaison. Set the standard for how the group communicates with regulators and authorities on ICT risk, information security and operational resilience matters: regulatory submissions, incident notifications, supervisory responses, thematic reviews and ad hoc requests. Review and sign the ICT risk and security content of these artefacts before they leave the group, and ensure responses are consistent with the documented framework, the risk appetite and prior positions taken with the same authority.
- Awareness and training programme. Define the group-wide ICT security awareness and role-based training programme. Approve content, set completion standards, report participation and outcomes.
What this role is not
This role does not build, write, run, manage, administer or operate ICT or security systems. It does not own the SIEM, the identity platform, the network, the cloud estate or the engineering backlog. Those sit with the Chief IT Officer and the Head of Security in Budapest.
This is not an advisory role either. The CISO holds the mandate, signs the artefacts and carries the regulatory accountability for ICT compliance.
Requirements
Non-negotiable:
- Experience as CISO, ICT Risk & Compliance Officer or an equivalent second-line ICT compliance role in a regulated financial institution under an EU competent authority.
- Working command of DORA and the underlying regulatory technical standards: Register of Information, major incident reporting, threat-led testing, third-party ICT risk.
- Has authored and defended ICT risk and compliance documentation in front of a Board, an external auditor and a regulator.
- Able to operate independently from first-line IT and hold that independence when challenged.
Expected:
- Familiarity with the CySEC supervisory framework for Cyprus Investment Firms, including the Internal Procedures Manual and the relevant reporting forms.
- Working knowledge of recognised ICT control frameworks and how to apply them proportionately in a CIF context.
- Experience standing up or restructuring an ICT risk and compliance function in a small, multi-jurisdiction group.
- Able to work with engineering and infrastructure teams without taking over their work.
Location and working model
Limassol-based, office-first. Regular travel to Budapest is part of the role. Tallinn engagement is limited to ICT control oversight.
Language
English is the working language across the group. Regulatory artefacts, Board reporting and group-level documentation are produced in English.
Before You Apply
If you want more context before applying, the pages below may be useful:
- Benefits and rewards — details on health cover, time off, learning support and role-dependent bonus arrangements
- Our offices — information on our office-first model and locations
- Teams at Quanloop — an overview of how teams work and where this role sits
- Our story — background on the company and the way we work
This is optional reading, but it should give you a better sense of what to expect before you apply.
How to Apply
Apply with your CV. A short note is welcome, but not required.