Ideal Client Profiles

Built for Organisations That Can't Afford to Get This Wrong

Yamasuki was founded specifically for mid-market and growing organisations — companies big enough to face serious regulatory obligations, but without the internal compliance teams, budgets, or bandwidth of a large enterprise. If that sounds like you, read on.

NIS2 scope
50+ employees or €10M+ turnover in a regulated sector
DORA scope
Any ICT supplier to a bank, insurer, or investment firm
Supply chain
Even smaller companies inherited through regulated clients

Two regulations. One critical question for your business.

The starting point for every mid-market company in Ireland and the EU is determining which regulation applies — and understanding that the answer is often "both, in different ways."

DORA — Digital Operational Resilience Act
Applies directly to financial entities and, through the contractual requirements those entities must impose on their ICT providers, to the third-party suppliers that serve them. A 40-person SaaS company supplying one Irish bank is in scope contractually. Applicable since 17 January 2025.
Applies to: Any company supplying ICT services to a regulated financial entity
NIS2 — Network & Information Security Directive
Applies to medium and large organisations in 18 designated sectors (11 sectors of high criticality and 7 other critical sectors): manufacturing, healthcare, energy, digital services, transport, food production and more. Ireland is bringing 4,500–6,000 organisations into scope. National Cyber Security Bill expected 2026.
Applies to: 50+ employees or €10M+ turnover in a regulated sector
Who We Serve

Six Client Profiles We Exist to Serve

These are not generic personas. They are the six specific types of organisation whose regulatory situation, internal capability gaps, and compliance triggers align precisely with what Yamasuki delivers. If you recognise your company in one of these profiles, we can help.

Priority Client
01

ICT & SaaS Suppliers to Financial Services

50 – 500 employees
€2M – €100M revenue
Ireland, UK & EU-based
DORA (indirect) · NIS2 · Highest volume
"Our biggest client just sent us a 47-page DORA compliance questionnaire. We have six weeks to respond. We don't even know where to start."
Software houses, managed service providers, cloud platforms, data analytics firms, IT consultancies, and payroll or HR SaaS companies whose client base includes even one bank, insurer, investment firm, or regulated payment institution. DORA's third-party provisions make their regulated clients directly responsible for auditing them — which means the compliance pressure lands as a contract questionnaire, not a regulatory letter, and it lands with a deadline. This is the most common profile we work with. These companies have strong technical teams but no compliance capability, no regulatory framework, and often no awareness that they are in scope at all until the questionnaire arrives.
Primary trigger
Receiving a DORA third-party risk questionnaire from a regulated client, typically with a 4–6 week response window.
Typical gap
No formal ICT risk management framework, no incident response plan, no third-party supplier documentation.
What's at stake
Failure to respond adequately can result in contract termination or removal from the regulated client's ICT supplier register.
Timeline pressure
Usually critical — 4–8 weeks. Some companies come to us with 2 weeks remaining.
Typical first call: "We supply software to AIB / Bank of Ireland / a fintech and they've just sent us a compliance questionnaire with a deadline. Can you help us respond and get compliant quickly?"
3-Day Maturity Assessment · DORA Supply Chain Posture Audit · Advisory Retainer
Priority Client
02

Mid-Market FinTechs & Payment Processors

50 – 500 employees
Directly regulated under DORA
Central Bank of Ireland authorised
DORA (direct) · Central Bank regulated · High urgency
"We're DORA in-scope, our CBI review is coming up, and our Head of Compliance just told the board we have serious gaps in our ICT risk framework. We need senior help, fast."
Payment institutions, e-money firms, crypto-asset service providers, regulated investment platforms, insurance intermediaries, and credit servicing firms. Ireland hosts one of Europe's largest FinTech ecosystems — and most of these companies are directly regulated under DORA by the Central Bank of Ireland, with no transitional period. The challenge is that FinTechs typically build exceptional technical capability while treating regulatory compliance as secondary. That trade-off is no longer viable. Enforcement is intensifying and the CBI is actively reviewing compliance frameworks.
Primary trigger
CBI regulatory engagement, preparation for a funding round that requires compliance evidence, or a board-level risk review.
Typical gap
Strong technology but weak governance — no formal ICT risk management, incomplete incident reporting procedures, inadequate third-party risk oversight.
What's at stake
Regulatory fines, licence risk, reputational damage, and investor concern. DORA sets no single EU-wide fine cap for financial entities: penalties are set by each member state and, in Ireland, enforced by the Central Bank. The often-quoted figure of 2% of global turnover is NIS2's cap for essential entities, not DORA's.
What they need most
A credible, board-presentable compliance framework that satisfies the CBI and positions the company for growth.
Typical first call: "We're a Series B fintech with a Central Bank authorisation. DORA is live, our CBI review is coming and we're exposed. We need a programme, not a report."
3-Day Maturity Assessment · Full DORA Implementation · vCISO Retainer
Priority Client
03

Manufacturing Companies Running SAP

100 – 2,000 employees
NIS2 important entities
SAP S/4HANA or ECC environments
NIS2 important entity · SAP ECC sunset 2027 · SAP GRC / IAM
"We went live on SAP five years ago. Nobody's looked at the access controls since. We've got a NIS2 scope assessment coming and the auditors are going to find something ugly."
Mid-market manufacturers in food production, pharmaceuticals, chemicals, industrial equipment, packaging, and electronics. Most fall within NIS2, typically as important entities (large pharmaceutical manufacturers, being in a high-criticality sector, are essential entities). Most run SAP ERP environments, either S/4HANA or ECC, that have accumulated years of role changes, new joiners, and neglected access controls. Segregation of Duties conflicts are endemic. Two simultaneous pressures drive urgency: NIS2 obligations that require formal ICT risk management, and the end of SAP ECC mainstream maintenance in 2027, which forces migrations that present a critical reset moment for GRC and access control frameworks. This window will close.
Primary trigger
NIS2 scope assessment, SAP S/4HANA migration project kick-off, external audit findings, or a supply chain security questionnaire from an enterprise client.
Typical gap
SAP roles with toxic SoD combinations that have never been reviewed. Privileged accounts that exist for former employees. No formal access governance process.
What's at stake
Audit failure, fraud exposure, NIS2 fines, and loss of enterprise supplier status with major clients in pharma, retail, or public sector.
Why Yamasuki fits
Deep SAP GRC and IAM specialism combined with NIS2 expertise. No other boutique advisory combines both at this price point.
Typical first call: "We're in scope under NIS2, we're migrating to S/4HANA next year, and the board wants to know our SAP access controls are clean before we go live. Can you do both?"
SAP IAM Governance Audit · NIS2 Implementation · Compliance Standard Retainer
Priority Client
04

Healthcare, Pharma & Medical Device Organisations

50 – 1,000 employees
NIS2 essential entities
Ireland's largest regulated sector
NIS2 essential entity · €10M fine exposure · Ireland pharma hub
"We supply clinical software to three Irish hospital groups. They've told us that under NIS2, they need to audit us as a critical supplier. We have no idea what that means for us operationally."
Healthcare providers, hospital groups, pharmaceutical manufacturers, medical device companies, contract research organisations, and clinical software suppliers. Ireland is home to the largest concentration of pharmaceutical and MedTech companies in Europe. Health is a high-criticality sector under NIS2, so companies in it that exceed the medium-enterprise ceiling (250 or more employees, or turnover above €50 million) are essential entities and carry the highest fine exposure: up to €10 million or 2% of total worldwide annual turnover, whichever is higher. This sector commonly runs complex SAP environments, handles extremely sensitive personal health data, and faces overlapping GDPR and NIS2 obligations. Personal liability of management bodies under NIS2 is a particularly powerful concern for executives in this sector.
Primary trigger
NIS2 essential entity classification, supply chain audit request from a big pharma client, or regulatory inspection preparation.
Typical gap
IT security treated as an IT department problem, not a board-level governance issue. Incident response plans either absent or untested. SAP access controls unreviewed.
What's at stake
Maximum NIS2 fines apply to essential entities. Personal liability for directors. Patient data exposure. Supply contract loss with enterprise pharma clients.
Key conversation hook
Director personal liability under NIS2 is a powerful board-level concern. Yamasuki translates this into a concrete action plan.
Typical first call: "We've been told we're an essential entity under NIS2. Our legal team says the directors are personally liable if we get this wrong. We need a clear programme and a board presentation."
3-Day Maturity Assessment · NIS2 Full Implementation · Board Compliance Workshop · Executive vCISO Retainer
Strong Fit
05

Professional Services Firms

50 – 500 employees
Law firms, accountancies, consultancies
Ireland & EU
NIS2 scope assessment · Client due diligence · GDPR + NIS2 convergence
"We've just had our third large client ask us to complete a vendor security questionnaire this month. Our IT team is two people and none of them know what DORA is. This is becoming an issue."
Law firms, accounting practices, management consultancies, HR and payroll firms, and staffing agencies. These organisations handle highly sensitive client data. Few of them sit in NIS2's listed sectors in their own right, but they face a new source of compliance pressure: their large enterprise clients, banks, insurers and pharma companies among them, are beginning to require NIS2 and DORA compliance evidence as a condition of procurement. Their greatest asset is their reputation for discretion and confidentiality, which makes a security breach or compliance failure existentially threatening. They rarely have any internal technical security capability.
Primary trigger
Client procurement questionnaire, data breach scare or near-miss, NIS2 scope assessment, or losing a tender on security grounds.
Typical gap
Security relies on the IT support provider rather than a formal governance framework. No incident response plan. No awareness of NIS2 scope.
What's at stake
Loss of enterprise and regulated-sector clients, reputational damage from breach, NIS2 fines, and professional indemnity exposure.
Best entry point
3-Day Maturity Assessment followed by a Foundations Retainer. Low cost, high impact on client confidence.
Typical first call: "We're a 120-person law firm and three of our biggest clients — all in financial services — have sent us security questionnaires in the last month. We think NIS2 might apply to us. Can you help?"
3-Day Maturity Assessment · DORA Supply Chain Audit · Foundations Retainer
Strong Fit
06

Logistics, Distribution & Supply Chain Operators

100 – 1,000 employees
NIS2 important entities · Transport sector
SAP EWM / WM environments
NIS2 transport · SAP EWM / WM · Enterprise supply audits
"We run SAP EWM for a retail client's distribution operation. They've told us they need a DORA-aligned supply chain risk assessment completed before they renew our contract next quarter."
Third-party logistics providers, cold chain operators, freight forwarders, port and customs agents, and distribution companies. Where they fall under NIS2's transport or postal and courier provisions they are typically important entities; the rest are pulled in through their clients' supply chain requirements. Most operate complex SAP EWM or legacy WM environments for warehouse and logistics management, with access controls that haven't been reviewed in years. They face double pressure: NIS2 obligations and supply chain security requirements flowing down from large retail, pharma, and public sector clients. SoD conflicts in SAP EWM are common and often overlooked because the focus is on operational performance, not security governance.
Primary trigger
Enterprise client contract renewal requiring security evidence, NIS2 scope assessment, or SAP EWM upgrade or migration project.
Typical gap
SAP EWM roles assigned on operational need with no governance process. Multiple users with conflicting access. No formal ICT risk framework.
What's at stake
NIS2 fines, loss of enterprise logistics contracts, operational disruption from access control failure or ransomware targeting SAP environments.
Yamasuki advantage
Rare combination of SAP EWM/WM specialism and EU regulatory expertise. Most advisers have one or the other, not both.
Typical first call: "We operate a distribution centre on behalf of a large retailer. They've sent us a security questionnaire referencing NIS2 and DORA. We run SAP EWM and our IT team doesn't know where to start."
3-Day Maturity Assessment · SAP IAM Governance Audit · DORA Supply Chain Posture
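The SAP access-governance gaps described in profiles 03 and 06 (toxic SoD combinations, and privileged accounts still open for former employees) are usually found by joining three extracts: user-to-role assignments (AGR_USERS), the transaction codes each role grants (S_TCODE values from AGR_1251), and the user master (USR02) against an HR leaver list. The script below is an added example, not Yamasuki's tooling or an SAP-delivered report. The table names are real SAP tables, and the transaction codes are real, but the users, roles, dates and the three procure-to-pay SoD rules are constructed for illustration; a production rule set is far larger, and EWM roles need their own rules.

```python
"""SoD-conflict and orphaned-privileged-account check over SAP role data.

Added example. The inputs are constructed extracts in the shape of SAP's
AGR_USERS (user -> role), AGR_1251 S_TCODE values (role -> tcodes) and
USR02 (user master). Users, roles, dates and SoD rules are illustrative.
"""
from collections import defaultdict
from datetime import date

# As-of date for the review (assumption: the day the check is run).
AS_OF = date(2025, 6, 1)

# Constructed AGR_USERS extract: (user, role).
AGR_USERS = [
    ("JSMITH", "Z_AP_CLERK"),
    ("JSMITH", "Z_VENDOR_MASTER"),
    ("MDOYLE", "Z_AP_CLERK"),
    ("MDOYLE", "Z_PAYMENT_RUN"),
    ("AOBRIEN", "Z_BASIS_ADMIN"),
    ("PKEANE", "Z_WM_OPERATOR"),
]

# Constructed role -> transaction codes (what AGR_1251 S_TCODE rows resolve to).
ROLE_TCODES = {
    "Z_AP_CLERK": {"FB60", "MIRO"},               # post vendor invoices
    "Z_VENDOR_MASTER": {"FK01", "FK02", "XK01"},  # maintain vendor master
    "Z_PAYMENT_RUN": {"F110"},                    # automatic payment run
    "Z_BASIS_ADMIN": {"SU01", "PFCG", "SE16"},    # user/role admin, table browser
    "Z_WM_OPERATOR": {"LT01", "LT12"},            # WM transfer orders
}

# Constructed USR02-style user master: lock flag and validity end date.
USR02 = {
    "JSMITH": {"locked": False, "valid_to": None},
    "MDOYLE": {"locked": False, "valid_to": None},
    "AOBRIEN": {"locked": False, "valid_to": None},  # never locked after leaving
    "PKEANE": {"locked": False, "valid_to": None},
}

# Constructed HR leaver list: user -> last working day.
HR_LEAVERS = {"AOBRIEN": date(2024, 3, 31)}

# SoD rules: (name, tcodes on side A, tcodes on side B). Holding at least one
# tcode from each side is a conflict. Illustrative procure-to-pay rules only.
VENDOR_MASTER = {"FK01", "FK02", "XK01", "XK02"}
INVOICE_POSTING = {"FB60", "MIRO"}
PAYMENT_RUN = {"F110"}
SOD_RULES = [
    ("Maintain vendor master + post vendor invoices", VENDOR_MASTER, INVOICE_POSTING),
    ("Post vendor invoices + run payments", INVOICE_POSTING, PAYMENT_RUN),
    ("Maintain vendor master + run payments", VENDOR_MASTER, PAYMENT_RUN),
]

# Transaction codes treated as privileged for the orphan check.
PRIVILEGED_TCODES = {"SU01", "PFCG", "SE16"}


def effective_tcodes(agr_users, role_tcodes):
    """Resolve each user's union of transaction codes across all assigned roles."""
    per_user = defaultdict(set)
    for user, role in agr_users:
        per_user[user] |= role_tcodes.get(role, set())
    return dict(per_user)


def sod_conflicts(per_user, rules):
    """Return (user, rule, side_a_hits, side_b_hits) for every user/rule conflict."""
    findings = []
    for user in sorted(per_user):
        tcodes = per_user[user]
        for name, side_a, side_b in rules:
            hits_a, hits_b = tcodes & side_a, tcodes & side_b
            if hits_a and hits_b:
                findings.append((user, name, sorted(hits_a), sorted(hits_b)))
    return findings


def account_usable(record, as_of):
    """A user master record still permits logon if it is unlocked and not expired."""
    valid_to = record.get("valid_to")
    return not record.get("locked", False) and (valid_to is None or valid_to >= as_of)


def orphaned_privileged_accounts(per_user, usr02, leavers, privileged, as_of):
    """Leavers whose still-usable accounts retain privileged transaction codes."""
    findings = []
    for user in sorted(per_user):
        priv = per_user[user] & privileged
        left = leavers.get(user)
        if priv and left and left < as_of and account_usable(usr02.get(user, {}), as_of):
            findings.append((user, left, sorted(priv)))
    return findings


if __name__ == "__main__":
    per_user = effective_tcodes(AGR_USERS, ROLE_TCODES)
    for user, rule, a, b in sod_conflicts(per_user, SOD_RULES):
        print(f"SoD    {user}: {rule} ({', '.join(a)} | {', '.join(b)})")
    for user, left, priv in orphaned_privileged_accounts(
            per_user, USR02, HR_LEAVERS, PRIVILEGED_TCODES, AS_OF):
        print(f"ORPHAN {user}: left {left}, account still holds {', '.join(priv)}")
```

Run against the constructed data, the check flags JSMITH (vendor master plus invoice posting), MDOYLE (invoice posting plus payment run) and AOBRIEN, whose unlocked account still holds user and role administration a year after the HR leaving date. The point of resolving roles down to transaction codes before applying rules is that SoD conflicts in real systems almost always arise across roles that each look clean on their own.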

The hidden reach of DORA and NIS2 through supply chains

The formal regulatory thresholds — 50 employees, €10M turnover — describe who is directly in scope. But the actual impact extends far further. When a bank must comply with DORA, every company supplying digital services to that bank inherits compliance obligations contractually, regardless of size. This is how a 30-person software company finds a DORA questionnaire in its inbox.

Bank / Insurer / Investment Firm: directly regulated under DORA; must risk-assess, contractually bind and keep a register of all its ICT suppliers
↓
Your SaaS / ICT Company: receives the DORA questionnaire; contractual compliance required
↓
Your Sub-Contractors & Suppliers: also pulled in; you must document and monitor your own supply chain

Even companies with fewer than 50 employees are being pulled into compliance scope via supply chain contractual obligations — before Irish NIS2 legislation is even fully enacted.

Are You in Scope?

Quick Scope Self-Assessment

Answer five questions to get an instant indication of whether DORA or NIS2 applies to your organisation — and how urgently you should act.

Does Yamasuki's target profile match your organisation? Tick the statements that apply to your company; the assessment returns one of three indications.

You are almost certainly in scope, and you need to act now.
Based on your answers, your organisation faces real and immediate compliance obligations under DORA and/or NIS2. The cost of non-compliance (fines, contract loss, board liability) significantly outweighs the cost of getting proper advisory support. Book a free 30-minute scoping call and we'll tell you exactly where you stand.

You may be in scope, and supply chain pressure may already be reaching you.
Even if you don't meet the formal thresholds directly, your clients or customers may be pulling you into compliance obligations contractually. It's worth a 30-minute conversation to be certain.

You may be outside direct scope, but don't assume you're immune.
Even companies below the formal thresholds face supply chain compliance pressure. If any of your clients are banks, insurers, pharma companies, or public sector bodies, check whether they've started asking security questions.

Who we're not the right fit for

Honesty is part of our operating model. Not every organisation is the right client for Yamasuki — and we'll tell you that upfront rather than take an engagement we can't serve well.

Large enterprises with 2,000+ employees — if you have a substantial internal compliance function, the Big Four or large system integrators are likely a better structural fit for your scale and procurement process.
Companies genuinely outside regulatory scope — micro-businesses under 10 employees with no regulated-sector clients, who have no NIS2 or DORA exposure. We won't create a compliance problem where one doesn't exist.
Non-EU companies with no EU operations — if you have no EU-based operations, clients, or employees, DORA and NIS2 are unlikely to apply and you don't need what we provide.
Companies looking for checkbox compliance only — if you want a certificate to frame on the wall without building real operational resilience, we're not the right partner. Our work produces outcomes, not paper.
You're exactly right for Yamasuki if...
You're a growing company where compliance is becoming real and urgent but you have no internal capability to address it
You face a specific, time-pressured compliance event — a client questionnaire, an audit, a migration, or a funding round
Your board or leadership team needs to understand their obligations but doesn't speak technical security language
You run SAP and know your access controls need attention — but your implementation partner doesn't do security governance
You want a named expert who understands your business, not a rotating team of junior consultants
You want to know the total cost upfront, with no billing surprises at the end of the month

Recognise Your Organisation in One of These Profiles?

Book a free 30-minute scoping call. No sales pitch — just an honest assessment of your regulatory exposure and whether Yamasuki can help you address it. Written scope and fee within 48 hours if we can.