
One system. Not five disconnected vendors.
DORA applies from January 2025. NIS2 transposition is reaching the Spanish mid-market now. The EU AI Act lands in waves through 2026. None of these are documentation exercises. Each one redefines how systems must be built, operated, and evidenced.
The premise
Compliance is now an engineering problem.
DORA, NIS2, and the EU AI Act don't ask for a report. They ask whether your systems are built, operated, and evidenced to a regulatory standard — every day, not once a year.
For Spanish fintechs, insurers, and energy operators in the €100M–€1B range, this is a structural mismatch. Legal advice arrives as a PDF. The auditor arrives twice a year. Nobody arrives with the engineering.
Horiuno replaces this with a single operating model
- 01 Legal interpretation translated directly into code
- 02 Controls deployed as Helm charts, Terraform, and OPA policy
- 03 Audit evidence generated continuously by the platform itself
- 04 One engagement, one team, one accountable outcome
- 05 Engineered with specialized legal and regulatory partners
The shift
Regulation has become an engineering constraint.

The system
Four disciplines. One operating layer.
DORA, NIS2, and EU AI Act controls expressed as code. Evidence accumulated as the system runs.
Data and infrastructure governed under a single policy surface. One TLS config, two regulatory regimes satisfied.
Deployment, oversight, and approvals built into the platform from day one — under EU AI Act Article 9 and 15 obligations.
Ownership wired into the engineering organisation, not bolted onto it.
The library
The same control, deployed twice. That's the difference.
Most compliance work is bespoke once and forgotten. Ours compounds.
Every engagement extends a shared library of Helm charts, Terraform modules, OPA policies, and CI/CD templates — each one mapped, in code, to specific articles of DORA, NIS2, and the EU AI Act. When the next Spanish fintech needs DORA Article 9(2) cryptographic controls, the policy already exists. We adapt; we don't rebuild. The buyer gets faster delivery and lower cost. We get a margin that improves with every client.
Share of mid-market DORA/NIS2 controls that are structurally identical across clients. Cacioppo proved this for SOC 2. We've proved it for European compliance.
Typical cycle from scoping to deployed, evidenced control increment.
One TLS configuration satisfies DORA for a Barcelona fintech and NIS2 for a Madrid energy operator. That's the compounding mechanism.
Audit evidence generated as the system runs, not assembled retrospectively.
The cadence
Built in cycles. Proven in production.
Horiuno delivers in defined increments — typically 10 to 24 weeks, €55K to €240K — replacing 18-month consulting programmes with testable, evidenced delivery.
Our value
Static Reports vs Horiuno.
Most organisations still rely on
- 01 Static reports
- 02 Manual evidence collection
- 03 Fragmented architectures across legal, audit, and IT
- 04 Duplicated effort across DORA, NIS2, and EU AI Act
This model does not scale to a €500M Spanish fintech preparing for three regulatory regimes simultaneously.
Horiuno replaces it with
- 01 Infrastructure-first delivery
- 02 Compliance encoded as platform behaviour
- 03 Continuous evidence generation
- 04 One architecture, multiple regulations satisfied
Solutions
Four ways we solve regulated transformation.
Each solution is a different entry point. All are delivered through the same engineering system and the same library.
For Spanish fintechs, payment institutions, and asset managers under DORA scope. Gap assessment, ICT risk framework, third-party register, and operational resilience controls — deployed as infrastructure, not described in a report.
Engagement: €80K–€240K | 12–24 weeks
For energy, healthcare, transport, and digital infrastructure operators newly in scope under Spanish transposition. Article 21 controls expressed in code, with continuous evidence for the CNI / INCIBE supervisory chain.
Engagement: €55K–€180K | 10–20 weeks
For firms deploying high-risk AI systems under Annex III. Risk management, data governance, technical documentation, human oversight, and post-market monitoring — built into the model lifecycle, not appended to it.
Engagement: €70K–€200K | 12–22 weeks
For funds evaluating European portfolio companies and operating partners closing compliance gaps post-investment.
Diligence: €15K–€30K | 2–3 weeks. If gaps surface, the same team executes remediation under the engagements above. One buyer, two decisions, no handoff.
Operating environments
- 01 Spanish mid-market firms (€100M–€1B revenue) under DORA, NIS2, or EU AI Act scope
- 02 European PE/VC funds and their portfolio companies
- 03 Sectors: financial services, insurance, energy, healthcare, digital infrastructure
- 04 Regulatory regimes: DORA, NIS2, EU AI Act, RGPD, ENS, Banco de España, CNMV
- 05 Delivery cycles measured in weeks

Proof
Built where regulation is real.
Horiuno's operating model was built by engineers who delivered national-scale regulated infrastructure in Germany — gematik, the German E-Rezept, and DAX-40 platforms at Siemens, Vodafone, and Union Investment — and transferred to the Spanish mid-market with specialized legal and regulatory partners.
Citizens served by national-scale regulated infrastructure delivered by the founding team.
DORA, NIS2, and EU AI Act encoded into a single library of reusable controls.
Typical engagement size. One team, fixed scope, deployed infrastructure.
Audit evidence generated by the platform itself, not assembled by humans before an audit.
The partnership
Legal interpretation. Engineering execution. One contract.
Spanish mid-market firms have not been short of legal advice on DORA and NIS2. They have been short of teams who can take that advice and ship it as production infrastructure.
Horiuno engages alongside one of Spain's leading regulatory and technology law firms, under a single delivery model. The law firm interprets. Horiuno engineers. The client gets one contract, one team, and one accountable outcome.
For a CISO or CTO, this collapses what is normally a three-vendor problem (legal counsel, audit firm, systems integrator) into one engagement.
Begin
Start with a real problem.
The right starting point is not a presentation. It is a system that needs to be built — a DORA deadline, an NIS2 supervisory letter, an AI Act gap surfaced in due diligence.
A scoping call is 45 minutes. We come with a hypothesis about what your library module looks like.