Value proposition
Services & Catalogue
Proven sovereignty
EU data residency, legal control, European encryption and HSMs, documented subcontracting chains.
Compliance by design
Evidence packs, ICT registers (DORA), exit plans (Data Act), identity and trust (eIDAS/EUDI).
Measurable delivery
SLA/SLO commitments, KPI/OKR tracking, contractual reversibility, interoperability (open formats and APIs).
Service Catalogue & Indicative Pricing (EUR, ex-VAT)
| Code | Service | Description | Key Deliverables | Scope (weeks) | Price Range |
|---|---|---|---|---|---|
| AUDIT | Sovereignty & Compliance Fast-Track Audit (GDPR + NIS2) | Accelerated, end-to-end assessment of sovereignty and compliance posture. We map data, assets, and flows; analyze gaps against key requirements (GDPR: lawful bases, records of processing, DPIA, data subject rights; NIS2: risk governance, logging, incident response, continuity, supply chain); evaluate technical/organizational controls; and verify data residency and resilience. Includes stakeholder workshops, document review, and technical sampling (IAM, encryption, logs, backups). Executive and operational readout: prioritized risk register, 30/60/90-day quick wins, remediation backlog, RACI, tracking KPIs, and a compliance trajectory. Option: pre-built evidence pack for third-party audits. | Gap analysis, risk register, 90-day plan | 3–5 | 25k–60k |
| SLZ | Sovereign Landing Zone (EU qualified cloud) | Design and deploy a sovereign EU Landing Zone (accounts/projects, networking, security, identity) using Infrastructure as Code. Scope: network segmentation (VPC/VNet, private links), policies and guardrails, EU KMS/HSM-managed encryption, identity and access (SSO, RBAC, PAM), key/secret management, centralized logging with SIEM integration, backups, bastions, tagging/FinOps. Aligned to GDPR/NIS2 (data residency, timestamped logs, separation of duties). Knowledge transfer and documentation (runbooks, diagrams, ADRs). Option: CI/CD pipelines for environments and ready-to-use workload blueprints (Kubernetes/VM/Serverless). | LZ design, IaC, identity, logging | 5–7 | 60k–120k |
| MCP | MCP Server + EU LLM PoC | Stand up a secure enterprise assistant based on MCP (Model Context Protocol) and EU-hosted/processed LLMs. Define use cases, connect data sources (RAG, internal search), implement MCP tooling (tools, policies), guardrails (PII filtering, action limits, audit logs), and select/benchmark models (open-source or EU providers). Deploy to hardened VPC/on-prem (private networking, strong auth, key isolation). Evaluation report covering quality/recall, hallucination rate, latency/cost, security, compliance, and industrialization recommendations. Option: admin portal, telemetry, and prompt traceability. | Secure assistant, guardrails, eval report | 6–16 | 120k–260k |
| MIG | 2–3 App Migrations to qualified cloud / hardened on-prem | Migration program for 2–3 critical applications to an EU-qualified cloud or hardened on-prem platform. Steps: discovery and mapping (dependencies, data, SLAs), target strategy (rehost/refactor/re-platform), Landing Zone preparation, security hardening (IAM, zero-trust networking, secrets), CI/CD pipelines, performance/security testing, DR/backup. Detailed cut-over plan (windows, rollback, communications) and operating runbooks. Risk management (vendor contracts, licensing, compatibility), change management and handover. Outcome: minimized downtime, improved security, observability, and cost control. | Target arch, runbooks, cut-over | 9–17 | 180k–420k |
| OBS | Observability & Data Quality foundation | Establish the foundations of observability (logs/metrics/traces) and data quality. Tooling architecture (OpenTelemetry/agents, data catalog/lineage), logging standards, SLO/SLA metrics and error budgets, trace–log correlation, symptom-based alerting. On the data side: define dimensions (completeness, freshness, uniqueness, etc.), executable DQ rules in pipelines, controls at critical points, dashboards, and data contracts between producers/consumers. Integrate with incident/problem management, runbooks, and a maturity review. Result: end-to-end visibility, reduced MTTR, and higher trust in datasets. | DQ rules, SLAs, metrics, dashboards | 5–10 | 70k–160k |
| DORA | DORA/TLPT readiness audit & remediation plan | Readiness assessment for DORA and TLPT (Threat-Led Penetration Testing) for financial entities. Scope definition and critical functions, ICT asset register, risk governance, operational controls (logging, backups, incident response), third-party dependencies and continuity. Build an evidence pack, article-by-article gap mapping, prioritized remediation plan with owners and deadlines. Pre-design a TLPT program: adversary-led scenarios, threat-intel objectives, legal prerequisites, and third-party coordination. Executive readout and a compliance/resilience roadmap. | Evidence pack, ICT register, scenarios | 4–8 | 85k–190k |
| EUDI | eIDAS 2.0 / EUDI wallet integration blueprint | Integration blueprint for the European Digital Identity Wallet (EUDI) under eIDAS 2.0. Design the trust architecture (issuers, holders, verifiers), verifiable credentials & identity flows, QTSP integration and trusted lists, protocol choices and UX for journeys (onboarding, consent, selective disclosure, QES). Security: secure storage, proof-of-possession, replay protection, logging. Pilot use cases (KYC, qualified e-signature, application access), KPIs (conversion, latency, fraud prevented), and governance (attribute lifecycle, revocation). Compliance dossier and industrialization plan. | Trust architecture, pilots, KPIs | 8–16 | 220k–480k |
| RUN | Managed Sovereign Ops — NOC/SOC/FinOps | Sovereign managed operations with NOC/SOC/FinOps. 24/7 monitoring, detection and response, change and vulnerability management, patching, backups/DR tests, compliant log retention. SOC: use cases, correlations, threat hunting, reporting, and post-incident guidance. FinOps: tag-based allocation, resource optimization, budget alerts, and monthly reviews. SLA-backed commitments (response times, availability), tailored runbooks, and monthly/quarterly steering committees. Integrates with the client's tooling or a Eurathos-managed stack. | 24/7 monitoring, incident mgmt, reports | — | 12k–45k / month |
| CIO | CIO/CISO Advisory Retainer | CIO/CISO advisory on retainer. Strategic guidance and decision support (make/buy, sovereign cloud, data/AI), program framing, steering committees, board preparation, and compliance oversight (GDPR/NIS2/DORA/eIDAS). Architecture and security reviews, vendor due diligence, RFP/RFI support, and team coaching. Includes a defined number of days per month, a priority channel, and themed sessions (cyber crises, continuity, responsible AI). Recurring deliverables: executive briefs, roadmaps, and actionable recommendations. | Board briefs, steering, reviews | — | 6k–20k / month |
Results at 90 days
- Regulator-ready compliance audit (reports and evidence).
- Operational MCP + EU LLM PoC for a concrete use case.
- Sovereign landing zone deployed and reversibility plan signed.
References & Ecosystem
- Cloud & labels: qualified European ecosystems (SecNumCloud / ENS / C5).
- AI: Mistral, Aleph Alpha (private deployments in the EU).
- Trust services: QTSP, qualified signatures, EUDI Wallet.
- Public procurement: TED/eForms and relevant CPV codes.
SLAs & SLOs
- Response: P1 within 30 min (24/7), P2 within 4 h (business hours), P3 within 2 days.
- Availability: 99.9% monthly for managed services.
- Reporting: monthly KPI/OKR dashboard, quarterly executive review.
Terms
- Prices exclude VAT, licences, cloud consumption and travel.
- Access to stakeholders, systems and documentation guaranteed by the client.
- Security clearances possible (impact on timelines and pricing).
- Changes via Change Requests in the Jira project SVC-PORTFOLIO.