What is a fractional CISO or CRCO?

A fractional CISO or CRCO is a senior security, risk and compliance executive embedded part-time in your leadership team. You get board-level authority and accountability without the €150K–€250K annual cost of a full-time hire.

Which regulations does NEXUS.ai cover?

EU AI Act, ISO 27001, ISO 42001, ISO 13485 (SaMD), SOC 2, GDPR, NIS2, and sector-specific obligations for HealthTech and regulated SaaS. Banking is explicitly out of scope.

How quickly can an engagement start?

Typically within 2 weeks of a signed scoping agreement. Scoping calls are 30 minutes and written proposals are delivered within 5 business days.

NEXUS.ai

AI Governance · GRC · Fractional Leadership

Compliance shouldn't
cost you the deal.

Fortune 200–grade governance, AI Act readiness, and cybersecurity leadership for scaling companies.

Request scoping → See our methodology →

Why NEXUS exists

I built NEXUS because I lived the problem it solves.

As COO of a HealthTech startup, I carried the full regulatory weight — medical-device rules, health data, security standards — that Fortune 200 companies dedicate departments to. We made it through because I'd spent fifteen years inside those departments, running those programmes at PMI, EY, PwC, and Siemens.

Most founders don't have that background. NEXUS is how I deliver it to them — replacing entire governance departments, at a fraction of the cost, as embedded leadership rather than a distant advisor.

— Hachem Elwachem, Founder

15+ YEARS · PMI · EY · PWC · SIEMENS
150+ COMPANIES AUDITED

The practitioner behind NEXUS.ai

Hachem Elwachem

Founder · Fractional CRCO · CISO · DPO

Fifteen years of operator experience inside Fortune 200 environments — Philip Morris International, EY, PwC, Siemens — leading global assurance, security, and regulatory programmes across 70+ markets.

Now embedded with scale-ups who need the same rigour without the enterprise cost structure.

Full background →

How we help

Four practices.
One senior operator.

AI Governance & Compliance

AI Act readiness, model lifecycle controls, and governance frameworks for companies building or deploying AI in regulated markets.

EU AI Act ISO 42001 NIST AI RMF Model risk

Learn more →

GRC & Cybersecurity

Certification readiness, privacy operations, and security governance that accelerate enterprise deal cycles rather than blocking them.

ISO 27001 SOC 2 GDPR NIS2 TPRM

Learn more →

Fractional Executive Leadership

Embedded CRCO, CISO, or DPO presence for board cycles, investor diligence, and regulator relationships.

CRCO CISO DPO Board reporting

Learn more →

Operations & Growth

Process design, operational scaling, and market & product readiness for new geographies or enterprise segments.

Process design Operational scaling Market entry GTM readiness

Learn more →

Proprietary Methodology

The ITCA^™ Framework

Four disciplined stages that convert regulatory complexity into operating reality.

Identify

What actually applies — regulatory scope mapped to your product, data, and jurisdictions.

Translate

Regulation converted into operational requirements your team can execute.

Control

One unified control framework mapped to every applicable standard.

Activate

Designed, governed, handed over — your team runs it independently.

ITCA™ in depth →

Recent work

Six regulatory workstreams.
One fractional executive.

HealthTech scale-up, MENA & EU — ISO 27001, ISO 42001, ISO 13485, GDPR-by-design, SOC establishment, and TPRM running in parallel. The in-house equivalent: months of senior hiring and half a million a year fully loaded.

Read the case →

Ways to work together

Three engagement models.
Structured for the stage you're at.

Fixed scope

Compliance Sprint

Regulatory mapping → control build → audit preparation.

Ongoing

Fractional CISO / CRCO

Embedded executive for board cycles, regulator contact, audit response.

Lightweight

Advisory Retainer

Senior oversight and review; your team executes.

All engagement models →

Let's see if this fits.

30-minute scoping call. Written proposal within 5 business days. Kick-off within 2 weeks of agreement.

Request scoping →

Compliance shouldn't cost you the deal.

I built NEXUS because I lived the problem it solves.

Hachem Elwachem

Four practices.One senior operator.

AI Governance & Compliance

GRC & Cybersecurity

Fractional Executive Leadership

Operations & Growth

The ITCA™ Framework

Identify

Translate

Control

Activate

Six regulatory workstreams. One fractional executive.

Three engagement models.Structured for the stage you're at.

Let's see if this fits.

Compliance shouldn't
cost you the deal.

Four practices.
One senior operator.

The ITCA^™ Framework

Six regulatory workstreams.
One fractional executive.

Three engagement models.
Structured for the stage you're at.