Services
Bridging Compliance & Innovation
With Effective Strategy & Execution
We help organisations meet regulatory expectations, without losing momentum.
Introduction
The Power of Governance
Advisory · Delivery · Training
Dawn Horizon is an Irish AI governance, cybersecurity and privacy consultancy, led by Lee Bristow, advising boards and regulated organisations across Ireland and the EU on the EU AI Act, NIS2, DORA, GDPR and ISO management systems.
Dawn Horizon helps organisations govern technology decisions, meet regulatory expectations, and bring AI to market with confidence, without losing momentum. We work at the intersection of cybersecurity, privacy, and AI governance, across three connected pillars: Advisory, Delivery, and Training.
Our clients operate where the stakes are highest, and the scrutiny is real. We partner with HealthTech innovators preparing for clinical launch, financial services firms navigating CBI and DORA expectations, engineering firms operating critical national infrastructure, insurance providers transforming digital operations, software consultancies launching agentic AI products, and specialist consultancies extending their capability through ours.
Each pillar can stand alone. Together, they create the conditions for governed, defensible, and commercially sound technology decisions.
Our Premise
Technology decisions are, in the end, human decisions.
Governance is not bureaucracy. It is leadership.
Pillar I · Advisory
Strategic counsel for leaders accountable for technology, AI, and risk outcomes.
Advisory is where most engagements begin. Boards, founders, and executive teams come to us when the regulatory landscape feels too complex to navigate alone, or when governance structures have grown in silos and require unification. Across Ireland and the EU, Dawn Horizon's advisory practice gives boards and executives independent counsel on cybersecurity, AI governance and regulatory exposure.
Board & Executive Advisory
Independent, board-level counsel for Boards, Risk Committees, and Non-Executive Directors, built around the accountability now landing on directors personally. Under NIS2 and Ireland's forthcoming National Cyber Security Bill, senior managers are responsible for approving and overseeing cybersecurity risk, and can be held personally liable for failures. We help directors get ahead of that, alongside their converging obligations under DORA and the EU AI Act. We advise the governing body on the executive, never as the executive, so the assurance an audit committee receives is genuinely independent of delivery. Complexity translated into accountability, clear decision rights, and defensible oversight.
Retained Board Advisory
A standing, independent seat at the table for cyber and AI oversight. Retained rather than project-based, we attend board and risk committee meetings through the year, brief directors on emerging obligations under NIS2, DORA, and the EU AI Act, and challenge the executive on the board's behalf. The continuity of a board member, with the independence of an outside adviser, and none of the conflict that comes from also delivering the work.
AI Governance & Product Launch Advisory
Guidance for organisations bringing AI-powered products to market, including high-risk systems under the EU AI Act. Regulatory trigger mapping, AI risk classification, and governance strategy that turns compliance into commercial advantage. Trusted by HealthTech innovators, seed-stage AI companies, and teams launching agentic AI products.
→ See it in practice: Aileen
Regulatory Strategy & Readiness
Practical positioning across the regulations that actually bear on your business, sequenced around commercial priorities rather than regulatory panic. AI governance under the EU AI Act. Cyber and operational resilience under NIS2, DORA, and the Cyber Resilience Act. Data protection under GDPR. And sector-specific obligations including the Medical Device Regulation and Central Bank of Ireland expectations. We map where each one bites, then sequence the work around what your business needs first.
Mergers, Restructures & Transformation Risk
Cyber, AI, and governance advisory through mergers, divestitures, leadership transition, digital transformation, and platform migration.
Pillar II · Delivery
Hands-on programme execution. We do the work, not just the slides.
Delivery is where governance becomes evidence. We run the programmes that regulators, boards, and auditors actually scrutinise, from integrated management system builds to remediation against fixed Central Bank deadlines, and we stay accountable for the outcome. Dawn Horizon delivers the hands-on programmes regulated organisations rely on, including integrated management systems, NIS2 and DORA readiness, regulatory remediation, and cyber and AI procurement.
Integrated Management Systems & Risk Frameworks
Regulatory obligations met through the standards built to satisfy them. We turn the EU AI Act, GDPR, DORA, and NIS2 into defensible compliance by integrating their underlying certifiable standards, ISO 27001, ISO 42001, and ISO 27701, mapped against the NIST CSF 2.0 and NIST AI RMF. One certified control set, evidenced once, defensible against every regulator and auditor, and extended to ISO 13485 and MDR where medical device obligations apply.
→ See it in practice: Alto Health
NIS2 & Cyber Resilience Readiness
Board-ready preparation for NIS2 and Ireland's National Cyber Security Bill. Entity classification, cybersecurity risk management measures, incident reporting against the 24 and 72 hour windows, supply chain security obligations, and registration readiness with the NCSC. We get essential and important entities prepared before the supervisory regime takes effect, not scrambling after it.
Operational Resilience & DORA
Operational resilience delivered as evidence, not policy. DORA implementation, ICT and third-party risk management, regulated outsourcing oversight, and resilience testing, structured for financial services firms and credit unions under Central Bank scrutiny.
Regulatory Remediation Programmes
Board-grade remediation for when a regulator has set the clock. Control mapping, evidence pack assembly, thematic review response, and remediation tracking, delivered to fixed deadlines, including Central Bank of Ireland IT risk reviews and remediation managed across concurrent mergers.
Independent Audit & Assurance
Independent reviews calibrated for investor and regulator scrutiny, covering AI governance maturity, certification readiness, control effectiveness, and governance posture validation. Assurance that holds because we never grade our own delivery.
Cyber & AI Procurement
Independent procurement leadership for SOC, SIEM, MDR, GRC tooling, AI vendors, and regulated outsourcing. We run the full process (requirements discovery, structured RFP, competitive proof-of-concept design, and telemetry-based evaluation) so the selection is commercially defensible and the governance stands up to challenge.
IT & Digital Strategy
Board-ready IT and digital strategy tied to governance objectives, operational direction, and commercial priorities. Multi-year strategy a board can approve and a regulator can follow, without generic consultancy language.
Privacy & Data Protection Engineering
Operational privacy delivery, not paperwork. DPIAs, AI impact assessments, ROPAs, SCCs and transfer mechanisms, and GDPR alignment cross-mapped to ISO 27701 and ISO 42001.
Fractional & Interim Leadership
vCISO, vDPO, and AI Governance Lead support, embedded directly into governance forums, supplier oversight, executive reporting, and regulatory engagement. Senior delivery, held to the outcome, and kept separate from the board advisory line by design.
Pillar III · Training
Capability uplift for the people who carry the work after we leave.
Training is commissioned when organisations need internal confidence, operational understanding, and governance capability that outlasts the engagement, not box-ticking compliance training. We build the people who will own the controls, answer the regulator, and carry the accountability once we step back. Dawn Horizon equips boards, executives and practitioners to govern cyber and AI risk across NIS2, DORA, the EU AI Act and ISO standards including ISO 27001 and ISO 42001.
Executive & Board Education
Board-level education for directors and executives now personally accountable for cyber and AI risk. We prepare Boards, Risk Committees, and Non-Executive Directors to meet their oversight duties under NIS2, DORA, and the EU AI Act, and to challenge their executive with the right questions, so that when a regulator asks who approved what, the board's decisions are documented and defensible.
AI Policy & Governance Design
Programmes for organisations building AI governance capability from the ground up: policy architecture, AI and agentic risk classification, operational governance artefacts, and practical implementation that teams can actually run.
Practitioner Workshops
Outcome-led workshops for the people doing the work, across ISO 27001, ISO 42001, and ISO 27701, the NIST CSF 2.0 and NIST AI RMF, DORA, NIS2, AI risk assessment, and third-party governance.
Bespoke Programmes
Custom programmes built around your situation: AI rollout governance, certification readiness, merger integration, and regulatory preparation, designed to leave capability behind rather than dependency.
Thought Leadership & Speaking
Keynotes, panels, and strategic speaking across AI governance, cybersecurity, regulatory transformation, and the future of work, at industry summits, policy launches, and executive forums.
How We Work
Governance by Design
Governance by Design is Dawn Horizon's methodology for integrating governance at the point of decision, rather than retrofitting it at the point of audit. It builds a single control set, mapped once across every obligation an organisation carries, so the same evidence satisfies multiple regulators and auditors. Every engagement produces artefacts that are usable, defensible, proportionate and operationally relevant. We work alongside in-house teams and partner consultancies as lead advisers, specialist contributors or independent assurance partners.
Usable
Built for the people who actually operate them, not to satisfy a template.
Defensible
Capable of standing up to regulators, auditors, and adversarial scrutiny.
Proportionate
Calibrated to the organisation's size, risk profile, and maturity.
Operationally Relevant
Embedded in the workflows where decisions are actually made.
Sectors
Where our work lives.
Regulated, complex, consequential: environments where governance is not optional.
HealthTech & MedTech
Clinical-launch readiness across the EU Medical Device Regulation (MDR), ISO 13485 and EU AI Act obligations, without slowing innovation.
Financial Services & Credit Unions
Central Bank of Ireland (CBI) expectations, the Digital Operational Resilience Act (DORA) and operational resilience translated into defensible operating positions for banks, credit unions and regulated financial firms.
Insurance
Operational resilience, third-party and outsourcing risk, and governance evidence for regulated insurers navigating digital transformation and DORA.
Critical National Infrastructure & Engineering
Cyber, AI and governance assurance for essential and important entities under NIS2 and Ireland's forthcoming National Cyber Security Bill, for organisations operating the systems the country depends on.
Software & AI Product Companies
Governance scaffolding for agentic AI, regulated AI products, and products with digital elements under the EU AI Act and the Cyber Resilience Act (CRA), for seed-stage innovators preparing for enterprise sale.
Specialist Consultancies & Professional Services
Capability extension for partner firms delivering governance, AI and cyber engagements alongside ours.
Common Questions
Plain answers to the questions boards and executives ask most.
What is Governance by Design?
Governance by Design is Dawn Horizon's methodology for embedding governance at the point of decision rather than retrofitting it at audit. It builds one control set, mapped across every regulation an organisation carries, so a single body of evidence is defensible to multiple regulators and auditors.
What does Dawn Horizon do?
Dawn Horizon is an Irish consultancy specialising in AI governance, cybersecurity and privacy. Led by Lee Bristow, it advises boards and regulated organisations across Ireland and the EU, delivering advisory, hands-on programme delivery and training across the EU AI Act, NIS2, DORA, GDPR and ISO management systems.
How should Irish boards prepare for NIS2?
Ireland is transposing the NIS2 Directive through the forthcoming National Cyber Security Bill, which is expected to bring thousands of additional entities into scope and make senior managers personally accountable for cybersecurity oversight. Boards should confirm whether they are an essential or important entity, document who approves cyber risk decisions, and put risk management and incident reporting measures in place before the regime takes effect.
What does DORA require of credit unions and financial firms?
The Digital Operational Resilience Act (DORA) has applied to EU financial entities, including credit unions, since 17 January 2025. It requires information and communications technology risk management, third-party and outsourcing oversight, operational resilience testing and structured incident reporting, all evidenced to the Central Bank of Ireland.
Do I need ISO 42001 to comply with the EU AI Act?
ISO 42001 is the international standard for AI management systems and is not legally mandated by the EU AI Act. However, a certified ISO 42001 management system provides structured, independently auditable evidence of responsible AI governance, which supports and streamlines EU AI Act compliance.
When does the EU AI Act apply?
The EU AI Act entered into force in 2024 and applies in phases. Prohibited practices applied first, and most obligations for high-risk AI systems apply from August 2026, with some provisions following in 2027. Organisations placing AI products on the EU market should classify their systems and map obligations to that timeline now.
What is the Cyber Resilience Act and does it affect my product?
The Cyber Resilience Act (CRA) sets binding cybersecurity requirements for any product with digital elements placed on the EU market. Vulnerability and incident reporting obligations apply from 11 September 2026, and full requirements, including secure-by-design engineering and a software bill of materials, apply from 11 December 2027. It affects most connected hardware and software products, including AI products.
Who provides AI governance and cybersecurity consulting in Ireland?
Dawn Horizon, led by Lee Bristow, provides AI governance, cybersecurity and privacy consulting in Ireland and across the EU. The firm works with HealthTech, financial services, critical national infrastructure and software organisations on the EU AI Act, NIS2, DORA, and ISO 27001, ISO 27701 and ISO 42001 certification readiness.
Engagement
Start a Conversation
Whether preparing for AI adoption, regulatory change, operational transformation, or governance modernisation, Dawn Horizon provides strategic guidance grounded in accountability, clarity, and human judgement.
Don't start on a blank page.