Varcoe.ai

Government Modernization · EU readiness

EU AI Act:
95 days.

EU AI Act high-risk Annex III conformity assessment becomes mandatory 2 August 2026. Penalty exposure: €35M or 7% of global turnover for non-compliance. NIS2 (Oct 2024) is enforced now; DORA (Jan 2025) is in effect; both reach extraterritorially into US firms with EU subsidiaries or EU customers. We run readiness from the US side, billed in USD, delivered remote — we do not sell direct to EU governments.

$140-180K NIS2 readiness · $220-320K DORA readiness · EU AI Act scoping $30K-$80K + conformity assessment partner-coordinated

What we run for EU-readiness partners

Six components. All extraterritorial-aware.

EU AI Act High-Risk Conformity (Aug 2 2026)

Annex III high-risk categorization, conformity assessment per Article 43, technical documentation per Annex IV, post-market monitoring per Article 72, CE-marking workflow. €35M or 7% of global turnover penalty exposure for non-compliance. ~95 days as of this writing.

NIS2 Directive Compliance

NIS2 transposition deadline October 2024 — now enforced across EU Member States. Essential entity vs. Important entity classification, supply-chain security obligations, 24-hour early-warning reporting, registration with national authority. Direct + indirect applicability for US firms with EU subs or EU services.

DORA — Digital Operational Resilience Act

Effective 17 January 2025 for EU financial entities. ICT risk management framework, ICT incident reporting, digital operational resilience testing (TLPT), ICT third-party risk including critical-third-party designation. Applies to US firms with EU financial subs + ICT third-party providers.

GDPR Article 32 Cyber-Specific Controls

Technical and organisational measures, ICO/EDPB-aligned breach notification 72-hour clock, Data Protection Impact Assessments tied to security controls, supervisory authority coordination on cyber incidents.

Schrems II / Cross-Border Data Transfer

EU-US Data Privacy Framework, Standard Contractual Clauses, Transfer Impact Assessments. Cybersecurity controls baked into TIA technical-measures section.

NIS2 + DORA Crosswalks to US Frameworks

SOC 2 + ISO 27001 evidence covers ~70% of NIS2 + DORA technical requirements. We map the existing US compliance posture to the gap rather than rebuild from scratch.

What this is — and isn’t

Honest scope.

What this is: cybersecurity readiness for US firms with EU subsidiaries or EU customers facing NIS2, DORA, EU AI Act, GDPR Article 32. Billed + delivered US-side. SOC 2 / ISO 27001 / NIST 800-171 / ISO 42001 evidence converts to ~70% of EU framework requirements with translation overhead.

What this isn’t: direct-sell to EU governments. Direct EU public-sector cybersecurity contracting requires a local in-country partner (BSI Grundschutz partners in Germany, ANSSI-qualified providers in France, etc.). When the partnership economics make sense we’ll add it. For now, we’re honest that this page serves US firms reaching into the EU, not the EU public sector directly.

Quinnlan Varcoe, CEO and Founder of Varcoe.ai

Who you’ll work with

Quinnlan Varcoe

CEO and Founder · OSCP · GIAC × 10 · 17 credentials across the practice

ISO 42001 + NIST AI RMF + EU AI Act crosswalks. SOC 2 + ISO 27001 + NIS2 + DORA evidence-mapping. US-side delivery for EU-extraterritorial obligations.

Every partnership begins with me. Not a sales rep, not an account executive, not a junior. The first call, the diagnostic, the strategy work — that’s mine.

EU subsidiary on the books? AI Act deadline closing in?

Schedule a call

Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management

Reviews

From the senior people
who’ve worked alongside Quinn.

The named companies beside each reviewer are their employers — not Varcoe partnerships. Each quote is a professional reference from someone who’s shipped work alongside Quinn directly.

The partnership model isn't marketing language with Quinn — it's how she actually works. Senior judgment, single accountable contact, and the rigor to integrate across IT, security, and AI under one roof.

Aaron Birnbaum

Managing Partner

Seron Security

Quinnlan brings more than expertise — she brings strategic alignment. The ability to scale operations without sacrificing depth is exactly what serious organizations need from a modernization partner.

Caroline Lombard

Threat Specialist

AWS

I've worked with Quinnlan on incidents most teams couldn't navigate — Log4j among them. The technical depth and the calm under fire are real, and they're rare.

Justin Cox

Senior AWS Security Analyst

PayPal

One of the most seamless collaborations I've had in this industry. Composure under pressure, technical precision, and the kind of credibility that compounds — exactly the senior bench a modernization partnership needs.

Soufiane Jihadi

Senior Incident Response Consultant

Deloitte

Original references collected on the legacy Varcoe site · LinkedIn endorsements available on request