talentyGo

IT Governance, Risk & Compliance (GRC) Specialist, Luxembourg

stripe

📍 Luxembourg, US0 🕐 13 days ago
Apply now →


Description

<h3><strong>Secure and Scale a Regulated Fintech Platform at the Heart of Stripe</strong></h3>
<p><strong>Bridge Building S.A. (BBSA)</strong> is the Luxembourg regulated entity of <strong>Bridge</strong>, a Stripe company. We operate as an EMI and future CASP in one of Europe’s most demanding regulatory environments (CSSF, DORA, MiCA).</p>
<p>BBSA is building a local regulated platform powered by a global-first technology model. In this context, we are looking for a sharp <strong>IT GRC Analyst</strong> to act as the bridge between strict European regulations and high-velocity global engineering.</p>
<p>This role is the <strong>control and risk right hand</strong> of the Bridge Global CISO. While our global teams build the tech, you ensure it is compliant, resilient, and audit-ready. You will translate requirements like <strong>DORA</strong> and <strong>MiCA</strong> into tangible IT controls, oversee third-party risks, and maintain the integrity of our governance framework.</p>
<p>This is not a "tick-the-box" compliance role. It is an operational position for a professional who understands technology well enough to govern it effectively. You will have high visibility, owning the frameworks that allow us to scale securely.</p>
<h3><strong>Key Responsibilities</strong></h3>
<ol>
<li><strong>IT Governance &amp; Risk Management</strong>
<ul>
<li>Maintain and evolve the IT Risk Register, ensuring risks are identified, assessed, and treated in line with the company’s risk appetite.</li>
<li>Drive the local implementation of the <strong>DORA (Digital Operational Resilience Act)</strong> framework, including ICT risk management and incident classification.</li>
<li>Bridge the gap between technical reality and policy by drafting, reviewing, and updating IT policies and procedures.</li>
<li>Perform periodic control testing to ensure global engineering practices align with local regulatory requirements.</li>
<li>Act as primary support to the local Head of IT.</li>
</ul>
</li>
<li><strong>Third-Party Risk Management (TPRM)</strong>
<ul>
<li>Support ICT due diligence and risk assessments of critical vendors and service providers, while assisting with Developer / Customer Oversight.</li>
<li>Monitor SLAs and KPIs of critical vendors, challenging performance where necessary.</li>
<li>Act as the primary support to the Outsourcing Manager regarding technical vendor oversight.</li>
</ul>
</li>
<li><strong>Access Governance &amp; Control (IAG)</strong>
<ul>
<li>Oversee the <strong>Identity &amp; Access Governance</strong> strategy, including but not limited to adherence to Segregation of Duties, the principle of least privilege, and others.</li>
<li>Conduct periodic User Access Reviews for critical systems.</li>
</ul>
</li>
<li><strong>Regulatory Compliance &amp; Audit Readiness</strong>
<ul>
<li>Act as the primary liaison for Internal Audit regarding IT topics.</li>
<li>Prepare technical inputs and evidence for CSSF notifications and regulatory reporting.</li>
<li>Monitor compliance with GDPR/Data Privacy controls (e.g., DLP oversight, data residency).</li>
<li>Coordinate Business Continuity (BCP) and Disaster Recovery (DR) testing documentation and reporting.</li>
</ul>
</li>
<li><strong>Incident Governance</strong>
<ul>
<li>Oversee the IT incident management process to ensure proper classification, reporting, and root cause analysis (RCA).</li>
<li>Ensure major incidents are reported to regulators within mandated timeframes (in collaboration with Compliance).</li>
</ul>
</li>
</ol>
<h3><strong>Candidate Profile</strong></h3>
<p><strong>Education</strong></p>
<ul>
<li>Bachelor’s or Master’s degree in Information Systems, Cybersecurity, or Business Administration (with a strong IT focus).</li>
</ul>
<p><strong>Experience</strong></p>
<ul>
<li><strong>3–6 years</strong> of experience in IT Audit, IT Risk, GRC, or Information Security.</li>
<li>Experience in a regulated sector (Banking, Fintech, Insurance) or Big 4 Audit (IT Risk advisory) is highly preferred.</li>
<li>Experience dealing with CSSF circulars, EBA guidelines, or DORA is a strong asset.</li>
</ul>
<p><strong>Core Competencies</strong></p>
<ul>
<li><strong>Framework Knowledge:</strong> Strong understanding of ISO 27001, NIST, or COBIT.</li>
<li><strong>Tech Literacy:</strong> You don't need to code, but you must understand Cloud fundamentals (AWS), SaaS models, and modern infrastructure to audit them effectively.</li>
<li><strong>Risk Mindset:</strong> Ability to distinguish between theoretical risk and actual business risk.</li>
<li><strong>Communication:</strong> Ability to explain "Why we need this control" to engineers without slowing them down.</li>
</ul>
<p><strong>Languages</strong></p>
<ul>
<li><strong>English:</strong> Fluent professional (Mandatory).</li>
<li><strong>French:</strong> Asset.</li>
</ul>
<p><strong>Mindset</strong></p>
<ul>
<li><strong>Pragmatic:</strong> You value effective controls over bureaucratic paperwork.</li>
<li><strong>Resilient:</strong> You are comfortable dealing with ambiguity and evolving regulations.</li>
<li><strong>Curious:</strong> You have a genuine interest in crypto-assets, blockchain, and the future of payments.</li>
</ul>

TalentyGo is an aggregator of job listings from public sources. Always verify the information directly with the company. Applications are submitted through the company's original website; TalentyGo does not manage selection processes.