Confidential

Luxembourg

IT Governance, Risk & Compliance (GRC) Analyst, Luxembourg

On-site, Mid, Full-time

Published May 20, 2026

External listing

This vacancy comes from an external source. The description may be abbreviated and some details (salary, skills) may not be available. Register as a candidate to receive the full information.

Job description

<h3><strong>Secure and Scale a Regulated Fintech Platform at the Heart of Stripe</strong></h3> <p><strong>Bridge Building S.A. (BBSA)</strong> is the Luxembourg regulated entity of <strong>Bridge</strong>, a Stripe company. We operate as an EMI and future CASP in one of Europe’s most demanding regulatory environments (CSSF, DORA, MiCA).</p> <p>BBSA is building a local regulated platform powered by a global-first technology model. In this context, we are looking for a sharp <strong>IT GRC Analyst</strong> to act as the bridge between strict European regulations and high-velocity global engineering.</p> <p>This role is the <strong>control and risk right hand</strong> of the Luxembourg Head of IT. While our global teams build the tech, you ensure it is compliant, resilient, and audit-ready. You will translate requirements like <strong>DORA</strong> and <strong>MiCA</strong> into tangible IT controls, oversee third-party risks, and maintain the integrity of our governance framework.</p> <p>This is not a "tick-the-box" compliance role. It is an operational position for a professional who understands technology well enough to govern it effectively. 
You will have high visibility, owning the frameworks that allow us to scale securely.</p> <h3><strong>Key Responsibilities</strong></h3> <ol> <li><strong> IT Governance & Risk Management</strong></li> </ol> <ul> <li> <ul> <li>Maintain and evolve the IT Risk Register, ensuring risks are identified, assessed, and treated in line with the company’s risk appetite.</li> <li>Drive the local implementation of the <strong>DORA (Digital Operational Resilience Act)</strong> framework, including ICT risk management and incident classification.</li> <li>Bridge the gap between technical reality and policy by drafting, reviewing, and updating IT policies and procedures.</li> <li>Perform periodic control testing to ensure global engineering practices align with local regulatory requirements.</li> <li>Act as primary support to the local Head of IT.</li> </ul> </li> </ul> <ol> <li><strong> Third-Party Risk Management (TPRM)</strong></li> </ol> <ul> <li> <ul> <li>Support ICT due diligence and risk assessments of critical vendors and service providers, while assisting with Developer / Customer Oversight.</li> <li>Monitor SLAs and KPIs of critical vendors, challenging performance where necessary.</li> <li>Act as the primary support to the Outsourcing Manager regarding technical vendor oversight.</li> </ul> </li> </ul> <ol> <li><strong> Access Governance & Control (IAG)</strong></li> </ol> <ul> <li> <ul> <li>Oversee the <strong>Identity & Access Governance</strong> strategy, including but not limited to adherence to Segregation of Duties, the principle of least privilege, and others.</li> <li>Conduct periodic User Access Reviews for critical systems.</li> </ul> </li> </ul> <ol> <li><strong> Regulatory Compliance & Audit Readiness</strong></li> </ol> <ul> <li> <ul> <li>Act as the primary liaison for Internal Audit regarding IT topics.</li> <li>Prepare technical inputs and evidence for CSSF notifications and regulatory reporting.</li> <li>Monitor compliance with GDPR/Data Privacy controls 
(e.g., DLP oversight, data residency).</li> <li>Coordinate Business Continuity (BCP) and Disaster Recovery (DR) testing documentation and reporting.</li> </ul> </li> </ul> <ol> <li><strong> Incident Governance</strong></li> </ol> <ul> <li> <ul> <li>Oversee the IT incident management process to ensure proper classification, reporting, and root cause analysis (RCA).</li> <li>Ensure major incidents are reported to regulators within mandated timeframes (in collaboration with Compliance).</li> </ul> </li> </ul> <h3><strong>Candidate Profile</strong></h3> <p><strong>Education</strong></p> <ul> <li>Bachelor’s or Master’s degree in Information Systems, Cybersecurity, or Business Administration (with a strong IT focus).</li> </ul> <p><strong>Experience</strong></p> <ul> <li><strong>3–6 years</strong> of experience in IT Audit, IT Risk, GRC, or Information Security.</li> <li>Experience in a regulated sector (Banking, Fintech, Insurance) or Big 4 Audit (IT Risk advisory) is highly preferred.</li> <li>Experience dealing with CSSF circulars, EBA guidelines, or DORA is a strong asset.</li> </ul> <p><strong>Core Competencies</strong></p> <ul> <li><strong>Framework Knowledge:</strong> Strong understanding of ISO 27001, NIST, or COBIT.</li> <li><strong>Tech Literacy:</strong> You don't need to code, but you must understand Cloud fundamentals (AWS), SaaS models, and modern infrastructure to audit them effectively.</li> <li><strong>Risk Mindset:</strong> Ability to distinguish between theoretical risk and actual business risk.</li> <li><strong>Communication:</strong> Ability to explain "Why we need this control" to engineers without slowing them down.</li> </ul> <p><strong>Languages</strong></p> <ul> <li><strong>English:</strong> Fluent professional (Mandatory).</li> <li><strong>French:</strong> Asset.</li> </ul> <p><strong>Mindset</strong></p> <ul> <li><strong>Pragmatic:</strong> You value effective controls over bureaucratic paperwork.</li> <li><strong>Resilient:</strong> You are 
comfortable dealing with ambiguity and evolving regulations.</li> <li><strong>Curious:</strong> You have a genuine interest in crypto-assets, blockchain, and the future of payments.</li> </ul>

© 2026 Tech Talent. Operated by The Consulting Solutions.