WorkWayWorkWay
Get Started
Stripe logo
Stripe

IT Governance, Risk & Compliance (GRC) Analyst, Luxembourg

LuxembourgFull-TimeMid-levelAnalyst

Skills

AWSSecurityDocumentation

You will be redirected to the company career page

This role is the control and risk right hand of the Luxembourg Head of IT. While our global teams build the tech, you ensure it is compliant, resilient, and audit-ready. You will translate requirements like DORA and MiCA into tangible IT controls, oversee third-party risks, and maintain the integrity of our governance framework.

  • This is not a "tick-the-box" compliance role. It is a operational position for a professional who understands technology well enough to govern it effectively. You will have high visibility, owning the frameworks that allow us to scale securely.

Key Responsibilities

  • Maintain and evolve the IT Risk Register, ensuring risks are identified, assessed, and treated in line with the company’s risk appetite. Drive the local implementation of the DORA (Digital Operational Resilience Act) framework, including ICT risk management and incident classification. Bridge the gap between technical reality and policy by drafting, reviewing, and updating IT policies and procedures. Perform periodic control testing to ensure global engineering practices align with local regulatory requirements. Act as primary support to the local Head of IT
  • Maintain and evolve the IT Risk Register, ensuring risks are identified, assessed, and treated in line with the company’s risk appetite.
  • Drive the local implementation of the DORA (Digital Operational Resilience Act) framework, including ICT risk management and incident classification.
  • Bridge the gap between technical reality and policy by drafting, reviewing, and updating IT policies and procedures.
  • Perform periodic control testing to ensure global engineering practices align with local regulatory requirements.
  • Act as primary support to the local Head of IT
  • Maintain and evolve the IT Risk Register, ensuring risks are identified, assessed, and treated in line with the company’s risk appetite.
  • Drive the local implementation of the DORA (Digital Operational Resilience Act) framework, including ICT risk management and incident classification.
  • Bridge the gap between technical reality and policy by drafting, reviewing, and updating IT policies and procedures.
  • Perform periodic control testing to ensure global engineering practices align with local regulatory requirements.
  • Act as primary support to the local Head of IT
  • Support ICT due diligence and risk assessments of critical vendors and service providers, while assisting with  Developer / Customer Oversight. Monitor SLAs and KPIs of critical vendors, challenging performance where necessary. Act as the primary support to the Outsourcing Manager regarding technical vendor oversight.
  • Support ICT due diligence and risk assessments of critical vendors and service providers, while assisting with  Developer / Customer Oversight.
  • Monitor SLAs and KPIs of critical vendors, challenging performance where necessary.
  • Act as the primary support to the Outsourcing Manager regarding technical vendor oversight.
  • Support ICT due diligence and risk assessments of critical vendors and service providers, while assisting with  Developer / Customer Oversight.
  • Monitor SLAs and KPIs of critical vendors, challenging performance where necessary.
  • Act as the primary support to the Outsourcing Manager regarding technical vendor oversight.
  • Oversee the Identity & Access Governance strategy, including but not limited to adherence to Segregation of Duties, principle of least privileges and others.. Conduct periodic User Access Reviews for critical systems.
  • Oversee the Identity & Access Governance strategy, including but not limited to adherence to Segregation of Duties, principle of least privileges and others..
  • Conduct periodic User Access Reviews for critical systems.
  • Oversee the Identity & Access Governance strategy, including but not limited to adherence to Segregation of Duties, principle of least privileges and others..
  • Conduct periodic User Access Reviews for critical systems.
  • Act as the primary liaison for Internal Audit regarding IT topics. Prepare technical inputs and evidence for CSSF notifications and regulatory reporting. Monitor compliance with GDPR/Data Privacy controls (e.g., DLP oversight, data residency). Coordinate Business Continuity (BCP) and Disaster Recovery (DR) testing documentation and reporting.
  • Act as the primary liaison for Internal Audit regarding IT topics.
  • Prepare technical inputs and evidence for CSSF notifications and regulatory reporting.
  • Monitor compliance with GDPR/Data Privacy controls (e.g., DLP oversight, data residency).
  • Coordinate Business Continuity (BCP) and Disaster Recovery (DR) testing documentation and reporting.
  • Act as the primary liaison for Internal Audit regarding IT topics.
  • Prepare technical inputs and evidence for CSSF notifications and regulatory reporting.
  • Monitor compliance with GDPR/Data Privacy controls (e.g., DLP oversight, data residency).
  • Coordinate Business Continuity (BCP) and Disaster Recovery (DR) testing documentation and reporting.
  • Oversee the IT incident management process to ensure proper classification, reporting, and root cause analysis (RCA). Ensure major incidents are reported to regulators within mandated timeframes (in collaboration with Compliance).
  • Oversee the IT incident management process to ensure proper classification, reporting, and root cause analysis (RCA).
  • Ensure major incidents are reported to regulators within mandated timeframes (in collaboration with Compliance).
  • Oversee the IT incident management process to ensure proper classification, reporting, and root cause analysis (RCA).
  • Ensure major incidents are reported to regulators within mandated timeframes (in collaboration with Compliance).

Education

  • Bachelor’s or Master’s degree in Information Systems, Cybersecurity, or Business Administration (with a strong IT focus).

Experience

  • 3–6 years of experience in IT Audit, IT Risk, GRC, or Information Security.
  • Experience in a regulated sector (Banking, Fintech, Insurance) or Big 4 Audit (IT Risk advisory) is highly preferred.
  • Experience dealing with CSSF circulars, EBA guidelines, or DORA is a strong asset.

Core Competencies

  • Framework Knowledge: Strong understanding of ISO 27001, NIST, or COBIT.
  • Tech Literacy: You don't need to code, but you must understand Cloud fundamentals (AWS), SaaS models, and modern infrastructure to audit them effectively.
  • Risk Mindset: Ability to distinguish between theoretical risk and actual business risk.
  • Communication: Ability to explain "Why we need this control" to engineers without slowing them down.

Languages

  • English: Fluent professional (Mandatory).
  • French: Asset.

Mindset

  • Pragmatic: You value effective controls over bureaucratic paperwork.
  • Resilient: You are comfortable dealing with ambiguity and evolving regulations.
  • Curious: You have a genuine interest in crypto-assets, blockchain, and the future of payments.

Job Summary

CompanyStripe
LocationLuxembourg
TypeFull-Time
LevelMid-level
DomainAnalyst

Similar roles you might like

More roles at Stripe