Role Description:
At Booking.com, our mission is to make it easier for everyone to experience the world. As our technology landscape, regulatory environment, and product ecosystem continue to evolve, we need practical and scalable approaches to risk, controls, and compliance that support the business without slowing it down.
The IT Compliance (TCOM) team helps Booking.com build & maintain a stronger and scalable control environment by translating regulatory, policy, and risk requirements into clear, operational controls and oversight mechanisms. A key focus area for the team today is building a Unified Control Framework that gives leaders a single, self-serve view of the control environment by mapping controls and policy requirements to regulations such as NIST 2.0, NIS2, and DORA, while also connecting Shift Left, SOX, and other control domains into one coherent model.
One of the pain points we are solving is that every time a new framework or regulation impacts Booking.com, a significant amount of effort is spent re-assessing requirements, validating control scope, refining control wording, and checking whether existing controls are sufficient. Our goal is to move away from repeated one-off assessments and towards a more unified, reusable, and audit-ready control framework.
The team is based across Amsterdam, Bucharest, and Bangalore and works closely with Risk Partners supporting different business units, control owners, Security, Legal, and other stakeholders across Central Tech.
We are looking for an experienced IT Risk & Compliance Officer to join the team in Amsterdam. This is an individual contributor role for someone with strong experience in the risk and controls domain and a genuine interest in building, improving, and maintaining control frameworks.
This role is ideal for someone who enjoys making sense of overlapping regulatory and framework requirements, bringing structure to control environments, and working with stakeholders to turn abstract requirements into practical, testable, and sustainable controls. The role will play a key part in evolving the Unified Control Framework(UCF), supporting regulatory initiatives such as NIS2 and DORA, and helping ensure that risk and compliance requirements are addressed earlier in the software development lifecycle (shifting left) In practice, this involves executing the Unified Control Framework (UCF) strategy by contributing to its governance and roadmap definition, driving core regulatory compliance through NIS2 control mapping and refinement, and institutionalizing proactive risk management by designing reports on controls health. Furthermore, this includes identifying and implementing pragmatic automation and AI-assisted improvements to accelerate analysis speed and bolster overall control quality.
Lead and support assessments of new and evolving regulatory or framework requirements, including NIST 2.0, NIS2, DORA, EU AI Act and other relevant cyber or technology compliance requirements, and determine how Booking.com should respond.
Build, maintain, and improve the Unified Control Framework by mapping requirements to internal policies, standards, assets, control objectives, and existing controls, with a strong focus on reuse, coherence, and reducing duplication.
Translate regulatory requirements and external recommendations into clear, practical, testable control descriptions with defined ownership, execution expectations, evidence requirements, and monitoring logic.
Collaborate with Risk Partners, control owners, domain experts, policy owners, and other stakeholders to align on control design, applicability, remediation needs, and implementation priorities.
Support Shift Left and Security NFR initiatives by ensuring that risk and control requirements are considered earlier in the SDLC and reflected in reporting, adoption logic, and risk insights.
Contribute to governance, reporting, and continuous improvement activities that help the business understand compliance posture, risk exposure, and control effectiveness more clearly.
Identify pragmatic automation or AI-enabled opportunities that can reduce manual effort, improve review velocity, and strengthen the consistency of assessments and control maintenance, without needing to be a dedicated automation engineer.
Around 5-7 years of relevant experience in IT Risk, IT Controls, IT Compliance, Governance, IT Audit, or a related domain.
Strong understanding of control design, control effectiveness, control monitoring, and the relationship between risks, policies, standards, and controls.
Experience working with frameworks and regulations such as NIST, NIS2, DORA, or similar, and the ability to interpret requirements in a practical business and technology context.
A genuine interest in building, maintaining, and improving frameworks, control catalogues, or unified control models rather than only operating existing processes.
Ability to understand interdependencies across regulatory and framework requirements and bring coherence to overlapping controls.
Strong stakeholder management, influencing, and negotiation skills, with the confidence to challenge constructively and bring multiple parties together.
Strong written and verbal communication skills, especially the ability to turn complex requirements into clear guidance and actionable outcomes.
A structured, independent, and delivery-focused way of working, with comfort operating in ambiguity and driving progress across multiple workstreams.
Ability to zoom in and out on the details and contextualize IT and cyber regulatory requirements within Booking.com environment
An innovative mindset and the judgment to spot quick-win automation opportunities that improve team velocity and quality.
Success in this role means that new frameworks and regulations can be assessed faster and more consistently because requirements are connected to an evolving Unified Control Framework rather than being treated as standalone exercises each time.
It also means that controls become clearer and more operationally useful: ownership is defined, evidence expectations are explicit, control descriptions are testable, and overlaps across frameworks are handled in a more coherent way.
This person will be successful if they support control requirements, become more actionable earlier in the lifecycle, improve stakeholder alignment, and introduce practical ideas that reduce manual work while increasing confidence in the control environment.
Experience with control framework mapping, regulatory gap assessments, or control standard design.
Experience working with cyber, security, or technology regulations and standards in a complex organization.
Familiarity with ServiceNow GRC, Jira, reporting dashboards, or similar workflow and governance tooling.
Experience working with external assessors, auditors, or advisory partners and translating their recommendations into internal control improvements.
Experience in distributed, cross-functional environments where influencing without direct authority is important.
Exposure to SDLC, engineering controls, Security NFRs, or Shift Left style operating models is a strong plus.
Benefits & Perks - Global Impact, Personal Relevance:
Booking.com’s Total Rewards Philosophy is not only about compensation but also about benefits. We offer a competitive compensation and benefits package, as well unique-to-Booking.com benefits which include:
Annual paid time off and generous paid leave scheme including: parent, grandparent, bereavement, and care leave
Hybrid working including flexible working arrangements, and up to 20 days per year working from abroad (home country)
Industry leading product discounts - up to 1400 per year - for yourself, including automatic Genius Level 3 status and Booking.com wallet credit
Diversity, Equity and Inclusion (DEI) at Booking.com:
Diversity, Equity & Inclusion have been a core part of our company culture since day one. This ongoing journey starts with our very own employees, who represent over 140 nationalities and a wide range of ethnic and social backgrounds, genders and sexual orientations.
Take it from our Chief People Officer, Paulo Pisano: “At Booking.com, the diversity of our people doesn’t just build an outstanding workplace, it also creates a better and more inclusive travel experience for everyone. Inclusion is at the heart of everything we do. It’s a place where you can make your mark and have a real impact in travel and tech.”
We ensure that colleagues with disabilities are provided the adjustments and tools they need to participate in the job application and interview process, to perform crucial job functions, and to receive other benefits and privileges of employment.
Application Process:
Booking.com is proud to be an equal opportunity workplace and is an affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status. We strive to move well beyond traditional equal opportunity and work to create an environment that allows everyone to thrive.
Pre-Employment Screening
If your application is successful, your personal data may be used for a pre-employment screening check by a third party as permitted by applicable law. Depending on the vacancy and applicable law, a pre-employment screening may include employment history, education and other information (such as media information) that may be necessary for determining your qualifications and suitability for the position.