EU Compliance for Legal & Professional Services

The EU AI Act classifies AI systems by risk level and imposes obligations on providers and deployers. High-risk systems face mandatory conformity assessments, documentation, and human oversight requirements.

Max fine: €35M or 7% of global turnover

GDPR governs the processing of personal data of EU residents. It requires lawful basis for processing, data subject rights, breach notification, and accountability measures.

Max fine: €20M or 4% of global turnover

NIS2 expands cybersecurity obligations to essential and important entities across critical sectors. It mandates risk management, incident reporting, and supply chain security.

Max fine: €10M or 2% of global turnover

The CRA establishes cybersecurity requirements for products with digital elements sold in the EU. Manufacturers must ensure security by design and provide vulnerability handling.

Max fine: €15M or 2.5% of global turnover

DORA creates a comprehensive framework for ICT risk management in the financial sector. It requires resilience testing, third-party risk management, and incident reporting.

Max fine: Varies by member state (effective, proportionate, dissuasive)

The Data Act ensures fair access to and use of data generated by connected products and related services. It establishes rules for data sharing between businesses and with public bodies.

Max fine: Per member state (effective, proportionate, dissuasive)

The EAA sets accessibility requirements for products and services to ensure people with disabilities can fully participate in the digital economy.

Max fine: Per member state

The ePrivacy Directive governs electronic communications privacy, covering cookies, email marketing, and confidentiality of communications. Its replacement (ePrivacy Regulation) is pending but the Directive remains law.

Max fine: Per member state (typically up to €20M)

The DSA creates obligations for online platforms and search engines to tackle illegal content, protect users, and ensure algorithmic transparency. Very large platforms face enhanced obligations.

Max fine: €20M or 6% of global turnover

The DMA designates large online platforms as 'gatekeepers' and imposes obligations to ensure contestable and fair digital markets. Targets the largest tech platforms operating in the EU.

Max fine: €20M or 10% of global turnover; 20% for repeat infringements

The Pay Transparency Directive requires employers to disclose salary ranges in job postings, report on gender pay gaps, and enable employees to compare pay. Targets the gender pay gap across the EU.

Max fine: Per member state (compensation + penalties)

The Whistleblower Directive protects persons who report breaches of EU law. It requires organisations with 50+ employees to establish internal reporting channels and prohibits retaliation.

Max fine: Per member state

MiCA creates a comprehensive regulatory framework for crypto-assets in the EU, covering issuers of asset-referenced tokens and e-money tokens, and crypto-asset service providers (CASPs).

Max fine: €5M or 3% of annual turnover (CASPs)

eIDAS 2.0 updates the framework for electronic identification and trust services, introducing the EU Digital Identity Wallet. It enables cross-border digital identity verification and expands recognised trust services.

Max fine: Per member state

The revised PLD modernises liability rules for defective products, extending coverage to software, AI systems, and digital services. Shifts some burden of proof to manufacturers for complex cases.

Max fine: No cap — civil liability for all damage caused

CSRD expands mandatory sustainability reporting to large companies and listed SMEs. Companies must report according to European Sustainability Reporting Standards (ESRS) covering environment, social, and governance matters.

Max fine: Per member state (audit-based enforcement)

CS3D requires large companies to conduct due diligence on actual and potential adverse impacts on human rights and the environment in their operations and supply chains.

Max fine: At least 5% of net worldwide turnover

The Green Claims Directive requires companies to substantiate and verify environmental claims before using them in marketing, combating greenwashing across the EU market.

Max fine: 4% of annual turnover per member state

The EAA sets harmonised accessibility requirements across the EU for key products and services, ensuring people with disabilities have equal access to the digital economy and essential services.

Max fine: Per member state

The EU Machinery Regulation updates safety requirements for machinery and related products, with new provisions for autonomous and collaborative robots, AI-integrated machinery, and cybersecurity.

Max fine: Per member state