EuroComply

EU Compliance for Public Sector & NGOs

EU regulations directly affecting Public Sector & NGOs organisations — including obligations, deadlines, and maximum fines. Use our regulation checker to map your exact exposure.

Which EU regulations apply to Public Sector & NGOs businesses?

Public Sector & NGOs organisations operating in the EU are subject to 4 key regulations: GDPR, Pay Transparency, Whistleblower and eIDAS 2.0. The most significant obligations include maintaining records of processing activities (ROPA) and publishing salary ranges in job adverts. Use the regulation checker to map your exact exposure in under 2 minutes.

  • GDPR: max fine €20M or 4% of global turnover; key obligation: maintain records of processing activities (ROPA)
  • Pay Transparency: max fine set per member state (compensation + penalties); key obligation: publish salary ranges in job adverts
  • Whistleblower: max fine set per member state; key obligation: establish secure internal reporting channels
  • eIDAS 2.0: max fine set per member state; key obligation: accept the EU Digital Identity Wallet (very large platforms)

Regulations applicable: 4
Key regulations: GDPR, Pay Transparency, Whistleblower
Highest fine: €20M or 4% of global turnover
Source: EUR-Lex — EU Regulatory Framework
Reviewed:

Which regulations apply to your Public Sector & NGOs business?

Answer 5 questions and get a personalised compliance map — free.

Frequently asked questions

Which EU regulations apply to my sector?

EU compliance depends on your specific sector, company size, and activities. Horizontal regulations that apply across most sectors include: GDPR (personal data processing, fines up to €20M or 4% turnover); NIS2 (cybersecurity for essential and important entities in 18+ sectors, fines up to €10M or 2% turnover); EU AI Act (AI systems, phased 2024–2027, fines up to €35M or 7% turnover for prohibited systems); and the CRA (products with digital elements from 2027). Sector-specific regulations — DORA for financial services, MDR for medical devices, EHDS for healthcare — apply in addition.

What is the difference between an essential and important entity under NIS2?

NIS2 Annex I lists essential entity sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Annex II lists important entity sectors including manufacturing, food, chemicals, postal services, digital providers, and research. Essential entities face proactive ex ante supervision; important entities face reactive ex post supervision. Both are subject to NIS2 Article 21 security measures and incident reporting requirements if they meet the size thresholds (medium: 50+ employees or €10M+ turnover).

What is the EU AI Act risk classification and does it apply to my product?

The EU AI Act classifies AI systems into four risk levels: prohibited (e.g. social scoring by governments, subliminal manipulation); high-risk (Annex III categories: biometrics, critical infrastructure, employment, education, essential services, law enforcement, migration, justice); limited-risk (chatbots, deepfakes — transparency obligations only); and minimal-risk (most AI systems — no mandatory requirements). High-risk AI systems require conformity assessment, Annex IV technical documentation, registration in the EU AI database, and ongoing post-market monitoring.

What GDPR obligations apply to EU companies processing personal data?

GDPR (Regulation (EU) 2016/679) applies to all organisations processing personal data of EU residents, regardless of where the organisation is located. Core obligations include: lawful basis for processing (Article 6); transparency via privacy notices (Articles 13-14); data subject rights (Articles 15-22: access, erasure, portability, objection); technical and organisational security measures (Article 32); 72-hour breach notification to supervisory authority (Article 33); Data Protection Impact Assessments for high-risk processing (Article 35); and DPO appointment for public authorities and organisations processing special-category data at scale (Article 37).

How long does an EU compliance assessment take?

A basic EU compliance exposure scan — identifying which regulations apply to your organisation and where your most significant gaps are — can be completed in 30-60 minutes using EuroComply's regulation checker and workspace tools. A comprehensive compliance programme covering GDPR, NIS2, and the AI Act for a mid-size SaaS company typically takes 3-6 months of structured work including a ROPA, DPIA review, NIS2 Article 21 gap analysis, and AI inventory. Initial evidence exports suitable for investor or client due diligence can be generated within minutes once the workspace assessment is complete.

For informational purposes only. This is not legal advice — consult qualified legal counsel.