Written by EU regulatory specialists. Every article reviewed against official regulation texts.
A Data Protection Impact Assessment (DPIA) is mandatory under GDPR Article 35 for high-risk processing. This step-by-step guide walks through when one is required, what it must contain, and how to complete one efficiently.
The Digital Services Act and Digital Markets Act fundamentally reshape obligations for online platforms and gatekeepers. This guide covers who they apply to, what's required, and the enforcement timeline.
The ePrivacy Directive still governs cookies and electronic communications in the EU — and enforcement has intensified. This guide covers what consent is required, what's exempt, and how to build a compliant cookie implementation.
High-risk AI systems must pass a conformity assessment before deployment. The August 2026 deadline is approaching. This checklist walks through every requirement so you know exactly what to prepare.
Launching or scaling in the EU? This checklist covers GDPR, EU AI Act, NIS2, CRA, and DSA obligations by company stage — so you know exactly what to prioritize and when.
Many AI systems process personal data — making both GDPR and the EU AI Act apply simultaneously. This guide maps the overlap, explains where obligations stack, and shows how to comply with both efficiently.
Article 4 of the EU AI Act has been in force since February 2025. This guide shows exactly what 'sufficient AI literacy' means, who it covers, and how to build a compliant training program your team will actually use.
Records of Processing Activities (ROPA) are required under GDPR Article 30 for most organisations. This guide covers what must be recorded, who is exempt, and how to build and maintain a ROPA your DPA will accept.
NIS2 requires a 24-hour early warning for significant incidents. This guide covers the full reporting timeline, what makes an incident 'significant', who to notify, and how to build a response checklist your team can follow under pressure.
Tech companies often face both NIS2 and GDPR simultaneously. This guide explains the key differences in scope, obligations, and enforcement — and where compliance programs can be combined.
The CRA (Regulation 2024/2847) introduces mandatory cybersecurity requirements for all products with digital elements sold in the EU. Reporting obligations apply from September 2026; full enforcement from December 2027.
DORA (Regulation 2022/2554) has applied since January 2025. This guide covers who it applies to, the five pillars of ICT risk management, incident reporting, third-party provider rules, and fines.