🇪🇺 European Union · jurisdiction-aware

Three steps to decide if ReguNav fits European Union.

For CFOs, COOs, Heads of Risk supervised under European Union authority. Skip the architecture diagrams — see the regulator, the deliverable, and the ROI you'll quote to the board.

  1. Identify your supervisor: European Data Protection Board (EDPB) (+6 more on this page)
  2. Pick your framework: EU AI Act · GDPR · DORA (+2)
  3. Book a European Union POC: 30-min walkthrough, real engine

Sovereign AI ready for European Union.

ReguNav is built EU-AI-Act-native. Every Annex III high-risk use case ships with a deterministic FRIA flow, every GPAI provider gets Art. 53 + 55 disclosure templates, every DORA-supervised firm gets the Art. 5–24 control programme — all anchored to EDPB, ENISA, EU AI Office, ESMA, EBA, EIOPA sources.

European Union regulator landscape

Every European Union control on the platform is anchored to a named regulator artefact. When the regulator updates its guidance, the framework registry takes the version bump and every dependent control inherits it.

European Data Protection Board (EDPB)

GDPR coordination · cross-DPA decisions · official ↗

European Union Agency for Cybersecurity (ENISA)

NIS2 · EU CRA · cybersecurity standards · official ↗

EU AI Office (DG CNECT)

EU AI Act enforcement · GPAI Code of Practice · official ↗

European Securities and Markets Authority

DORA financial-services oversight · official ↗

European Banking Authority

DORA · ICT third-party risk · official ↗

European Insurance and Occupational Pensions Authority

DORA insurance · digital resilience testing · official ↗

European Medicines Agency

Centralised medical-device regulation · official ↗

Frameworks anchored in European Union

EU AI Act

(EU) 2024/1689 · 30 clauses · 16 controls

Risk-based regulation of AI systems and general-purpose AI models in the EU/EEA. Prohibited practices (Art. 5), high-risk requirements (Title III + Annex III), transparency obligations (Art. 50), and GPAI provisions (Title VIII Chapter V). Applies to providers, deployers, importers, distributors and authorised representatives.

GDPR

(EU) 2016/679 · 28 clauses · 15 controls

EU regulation governing the processing of personal data of natural persons in the Union and the cross-border movement of such data. Applies to controllers and processors established in the EU and, under Art. 3(2), to those outside the EU that offer goods/services to or monitor data subjects in the EU. Covers principles (Art. 5), lawful basis (Art. 6+9), data-subject rights (Ch. III), controller/processor duties (Ch. IV), security (Art. 32), breach notification (Art. 33-34), DPIA (Art. 35), DPO (Art. 37-39), international transfers (Ch. V) and supervisory authority cooperation.

DORA

(EU) 2022/2554 · 22 clauses · 14 controls

EU regulation establishing uniform requirements for the security of network and information systems supporting business processes of financial entities in the Union, and for the digital operational resilience of those entities. Covers ICT risk management (Chapter II), ICT-related incident reporting (Chapter III), digital operational resilience testing including TLPT (Chapter IV), ICT third-party risk (Chapter V), information-sharing arrangements (Chapter VI) and oversight of critical ICT third-party service providers (Chapter V Section II).

NIS2 Directive

2022/2555 · 17 clauses · 14 controls

EU Directive on measures for a high common level of cybersecurity. Applies to medium and large essential and important entities operating in critical sectors (Annexes I + II): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal services, waste management, manufacturing of critical products, food, digital providers, and research. Requires cybersecurity risk-management measures (Art. 21), incident reporting on a 24h early warning + 72h notification + 1-month final report cadence (Art. 23), supply-chain security and management-body accountability for non-compliance (Art. 20).

EU Cyber Resilience Act

2024 · 18 clauses · 13 controls

EU horizontal cybersecurity regulation for products with digital elements (hardware + software that can be connected to a device or network). Establishes essential cybersecurity requirements (Annex I), vulnerability handling obligations, conformity-assessment procedures (Annex VIII), CE marking, and 24-hour / 72-hour / 14-day vulnerability + incident reporting. Applies to manufacturers + importers + distributors placing products with digital elements on the EU market. Special categories: important products with digital elements (Annex III) and critical products with digital elements (Annex IV) require stricter conformity assessment routes.

From the taxonomy · auto-derived

Connected components for European Union.

Derived from @regunav/taxonomy at request time — add a new regulator / agent / framework to its source registry and it surfaces here automatically, no copy edits required.

What you get in European Union.

Honest status on every capability — live means wired end-to-end in production. Pick the ones your driver requires; we'll quote a date for anything not yet live.

Framework rule packs

Live
What you get
24 framework rule packs ship populated — SOC 2, ISO 27001, PCI DSS, GDPR, HIPAA, EU AI Act, FedRAMP and more — no empty schemas to fill in.
Problem solved
Buying a compliance tool and finding the rule library empty. Six weeks lost to copy-pasting control text from PDFs before the platform produces anything useful.
ROI
6 weeks saved on first-control-to-evidence onboarding.
Assumes: compared to building one control library per framework in-house.
See all capabilities →

Evidence ranker

Live
What you get
Ranks every artefact you upload against the control it best satisfies — across 24 frameworks at once.
Problem solved
GRC manager spends 8h/week mapping evidence to controls by hand. Most artefacts satisfy 4–7 controls; manual mapping captures one.
ROI (interactive)
8h/wk of compliance-manager time reclaimed
Assumes: team of 50, 3 frameworks in scope, monthly evidence refresh.
See all capabilities →

Sealed evidence packs

Live
What you get
Content-addressed (sha256) evidence bundle the auditor pulls via URL. Replayable byte-for-byte from any timestamp.
Problem solved
Auditor email chain: 'send me the December evidence again, this time with the policy header'. Three round-trips per request.
ROI (interactive)
$120k audit-prep cost avoided
Assumes: 3-framework audit, $250/h loaded GRC rate, baseline ~480h of prep.
See all capabilities →

WORM hash-chained audit trail

Live
What you get
Every action against your tenant logged immutably with a per-row hash chain. Tampering with one row breaks verification of every later row.
Problem solved
Regulator asks 'who approved that change on March 4?' and the answer is a Slack search and a memory.
ROI
Zero regulator findings on access-control evidence.
Assumes: banking-grade auditor sample (typically 25 events) verified against hash chain.
See all capabilities →
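To make the two integrity claims above concrete (the sealed evidence pack addressed by its sha256, and the per-row hash chain under which editing one row breaks verification of every later row), here is a small self-contained model. It is an added illustration, not ReguNav's own code: the row layout, the `GENESIS` anchor, the canonical JSON encoding and every function name are assumptions made for the example, and the sample events are constructed.

```python
"""Append-only audit trail with a per-row hash chain, plus a content-addressed
(sha256) bundle check. Added illustration, not ReguNav's own code: the row
layout, the GENESIS anchor and every function name are assumptions."""
import hashlib
import json
from typing import Any, Optional

GENESIS = "0" * 64  # chain anchor for the first row (assumed convention)


def canonical(payload: dict[str, Any]) -> bytes:
    # Deterministic encoding: key order and whitespace must not change the hash.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash: str, payload: dict[str, Any]) -> str:
    # A row commits to its predecessor's hash; that link is what makes it a chain.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(payload))
    return h.hexdigest()


def append(log: list[dict[str, Any]], payload: dict[str, Any]) -> dict[str, Any]:
    # Write path: only ever adds a row; nothing here rewrites an earlier one.
    prev = log[-1]["hash"] if log else GENESIS
    row = {"prev_hash": prev, "payload": payload, "hash": row_hash(prev, payload)}
    log.append(row)
    return row


def verify(log: list[dict[str, Any]]) -> list[int]:
    """Recompute the chain from GENESIS and return the indices of rows whose
    stored hash or prev_hash disagrees with the recomputation. The running hash
    is recomputed, never trusted from the row, so editing row i also invalidates
    every row after it even though their stored fields are untouched."""
    bad: list[int] = []
    running = GENESIS
    for i, row in enumerate(log):
        expected_prev = running
        running = row_hash(running, row["payload"])
        if row["prev_hash"] != expected_prev or row["hash"] != running:
            bad.append(i)
    return bad


def content_address(blob: bytes) -> str:
    # The bundle's identifier is the sha256 of its bytes.
    return hashlib.sha256(blob).hexdigest()


def fetch_verified(store: dict[str, bytes], address: str) -> Optional[bytes]:
    # Content-addressed retrieval: whatever comes back is re-hashed and must
    # equal the address it was requested by, so a swapped bundle is rejected.
    blob = store.get(address)
    if blob is None or content_address(blob) != address:
        return None
    return blob


def demo() -> tuple[list[int], list[int]]:
    # Constructed sample events; not real tenant data.
    log: list[dict[str, Any]] = []
    for event in [
        {"ts": "2024-03-04T09:12:00Z", "actor": "alice", "action": "approve", "object": "change-17"},
        {"ts": "2024-03-04T09:15:00Z", "actor": "bob", "action": "deploy", "object": "change-17"},
        {"ts": "2024-03-05T11:00:00Z", "actor": "carol", "action": "revoke", "object": "role-admin"},
    ]:
        append(log, event)
    intact = verify(log)                    # []: chain verifies end to end
    log[0]["payload"]["actor"] = "mallory"  # an old row edited in place
    after_edit = verify(log)                # [0, 1, 2]: edited row and all later rows
    return intact, after_edit


if __name__ == "__main__":
    print(demo())
```

The design point is in `verify`: it recomputes the running hash from the anchor instead of trusting each row's stored `prev_hash`, which is why one edited row drags every later row into the failure set. An auditor sampling the 25 events mentioned above would therefore see a break at the sampled position, not only at the row that was changed.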

Regulator + auditor report packs

Live
What you get
Seven stakeholder-shaped report packs (board, regulator, auditor, customer DPA, internal audit, …) generated from your live D1 records.
Problem solved
Four days re-formatting the same data for the board pack, the regulator submission, and the customer security questionnaire.
ROI (interactive)
$96k of GRC time saved annually on report assembly
Assumes: 48 stakeholder-days/yr of report formatting at $250/h.
See all capabilities →

Code Constitution™ GitHub App

Live
What you get
Compliance checks run inline on every PR (≤90s). Findings appear as line+column annotations in the review UI.
Problem solved
Compliance review happens quarterly. By the time the auditor flags a missing model card, it has been in production for 60 days.
ROI (interactive)
$110k of audit-prep + remediation time saved annually
Assumes: ~20 engineers × 220 working days × 5% PR finding rate × 2h post-hoc cost at $250/h.
See all capabilities →
What does a regulator slip cost you?

European Union maximum exposure — live calculator.

Set your annual revenue. We'll show the maximum statutory penalty per regime, capped at either the percentage-of-turnover formula or the statutory floor, whichever binds. A citation is shown for every line so legal can verify.

EU AI Act Art. 99
$3.5M

Max = min(7% of turnover = $3.5M, statutory cap = $38.0M) → capped by % of turnover. Prohibited-AI use, or non-compliance with high-risk system requirements.

GDPR Art. 83(5)
$2.0M

Max = min(4% of turnover = $2.0M, statutory cap = $22.0M) → capped by % of turnover. Lawful-basis failure, cross-border-transfer violation, or DSAR non-response.

DORA Art. 50
$1.0M

Max = min(2% of turnover = $1.0M, statutory cap = $12.0M) → capped by % of turnover. ICT third-party concentration risk; major incident reporting failures.

NIS2 Art. 34
$1.0M

Max = min(2% of turnover = $1.0M, statutory cap = $11.0M) → capped by % of turnover. Essential / important entity reporting + risk-management failures.

EU CRA Art. 64
$1.3M

Max = min(2.5% of turnover = $1.3M, statutory cap = $17.0M) → capped by % of turnover. Product with digital elements placed on market without conformity.

Combined max exposure at this revenue
$8.8M

ReguNav addresses every regime above with a single tenant. The fine isn't hypothetical — DPA / FCA / AI Office decisions are public; we cite priors in the POC walkthrough.

How to decide for European Union.

  1. Identify your supervisor. European Data Protection Board (EDPB) (+ 6 more on this page).
  2. Pick the framework that closes your audit. EU AI Act · GDPR · DORA (+2).
  3. Run the ROI math. Each card above shows the assumption behind the number. Plug in your team size and audit cost — if it doesn't close, neither should the deal.
  4. Book a 30-min walk-through. We demo against a synthetic European Union tenant — same engine that runs your production tenancy. No slide deck.

European Union SaaS, fintech, healthcare-AI, or essential-service?

We work with organisations supervised by every regulator listed above. The jurisdiction-aware engine routes incident reports, DSARs, and FRIA submissions to the correct authority + timeline automatically.

Talk to European Union team →

Jurisdiction codes + regulator data are sourced from @regunav/jurisdictions (Apache-2.0, open-source). Adding a new market is a single registry entry — no copy-paste regulator content. See /uk for the bespoke deep-dive template.