Compliance Compass
Your Navigator Through the EU Regulatory Landscape

• The EU is harmonizing cybersecurity, data protection and digital sovereignty EU-wide
• National patchworks are being replaced by binding regulations

• Your customers – especially in B2B – expect demonstrable compliance
• ISO certifications, GDPR conformity and exit capability are becoming standard

• GDPR violations can cost up to 4% of annual turnover
• NIS-2 provides for personal liability of management
• CRA requires continuous vulnerability disclosure

In force since 2018. Protection of personal data, data subject rights, notification obligations. Affects every company processing EU citizens’ data. Fines up to 4% of annual turnover.

More about GDPR

Applicable from October 2024. Extends NIS-1 to 18 sectors. Risk management, incident reporting, supply chain security, management liability. Affects essential/important entities.

More about NIS-2

Applicable from January 2025. Harmonizes ICT risk management, testing, third-party risk. Affects financial institutions and their ICT service providers. Lex specialis to NIS-2.

More about DORA

Applicable from 2027. Product security over entire lifecycle, SBOM, vulnerability disclosure, update obligations. Affects software/hardware manufacturers. CE marking for critical products.

More about CRA

Applicable from September 2025. Data portability, open APIs, prevention of vendor lock-in. Affects cloud providers, IoT manufacturers, software vendors. Functional equivalence and exit runbooks mandatory.

More about Data Act

EU Commission procurement framework. Evaluates cloud services against 8 sovereignty objectives (SOV-1 to SOV-8). SEAL levels as minimum thresholds. EU preference in public procurement.

More about the Framework

Methodology for modern, portable, scalable SaaS applications. Codebase, Dependencies, Config, Services, Build/Release/Run, Processes, Port-Binding, Concurrency, Disposability, Dev/Prod-Parity, Logs, Admin, Security, Telemetry, API-First.

More about 15 Factor App

• For serious violations (e.g. lacking legal basis, insufficient security): up to €20M or 4% of global annual turnover, whichever is higher
• Additionally: reputation damage, customer churn, compensation claims

• Fines up to €10M or 2% of annual turnover
• New: Personal liability for management bodies for breach of duty
• Supervisory authorities can force companies to implement measures
• Worst case: operational prohibition

• Financial supervisory authorities (BaFin, EIOPA, etc.) can identify deficiencies, order measures, restrict activities
• Fines up to €10M or 5% of annual turnover for financial entities
• ICT third-party providers can be “screened” by supervisors and excluded if risky

• Non-compliant products may not enter the EU market
• Market surveillance authorities can order recalls, refuse CE marking
• Fines up to €15M or 2.5% of global annual turnover
• For critical products: EUCC certification mandatory

• Customers can challenge contracts with lock-in clauses
• Fines up to €10M or 2% of annual turnover
• Cloud providers must justify switching fees
• Ensure functional equivalence in porting

• Procurement bodies can set minimum SEAL levels
• Providers who don’t meet these are excluded
• EU preference in tenders
• No direct fine framework, but de facto market exclusion in public sector

• GDPR has been in effect since May 25, 2018
• No more transition period
• Those not yet compliant: immediate action required
• Regular audits, DPIAs, data subject rights processes must be established
• Documentation is mandatory

• EU regulation from 14.12.2022, applicable from 17.10.2024
• Member states had until 17.10.2024 for national implementation
• Germany: implementation ongoing, companies should now identify if affected and implement measures

• DORA applies from 17.01.2025
• Financial entities and ICT third-party providers had since 16.01.2023 to prepare
• Technical standards (RTS/ITS) are being published successively
• Early implementation recommended: ICT risk management framework, testing programs, third-party register

• CRA adopted December 2024, applicable 36 months after entry into force (approx. 2027/2028)
• Manufacturers should start now: SBOM processes, vulnerability disclosure programs, Security by Design in product development
• For critical products: prepare EUCC certification

• Data Act applicable from 12.09.2025 (12 months after entry into force)
• Transition period for existing contracts: 24 months
• Cloud providers must establish exit strategies, open APIs, switching processes
• Contractual lock-in clauses must be revised

• Framework published October 2025, immediately applicable in EU procurement
• Public contracting authorities can set minimum SEAL levels
• Cloud providers should now prepare their sovereignty positioning: EU locations, exit capability, BYOK, open standards, EU-based operations

• EU data residency (Germany), Customer-Managed Keys (BYOK/BYOHSM), encryption at rest/in transit
• ISO 27001-certified ISMS
• DPA/AVV-ready
• Support for DPIAs, data subject rights, incident response
• Audit trails for evidence

• 24/7 monitoring & alerting, structured incident response processes, BCP/DR concepts
• Supply chain transparency (SBOM, CVE scanning)
• EU-based operations, MFA/PAM, vulnerability management
• ISO 27001 certified
• Ideal for essential/important entities

• ICT risk management framework per DORA Art. 6-16
• Documented exit strategies (Art. 28)
• Third-party risk management (Art. 28-30)
• TLPT readiness (Art. 26)
• Structured incident reporting chains (Art. 19)
• Continuous resilience testing
• ISO 27001 certified

• SBOM generation for all platform components
• CVE scanning, vulnerability disclosure processes
• Signed container images, update management
• GitOps-based audit trails
• Transparent supply chain
• Best practice implementation for cloud-native software

• Designed for SEAL-4 (Full Digital Sovereignty) across all 8 sovereignty objectives
• EU-based operations (SOV-1/2/4/7), EU data residency + BYOK (SOV-3)
• Open standards + exit capability (SOV-4/6)
• Transparent supply chains (SOV-5)
• ISO certifications (SOV-7)
• No dependencies on non-EU control

• Open APIs (OpenAPI/Kubernetes standard)
• Standardized formats (YAML/JSON/Helm/OCI)
• Complete exit runbooks, Infrastructure-as-Code porting
• Multi-cloud/multi-provider capable
• No egress fees
• Functional equivalence
• CNCF-certified Kubernetes

• We help you structure your software according to 15 Factor principles: Config externalization, Stateless Processes, Port-Binding, Disposability, Dev/Prod-Parity, Logs, Telemetry, API-First
• Foundation for compliance readiness and lock-in avoidance

• Gap assessment: Where do you stand, what’s missing?
• Roadmap development: Which measures in which order?
• Documentation support: How to build your evidence base?
• We accompany you from analysis through implementation to audit readiness

• We systematically address GDPR, NIS-2, DORA, CRA, Data Act, Cloud Sovereignty Framework, ISO 27001/9001
• Leverage synergies: ISMS as foundation, risk management for all regulations, shared incident response, central audit trails
• Compliance as competitive advantage

• Which regulations affect you?
• Where are the biggest gaps?
• What are the quick wins?

• BYOK, SBOM, exit runbooks, ISO certification – in practice

• ISO certificates, DORA mapping, NIS-2 gap assessment, Cloud Sovereignty self-assessment
• Transparent, auditable, battle-tested