FORTISEU
Framework Collection

EU Compliance Frameworks

13 frameworks. 5 NIS2 transpositions deep-supported.

Authoritative deep-dives into NIS2, DORA, GDPR, and the EU AI Act — plus 9 additional EU regulations, ISO/IEC standards, AICPA SOC 2, and DACH industry schemes mapped at the control level with verbatim regulatory text and SHA-anchored source attribution. NIS2 is enforced through national laws — we ship verbatim member-state transposition catalogs for the jurisdictions our customers operate in (currently 5, growing as customers activate them).

EU REGULATION · Applied

DORA

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector

The Digital Operational Resilience Act (DORA) is an EU regulation establishing uniform requirements for financial entities to manage ICT risk, report ICT-related incidents, test digital operational resilience, and oversee third-party ICT service providers. Unlike directives such as NIS2, DORA applies directly across all 27 EU Member States without national transposition — creating a single, harmonised ICT risk management rulebook for the financial sector. It covers 21 categories of financial entities, from credit institutions and investment firms to crypto-asset service providers, and introduces an unprecedented oversight framework for critical third-party ICT providers designated by the European Supervisory Authorities. FortisEU operationalises DORA compliance with automated ICT risk assessments, incident classification workflows, third-party register management, and TLPT coordination.

21 Financial Entity Types
Enforcement
Explore DORA Hub
EU REGULATION · Established

GDPR

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data

The General Data Protection Regulation (GDPR) is the European Union's landmark data protection law, governing how organisations collect, process, store, and protect personal data of individuals within the EU and EEA. Adopted in April 2016 and applied since 25 May 2018, GDPR replaced the Data Protection Directive 95/46/EC with a directly applicable regulation that harmonises data protection rules across all 27 Member States. Eight years of enforcement have established GDPR as the global benchmark for privacy regulation, with EUR 4.3 billion in cumulative fines issued by national data protection authorities. GDPR enshrines fundamental rights — including access, rectification, erasure, and data portability — while imposing strict obligations on controllers and processors, mandatory Data Protection Officer appointments, 72-hour breach notification, and penalties of up to 4% of global annual turnover. FortisEU operationalises GDPR compliance with automated data mapping, DSAR workflow management, breach notification tracking, and DPO reporting dashboards — all hosted on sovereign EU infrastructure.

8 Years Enforced
Enforcement
Explore GDPR Hub
EU REGULATION · In Force

EU AI Act

Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence, establishing harmonised rules for AI systems placed on the EU market. It introduces a risk-based classification system with four tiers — unacceptable, high, limited, and minimal risk — each carrying proportionate obligations. Providers and deployers of high-risk AI systems must implement risk management systems, ensure data governance, maintain technical documentation, and enable human oversight. The Act bans certain AI practices outright, including social scoring and real-time remote biometric identification in public spaces (with narrow exceptions). Foundation models and general-purpose AI systems face transparency and systemic risk obligations. Penalties reach up to EUR 35 million or 7% of global annual turnover. The European AI Office coordinates enforcement alongside national market surveillance authorities. FortisEU operationalises EU AI Act compliance with automated risk classification assessments, conformity documentation workflows, AI system inventory management, and cross-framework mapping to GDPR data protection and NIS2 cybersecurity requirements — all hosted on sovereign EU infrastructure.

4 Risk Tiers
Enforcement
Explore EU AI Act Hub
NIS2 family

5 national NIS2 transpositions deep-supported.

NIS2 is one EU directive, but it is enforced through national laws — each with its own competent authority, sectoral scope, and control deviations. FortisEU ships verbatim member-state transposition catalogs (national Official Journal source, SHA-anchored, RAG-grounded) for 5 jurisdictions today; the rest activate when a customer trades in that jurisdiction.

  • DE — BSIG-2025 (NIS2-Umsetzungs- und Cybersicherheitsstärkungsgesetz)
    Germany — BSI
  • HU — 2024. évi LXIX. törvény + key implementing decrees
    Hungary — SZTFH supervision / NBSZ NKI incident route
  • BE — Loi du 26 avril 2024 + Arrêté royal du 9 juin 2024
    Belgium — CCB
  • FR — Loi Résilience (advance preparation, pending adoption)
    France — ANSSI
  • AT — NIS-Gesetz Novelle 2025 (NIS2-Umsetzungsgesetz, draft in legislative process)
    Austria — BMI primary, with sectoral coordination (RTR for telecom, FMA for finance)
Full coverage

9 frameworks mapped at the control level.

The four deep-dive hubs cover the EU laws our customers face most often. The platform also maps controls to 9 additional EU regulations, ISO/IEC standards, US and international frameworks, and sectoral schemes. One control, one evidence link, every framework that asks for it.

International Standards (ISO / IEC + AICPA)

5 frameworks

Audit-ready ISMS, privacy and continuity standards mapped at the control level. Verbatim chunking is forbidden by ISO/IEC + AICPA copyright; we ship paraphrase + control-ID + title only, with cross-framework mappings drawn from authoritative sources.

  • ISO/IEC 27001:2022
    ISMS — Annex A 93 controls, SoA generation
  • ISO/IEC 42001:2023
    AI management system — EU AI Act crosswalk, Annex A 38 AI controls
  • ISO/IEC 27701:2019
    Privacy information management — GDPR-aligned PIMS
  • ISO 22301:2019
    Business continuity — DORA Art. 11–14 + NIS2 BCP backbone
  • SOC 2 Trust Services Criteria
    AICPA — security, availability, confidentiality, processing integrity, privacy. Required by US/UK procurement.

EU Regulations

1 framework

EU laws beyond the four deep-dive hubs that drive procurement questions. Full L1+L2+L3+L4+L5 — verbatim regulatory text with SHA-anchored source attribution.

  • EU Cyber Resilience Act (CRA)
    Cybersecurity for products with digital elements — reporting from Sep 2026, Conformity Dossier export

Payments & Card Industry

1 framework

Industry self-regulatory standards for entities that store, process, or transmit cardholder data. Paraphrase-only chunking under PCI SSC license (similar posture to ISO/AICPA). DORA Art. 28 + GDPR Art. 32 cross-pillar mappings shipped — single TPSP entity satisfies both regimes.

  • PCI DSS 4.0.1
    Payment Card Industry — 12 Requirements, 64-row catalog, SAQ-D-Merchant + AOC export, cardholder vendor TPSP register

DACH Industry & Sector

2 frameworks

Sector-specific frameworks with strong buyer demand in the DACH region. BSI IT-Grundschutz is the implementation backbone for DE-ITSIG2; TISAX is mandatory for automotive tier-1/2/3 supply chains.

  • BSI IT-Grundschutz Edition 2022
    BSI — 104 Bausteine across 10 Schichten, KRITIS implementation backbone
  • TISAX (VDA-ISA 6)
    Automotive industry information security — DACH supplier mandate (BMW / Daimler / VW / Audi / Porsche)

Don't see your framework? Tell us which one — we add new mappings continuously.

Operationalise EU Compliance

Turn NIS2, DORA, GDPR, and EU AI Act requirements into automated workflows, evidence collection, and audit-ready outputs. Create an account or schedule a personalised demo.