FORTISEU
Framework Collection

EU Compliance Frameworks

Your authoritative guide to NIS2, DORA, GDPR, and the EU AI Act

Deep-dive into the requirements, timelines, penalties, and implementation strategies for the EU regulations that define your compliance obligations. Written for CISOs, DPOs, and compliance officers at regulated organisations.

EU REGULATION: Applied

DORA

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector

The Digital Operational Resilience Act (DORA) is an EU regulation establishing uniform requirements for financial entities to manage ICT risk, report major ICT-related incidents, test digital operational resilience, and manage ICT third-party risk. Unlike directives such as NIS2, DORA applies directly in all 27 EU Member States without national transposition, creating a single, harmonised ICT risk management rulebook for the financial sector; it has applied since 17 January 2025. Article 2 brings 21 categories of financial entities into scope, from credit institutions and investment firms to crypto-asset service providers, and the regulation introduces an oversight framework for critical ICT third-party service providers designated by the European Supervisory Authorities. FortisEU operationalises DORA compliance with automated ICT risk assessments, incident classification workflows, management of the register of information on ICT third-party arrangements, and coordination of threat-led penetration testing (TLPT).

21 financial entity types
Enforcement
Explore DORA Hub
EU REGULATION: Established

GDPR

Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data

The General Data Protection Regulation (GDPR) is the European Union's landmark data protection law, governing how organisations collect, process, store, and protect the personal data of individuals in the EU and EEA. Adopted in April 2016 and applicable since 25 May 2018, GDPR replaced the Data Protection Directive 95/46/EC with a directly applicable regulation that harmonises data protection rules across all 27 Member States. Eight years of enforcement have established GDPR as the global benchmark for privacy regulation, with EUR 4.3 billion in cumulative fines issued by national data protection authorities. GDPR enshrines data subject rights, including access, rectification, erasure, and data portability, while imposing strict obligations on controllers and processors: mandatory Data Protection Officer appointment for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special categories of data, notification of personal data breaches to the supervisory authority within 72 hours where feasible, and administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. FortisEU operationalises GDPR compliance with automated data mapping, DSAR workflow management, breach notification tracking, and DPO reporting dashboards, all hosted on sovereign EU infrastructure.

8 years enforced
Enforcement
Explore GDPR Hub
EU REGULATION: In Force

EU AI Act

Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive legal framework for artificial intelligence, establishing harmonised rules for AI systems placed on the EU market. It entered into force on 1 August 2024, with its obligations applying in phases. It introduces a risk-based classification with four tiers (unacceptable, high, limited, and minimal risk), each carrying proportionate obligations. Providers of high-risk AI systems must implement a risk management system, ensure data governance, maintain technical documentation, and design the system for human oversight; deployers must operate it according to the provider's instructions and assign that oversight to competent staff. The Act bans certain AI practices outright, including social scoring and real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions). General-purpose AI models face transparency and documentation obligations, with additional systemic-risk obligations for the most capable models. Penalties for prohibited practices reach up to EUR 35 million or 7% of global annual turnover, whichever is higher. The European AI Office coordinates enforcement alongside national market surveillance authorities. FortisEU operationalises EU AI Act compliance with automated risk classification assessments, conformity documentation workflows, AI system inventory management, and cross-framework mapping to GDPR data protection and NIS2 cybersecurity requirements, all hosted on sovereign EU infrastructure.

4 risk tiers
Enforcement
Explore EU AI Act Hub

Operationalise EU Compliance

Turn NIS2, DORA, GDPR, and EU AI Act requirements into automated workflows, evidence collection, and audit-ready outputs. Create an account or schedule a personalised demo.