
Policy Generation

Compliance-ready policies. Written by AI, reviewed by your team.

AI-powered policy creation engine built on Mistral AI (EU-sovereign). Generate information security policies, acceptable use policies, incident response plans, and data processing documentation aligned to NIS2, DORA, GDPR, and ISO 27001 requirements. Every policy includes article-level regulatory traceability.

Key Capabilities

What you get

Template Library for 30+ Policy Types

Pre-built templates covering information security policies, acceptable use policies, incident response plans, business continuity plans, data classification policies, access control policies, vendor management policies, and more. Each template is pre-mapped to relevant regulatory requirements across NIS2, DORA, GDPR, and ISO 27001.

AI Draft Generation with Mistral

Mistral AI (EU-sovereign, France-hosted) generates policy drafts tailored to your organisation's industry, size, and regulatory obligations. The AI incorporates your existing control framework, risk appetite, and organisational terminology to produce drafts that read as if written by your compliance team rather than a generic template.

Regulatory Traceability

Every policy section is mapped to specific regulatory articles — an incident response plan traces to NIS2 Article 23(1) for initial notification, Article 23(4) for content requirements, and DORA Article 17(3) for ICT-related incident management. This article-level mapping provides auditors with immediate evidence that policy content satisfies regulatory obligations.

Version Control with Approval Workflow

Policies follow a structured lifecycle: draft, review, approve, publish, and retire. Each version is tracked with full change history, reviewer comments, and approval signatures. Approval workflows enforce that policies are reviewed by designated authorities before publication, satisfying ISO 27001 Annex A.5.1 requirements.

Multi-Language Output

Generate policies in any of 24 EU official languages to support organisations operating across multiple member states. A single policy can be published in multiple languages simultaneously, with the AI maintaining legal and technical terminology consistency across translations. Language-specific legal requirements are incorporated during generation.

Gap Analysis Against Framework Requirements

Compare your existing policy library against the requirements of selected compliance frameworks to identify missing or incomplete policies. Gap analysis highlights which framework requirements lack policy coverage and recommends specific policy templates to close gaps, with estimated effort and priority based on regulatory deadlines.

Workflow

How it works

01

Select Policy Type

Choose from 30+ policy templates or create a custom policy type. Each template comes with pre-configured regulatory mappings, suggested structure, and industry-specific content guidance tailored to your organisation's profile.

02

AI Generates Draft

Mistral AI produces a complete policy draft incorporating your organisation's context, existing control framework, industry terminology, and applicable regulatory requirements. The draft includes regulatory traceability annotations linking each section to specific articles.

03

Team Reviews

Route the draft through your configured approval workflow for review by subject matter experts, legal counsel, and management. Reviewers can comment, suggest edits, and approve or reject sections. All review activity is logged for audit trail purposes.

04

Approve & Publish

Once all required approvals are obtained, the policy is published and distributed to relevant stakeholders. Published policies are automatically linked to compliance controls and evidence records, closing the loop between policy documentation and operational compliance.

Use Cases

Built for your team

Compliance Officer

Rapid Policy Framework Creation

A compliance officer tasked with building a complete NIS2-aligned policy framework uses AI generation to produce 15 policies in days rather than months. Each generated policy maps directly to NIS2 Article 21(2) requirements, from risk management (a) through supply chain security (d) to incident handling (e). The compliance officer reviews and customises each draft for organisational specifics, achieving audit-ready policy coverage in a fraction of the traditional timeline.

DPO

Privacy Documentation Suite

The Data Protection Officer generates GDPR-required documentation including Records of Processing Activities (Article 30), Data Protection Impact Assessments (Article 35), data breach notification procedures (Article 33), and data subject rights procedures (Articles 15-22). AI generation ensures each document references the correct GDPR articles and includes jurisdiction-specific requirements from applicable national data protection laws.

CISO

Security Policy Framework Alignment

The CISO uses policy gap analysis to identify that 8 of 14 ISO 27001 Annex A domains lack formal policy coverage. AI generation produces drafts for access control, cryptography, physical security, and operations security policies, each cross-mapped to NIS2 and DORA requirements as well. The CISO reviews technical accuracy while the approval workflow ensures management sign-off satisfies ISO 27001 Clause 5.2 leadership requirements.

Framework Coverage

Supports your compliance stack

NIS2, DORA, GDPR, ISO 27001, EU AI Act

FAQ

Common questions

Is the AI policy generation EU-sovereign?

Yes. Policy generation uses Mistral AI, a France-based AI provider whose infrastructure is entirely within EU jurisdiction. Your policy content, organisational context, and regulatory data never leave EU borders during AI processing. This satisfies GDPR Articles 44-49 requirements for international data transfers and aligns with the EU's digital sovereignty strategy. Mistral AI is certified under French ANSSI security standards and operates independently of US cloud hyperscaler infrastructure.

How accurate are AI-generated policies and what review process is recommended?

AI-generated policies provide an 80-90% complete first draft that captures regulatory requirements, industry best practices, and your organisational context. However, every AI-generated policy must be reviewed by qualified human experts before publication — AI drafts are a starting point, not a final product. We recommend review by the policy owner for technical accuracy, legal counsel for regulatory compliance, and management for strategic alignment. The built-in approval workflow enforces this multi-stakeholder review process before any policy can be published.

Can policy templates be customised beyond the 30+ built-in types?

Yes. The template editor allows you to create entirely custom policy types with your own structure, sections, and regulatory mappings. You can also clone and modify any built-in template to match your organisation's documentation standards. Custom templates can include mandatory sections, suggested content blocks, and regulatory traceability requirements. Once created, custom templates are available for AI generation with the same contextualisation and regulatory mapping capabilities as built-in templates.

How deep is the regulatory mapping in generated policies?

Regulatory mapping operates at the article and paragraph level, not just the framework level. An incident response policy maps specific sections to NIS2 Article 23(1) for initial notification within 24 hours, Article 23(4)(a-f) for content requirements of each notification stage, DORA Article 17(3)(a-e) for ICT incident management procedures, and GDPR Article 33(3)(a-d) for breach notification content. This granular mapping ensures auditors can trace every policy statement to its regulatory origin without interpretation gaps.

How does policy generation integrate with evidence collection?

Published policies are automatically registered as evidence artefacts in FortisEU's evidence collection module, mapped to the compliance controls they satisfy. When a policy is updated, the evidence record is refreshed and any controls relying on the previous version are flagged for review. Policy review dates are tracked as evidence freshness indicators — when a policy approaches its annual review date per ISO 27001 requirements, evidence drift detection alerts the policy owner. This integration ensures policies remain living compliance documents rather than static files that drift out of date.

See Policy Generation in Action

Create an account and explore the platform, or talk to our team about enterprise deployment.