Regulatory Exports
Regulator-ready submissions. One click.
Pre-built export templates for mandatory regulatory submissions. Generate NIS2 incident reports (Art. 23 format), DORA ICT third-party registers (Art. 28(3)), GDPR breach notifications (Art. 33), ROPA (Art. 30), and DPIAs (Art. 35). Each export pulls live data from your FortisEU workspace — no manual compilation.
What you get
NIS2 Incident Report Templates
Generate incident reports aligned to NIS2 Article 23 notification requirements including the early warning (24h), incident notification (72h), and final report formats. Templates pre-populate from incident management data with affected service descriptions, impact assessments, and cross-border impact indicators required by competent authorities.
DORA ICT Register Export
Produce the DORA Article 28(3) register of information on all contractual arrangements with ICT third-party service providers. The export pulls vendor data, contract details, criticality assessments, and substitution plans from your vendor risk management module, formatted to the technical standard specified by the ESAs.
GDPR Breach Notification
Generate GDPR Article 33 breach notification documents in the format required by national Data Protection Authorities. Templates include all mandatory content per Article 33(3)(a-d): nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed to mitigate effects.
ROPA Generation
Produce Records of Processing Activities as required by GDPR Article 30, pulling processing activity data, purpose specifications, data categories, recipient lists, retention periods, and technical/organisational security measures from your FortisEU workspace. ROPA exports can be generated per controller, per processor, or consolidated.
DPIA Export
Generate Data Protection Impact Assessments as required by GDPR Article 35 for high-risk processing activities. DPIA exports include systematic descriptions of processing operations, necessity and proportionality assessments, risk assessments for data subjects, and planned mitigation measures — all formatted for DPA submission.
Scheduled Export Automation
Configure recurring exports for regularly submitted regulatory documents. DORA ICT registers can be scheduled for quarterly generation, ROPA for annual updates, and compliance status reports for board cycles. Scheduled exports are generated automatically, reviewed by designated approvers, and archived with version history.
How it works
Select Export Type
Choose from the regulatory export catalogue — NIS2 incident reports, DORA ICT registers, GDPR breach notifications, ROPA, DPIAs, or custom regulatory templates. Each export type displays the applicable regulation, required content fields, and data sources that will be used.
System Pulls Live Data
FortisEU automatically populates the export template with live data from your workspace — incident details from incident management, vendor information from TPRM, processing activities from data mapping, and control assessments from compliance automation. No manual data entry required.
Review & Customise
Review the auto-populated export and customise narrative sections, add contextual commentary, and verify data accuracy before finalisation. The review interface highlights any mandatory fields that require attention or data gaps that should be addressed.
Export PDF/CSV
Generate the final export in PDF format for regulatory submissions or CSV for data-oriented registers. Exports include a metadata header with generation timestamp, data freshness indicators, and a unique document identifier for audit trail purposes. Completed exports are archived in the compliance evidence library.
Built for your team
GDPR Regulatory Submissions
The DPO uses regulatory exports to maintain an always-current ROPA per GDPR Article 30, generate DPIA documents per Article 35 for new processing activities, and produce breach notification documents per Article 33 when incidents involve personal data. Rather than manually compiling these documents from scattered data sources, the DPO generates them from live FortisEU data and focuses review time on narrative quality and completeness rather than data gathering.
DORA ICT Third-Party Register Maintenance
The compliance officer generates the DORA Article 28(3) ICT third-party register quarterly, pulling current vendor inventory, contract details, criticality assessments, and exit strategies from the vendor risk management module. The register export is formatted to ESA technical standards and includes all mandatory fields. Version history tracks changes between quarterly submissions, providing regulators with a clear audit trail of ICT third-party relationship evolution.
NIS2 Incident Reporting Compliance
When a significant incident occurs, the CISO generates NIS2 Article 23 incident reports directly from incident management data. The early warning template (24h deadline) is populated immediately with known facts, the incident notification (72h) adds technical details and impact assessment, and the final report incorporates root cause analysis and remediation measures. This structured export workflow ensures the organisation meets mandatory notification timelines without scrambling to compile information under pressure.
Supports your compliance stack
Common questions
What export formats are supported?
Regulatory exports support PDF for formal regulatory submissions with professional formatting, headers, and pagination. CSV/Excel exports are available for data-oriented registers such as the DORA ICT third-party register and GDPR ROPA where regulators or auditors may want to analyse the data programmatically. XML export is supported for submissions to regulatory platforms that accept structured data intake. All exports include metadata headers with generation timestamps, data sources, and version identifiers for audit trail purposes.
How does FortisEU ensure export data freshness?
Every regulatory export pulls live data from your FortisEU workspace at generation time, ensuring the export reflects your current state rather than a stale snapshot. Data freshness indicators in the export header show the last update timestamp for each contributing data source — for example, vendor risk scores may have been refreshed daily while incident data updates in real time. If any contributing data source has not been refreshed within its expected cycle, the export flags this with a data freshness warning, alerting reviewers to verify the affected sections.
How does FortisEU keep regulatory templates current with evolving requirements?
Regulatory export templates are maintained by the FortisEU compliance team and updated when regulatory requirements change — for example, when the ESAs publish updated technical standards for the DORA ICT register format or when a national DPA modifies its breach notification form. Template updates are applied automatically through the platform update cycle. FORTIS LEX (regulatory intelligence) monitors for changes to regulatory reporting requirements and triggers template review when relevant updates are detected. Customers are notified of template changes that may affect their established export workflows.
Are there jurisdiction-specific export variants?
Yes. Several regulatory exports have jurisdiction-specific variants reflecting differences in national transposition and DPA requirements. GDPR Article 33 breach notification templates vary by member state — the CNIL (France), BfDI (Germany), and Garante (Italy) each require slightly different formats and supplementary information. NIS2 incident report templates adapt to the national competent authority's requirements in each operating jurisdiction. FortisEU maintains these variants and maps them to your operating footprint, generating the correct template for each jurisdiction automatically.
How are completed exports tracked for audit purposes?
Every generated export is archived in the compliance evidence library with a unique document identifier, generation timestamp, data sources used, reviewer identity, and approval status. The audit trail records who generated the export, who reviewed it, who approved it, and when it was submitted to the regulatory authority. Version history shows how exports for the same regulatory obligation have evolved over time. This complete chain of custody satisfies ISO 27001 documented information requirements and provides regulators with evidence of systematic, repeatable reporting processes.
Related features
Compliance Automation
Map once. Comply everywhere.
Learn moreIncident Management
From detection to regulatory report. Every deadline tracked.
Learn moreVendor Risk Management
See your supply chain risk. Before regulators do.
Learn moreRegulatory Intelligence
Every EU regulatory change. Analysed before it reaches your inbox.
Learn moreSee Regulatory Exports in Action
Create an account and explore the platform, or talk to our team about enterprise deployment.