A software house specializing in EU regulations

We build software you can trust.

WCAG, GDPR, NIS2, EAA and MDR built in from day one, not bolted on at the end. For clinics, law firms, foundations and companies in regulated industries. Start with a free quick-scan.

  • WCAG 2.1 AA
  • GDPR
  • NIS2 Ready
  • EU Accessibility Act
  • MDR (medical)

Makers of Medova — our own SaaS for healthcare, GDPR- and WCAG-compliant. We also work with clinics, law firms and foundations.

  • 5 EU regulations in our stack
  • WCAG 2.1 AA in every project
  • 24h response time
  • 48h quick-scan results
What you lose if you fall short

EU regulations are already in force. So are the penalties.

We collected the maximum sanctions written directly into EU legislation. No scare tactics. Just what is actually at stake when you do nothing.

EAA / Accessibility Act (in force since 28 June 2025)
up to 10% of revenue

The Polish implementation of EAA allows penalties up to 10% of annual turnover for inaccessible digital products.

GDPR (in force since 2018)
up to €20M or 4% of revenue

Maximum GDPR fine. The Polish DPA regularly issues six-figure penalties to Polish companies.

NIS2 (implementation in progress)
up to €10M or 2% of revenue

NIS2 covers a much broader scope of companies than NIS1. Penalties extend to management personally.

AI Act (partially in force since February 2025)
up to €35M or 7% of revenue

The highest penalties of the EU regulatory package. They cover prohibited AI practices and high-risk systems.

MDR 2017/745 (in force since 2021)
withdrawal from the market

An MDR breach means not only a financial penalty but withdrawal of the medical device from the entire EU market.

Fines are an extreme scenario. More often you face audits, service-suspension orders or losing a public tender. Each of these costs more than a well-designed system.

Who we build for

We work with organizations for whom EU compliance is not optional, it is a condition of operating. Each industry has its own specific risks, and we help eliminate them.

Private clinics and medical practices

You are losing patients because of outdated booking and a confusing website. GDPR with medical data carries heavy fines, and the EAA requires that your patient portal be usable by people with disabilities. We build patient portals, online booking and integrations with medical systems.

Law firms

Your website has to build trust and follow GDPR to the letter because clients trust you with sensitive data. Without a client portal and document automation, intake eats time you could spend on cases. We deliver client portals, document automation and lead-generating websites.

Foundations and NGOs

A website that does not collect donations, locks out donors with disabilities and does not meet grant funder requirements. WCAG is now a precondition for public funding. We build accessible platforms with donor systems and grant reporting.

Other regulated industries

HealthTech, fintech, insurance, education, EU-wide e-commerce. Anywhere the EAA, NIS2 or AI Act create real legal risk and a compliance team is waiting for a technology partner who understands what those rules mean in code.

What we build

Two pillars where we do our best work. In both, EU regulatory compliance is built in from day one, not bolted on at the end.

Web applications

Custom apps built around your processes. Patient portals, dashboards for law firms, internal tools.

  • WCAG, GDPR and NIS2 built in from day zero
  • Demos every 1–2 weeks, no surprises
  • Full code ownership, no vendor lock-in
See what we can build

Websites and online services

Fast, accessible, compliant with the European Accessibility Act. For clinics, law firms, foundations and companies in regulated industries.

  • EAA and WCAG 2.1 AA compliance as standard
  • Cookie and GDPR policies without dark patterns
  • Lighthouse 90+ on mobile and desktop
See how we build websites

Why EPKO

4 principles we build every project on.

Accessible to everyone

WCAG 2.1 AA in every project. The European Accessibility Act has been in effect since June 2025. We ship accessibility as a standard, not an upsell.

Secure by law

GDPR, NIS2, OWASP Top 10. Not as add-ons, but as foundations. Data hosted in Finland (EU), not on a cloud in California.

Ethical by principle

Zero dark patterns, zero manipulation. The code is yours: repository, documentation, full intellectual property rights. You stay because you want to, not because you have to.

Close. You talk to the founders

No account managers. Direct line to the CEO/CTO in your contract. A small change by email goes straight to the person delivering it, the same day.

Does your digital product comply with EU law?

EAA, WCAG, GDPR, NIS2. These regulations are already in force. Enter your URL and we'll check EU compliance. Free, results in 48h.

The quick-scan covers WCAG 2.1 AA, GDPR / cookies and NIS2 / security, with results within 48h.

What you actually get within 48 hours

A short, concrete document with the most important recommendations. No commitment, no sales pitch in disguise.

What you get

  • A short PDF report (2-3 pages) reviewing the technical aspects of WCAG, GDPR and NIS2
  • The top 3 technical risks worth addressing first
  • A list of quick wins you can implement on your own or with any vendor
  • An optional short online call if you want to discuss the results

Who does it

  • The scan is run by a member of the EPKO team, supported by automated tools (Lighthouse, axe-core, our own checklists)
  • You correspond directly with the person who signed the report, with no account managers in between
  • The report covers the technical layer and does not replace a formal legal or certification audit
  • If you decide to work with us on remediation, Eryk (CTO) or Patryk (CEO) joins the project

In what form

  • PDF sent by email, accessible to screen readers
  • A short summary of the results in the email body
  • Materials stay with you and can be shared with your legal or IT team
  • Turnaround: 48 hours from request confirmation, on business days


Technology stack

We work with battle-tested tools

We do not experiment in production. We choose technologies with mature documentation, long-term support and security that meets EU requirements.

  • Next.js: React framework
  • TypeScript: type-safe code
  • Supabase: database, auth, storage
  • Sanity: headless CMS for blogs
  • Radix UI: accessibility from day one
  • Tailwind CSS: consistent design system

What you can expect from us

We know choosing a technology partner is a big decision. Here's how we work, so you know what to expect.

Other software houses vs EPKO

  • Compliance. Other software houses: address compliance and regulations late, leading to rework and extra costs. EPKO: we plan for WCAG, GDPR and NIS2 from day one. No rework or surprise costs later.
  • Communication. Other software houses: an account manager passes things along, and nobody knows the details of your project. EPKO: you talk to the people who design and write the code. They know every detail.
  • Timeline. Other software houses: promise 3 months, and it drags on for half a year. EPKO: working MVP in 4–6 weeks, with a timeline we stick to.
  • After launch. Other software houses: communication drops off. EPKO: we stay after launch. Send us an email and the change is live the same day.
  • Budget. Other software houses: scope creeps, budget grows, results don't. EPKO: transparent pricing. You know what you're paying for, no surprises.
  • Attention. Other software houses: your project sits in a queue behind 14 others. EPKO: we deliberately work with 2-3 projects at a time. Yours gets full attention.

Your project launches faster, without surprises. You get exactly what we agreed on.

See full comparison with freelancer and agency

How we work

Every project follows the same four stages, so you know exactly what to expect at each step.

1. We understand your problem

We start with a conversation, not a quote. We want to understand what you're dealing with, what you're losing and what outcome makes sense. You walk away with a clear plan and a value-based price.

2. A prototype you can click

Before we write a single line of code, you see an interactive prototype. You click, test, give feedback, and only then do we start building. No surprises.

3. We build a working solution

Frontend, backend, integrations. Everything is built in sprints, with your involvement. Every week you see live progress, not a report.

4. We launch and stay

Compliance (WCAG, GDPR, NIS2) is built in from day zero, not bolted on at the end. After launch, we don't disappear. We support, monitor and improve.

Compliance and security built into every project

IT systems in regulated industries must meet specific legal requirements, varying by industry, data type and user group. That's why we start by understanding which regulations apply to your project and build an architecture that supports them from day one.

We help scope your requirements, sign data processing agreements, support internal audits and prepare documentation. The goal is simple: zero surprises before launch and a system ready for inspection.

What we don't promise

We're a software house, not a law firm or a certification body. We name the line where our work ends, openly.

  • We are not a law firm. We do not issue legal opinions or interpret regulations.
  • We do not sell "GDPR certificates". We sell architecture, code and technical documentation that holds up to an auditor.
  • We do not run a 24/7 SOC. We have a defined response time during business hours, a runbook and an escalation path.
  • We do not replace your DPO, regulatory affairs or auditor. We work alongside them. Formal decisions stay with your compliance team or external partner.

Frequently asked questions

Answers to the questions we hear most often.

What makes you different from other software agencies?

We build software with compliance baked in from day one: WCAG, GDPR, NIS2. You talk directly to the people who design and write the code. No account managers. And we deliver in weeks, not months.

How do I know this won't turn into another expensive, never-ending project?

Every project starts with a paid discovery. You get a prototype and a clear price before we start building. We price in phases, so you always know what you're paying for. If something won't work, we'll tell you straight, even if it costs us the deal.

What's the cost?

We don't bill by the hour. We price the value of the solution you're getting. A typical project runs €7–15K; discovery starts at €1.2K. Post-launch retainer: €700–2K/month.

Discuss pricing

Have you worked in my industry?

We specialise in regulated industries: medical clinics, law firms, foundations and NGOs. We also build our own products in healthcare (Medova) and for non-profits (SHL). If your industry requires compliance, let's talk.

See our case studies

What technologies do you use?

Next.js, React, TypeScript, Tailwind CSS, Supabase (PostgreSQL), Radix UI. Everything is hosted on our own server in the EU (Finland), not on Vercel or AWS.

Can you utilise AI in my software?

AI is part of our daily work, from planning to deployment. That's how a small team delivers projects faster. But we don't use AI as a marketing buzzword. It's a tool, not a promise.

What if I'm not satisfied with the results?

That's why we start with discovery and a prototype. You see and click the solution before investing in a full build. You can give feedback at every stage. If something doesn't work, we fix it, not explain it.

How quickly can you start?

Usually within 1–2 weeks of the first conversation. Discovery takes about 2 weeks, and the MVP is ready within 2–4 weeks from the start of development.

Book a call

Do I need to manage your developers?

No. We run the project end to end. You get a weekly update with live progress, not a slide deck. Small changes go live the same day after an email.

Can you work with my existing software or team?

Yes. We run a technical review of existing systems (WCAG, GDPR fundamentals, NIS2 baseline at the code and infrastructure layer) and ship the fixes. If you need a formal legal or certification audit, we work alongside a law firm or auditor — yours or one we recommend. We can also join your team as a technology partner.

Have questions? Let’s talk.

The first conversation is free, no strings attached. Tell us about your project and we’ll advise on what makes sense.

Schedule a free consultation

We respond within 24 hours