EU Compliance

Software that passes the audit.

WCAG, NIS2, AI Act, GDPR, MDR. We work with these regulations at the technical layer. From the first commit your system has RLS, audit logs, retention controls and subprocessor management. Formal opinions and certification we leave to auditors and law firms we partner with.

Regulations we work with

Five EU regulations that genuinely shape system architecture for regulated industries. Not all of them at once, not all of them for everyone. We tailor the scope to your company.

WCAG 2.2 / EAA

European Accessibility Act

Digital accessibility for websites and applications. Mandatory for most commercial services in the EU since June 2025. We run a technical review of existing systems and design new ones to the standard from day one.

  • WCAG 2.2 AA technical scan with a fix list
  • Components compliant with ARIA and keyboard navigation
  • Contrast, focus, prefers-reduced-motion
  • Technical report for your auditor or compliance team

NIS2

Cybersecurity Directive

IT infrastructure protection, risk management, incident reporting. We implement the technical controls the directive requires. Organizational and legal obligations stay with you or your NIS2 consultant.

  • IT system inventory and dependency map
  • Technical incident runbook and restore plan (RTO / RPO)
  • Security logs, MFA, application access controls
  • Technical support for the incident reporting process your compliance team runs

AI Act

Artificial Intelligence Regulation

AI risk classification, technical documentation, model oversight. We help on the technical side: how to document the system, what safety layers to add. Formal classification is owned by your compliance team or a law firm.

  • Technical support for the risk classification your compliance team runs
  • Technical system documentation and model card
  • Template of FRIA technical sections, for your compliance team to approve
  • Template of an in-application AI usage policy

GDPR

General Data Protection Regulation

Privacy by design at the code and database layer. Especially for special category data (Article 9): health, biometrics, ethnicity. Legal opinions and DPO decisions stay outside our scope.

  • Encryption at rest and in transit
  • Row-Level Security in the database
  • Audit log for every access to sensitive data
  • DPIA template for your DPO to approve, retention mechanics, subprocessor control

MDR 2017/745

Medical Device Regulation

Medical software (SaMD), technical documentation, validation. We support projects at the technical layer. Classification, clinical evaluation and regulatory decisions stay with your regulatory affairs team or consultant.

  • Technical support for the SaMD classification your regulatory affairs team runs
  • Technical sections of the Annex II file (for your RA to complete)
  • Technical support for the risk management plan (ISO 14971)
  • Validation, testing, version control

What it looks like in code

Compliance is not a paragraph in a privacy policy. It is concrete architectural decisions we make on every project.

DPIA and risk assessment as a template

Every project with sensitive data starts with a DPIA. We have our own template that has passed DPO review. The client gets a ready document to approve.

Audit log in every system

Who accessed what and when. Immutable, timestamped, ready for a regulatory request. Standard, not an upsell.

RLS and data isolation in the database

Row-Level Security in PostgreSQL. One patient's data will not leak through an application bug because the database itself refuses to return it to an unauthorized context.
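As an added illustration of the isolation described above (example SQL, not the agency's own code), a minimal PostgreSQL setup assuming a constructed `patients` table keyed by `clinic_id`, an application role `app_user` and a per-request session setting `app.clinic_id`:

```sql
-- Constructed example: patient records scoped to a clinic (tenant).
CREATE TABLE patients (
    id        bigserial PRIMARY KEY,
    clinic_id integer NOT NULL,
    full_name text    NOT NULL,
    diagnosis text                 -- Article 9 health data
);

-- The application connects as a role without BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON patients TO app_user;
GRANT USAGE, SELECT ON SEQUENCE patients_id_seq TO app_user;

-- Enable RLS and force it even for the table owner.
ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
ALTER TABLE patients FORCE ROW LEVEL SECURITY;

-- Only rows whose clinic_id matches the session's tenant are readable
-- or writable. current_setting(..., true) returns NULL when the setting
-- is absent, so a request that forgot to set the tenant sees nothing
-- instead of everything (NULL comparison never passes the policy).
CREATE POLICY clinic_isolation ON patients
    FOR ALL TO app_user
    USING      (clinic_id = current_setting('app.clinic_id', true)::integer)
    WITH CHECK (clinic_id = current_setting('app.clinic_id', true)::integer);

-- Per request: the application sets the tenant inside the transaction.
BEGIN;
SET ROLE app_user;
SET LOCAL app.clinic_id = '42';
SELECT id, full_name FROM patients;          -- only clinic 42's rows

-- Application bug: the query asks for another clinic's rows.
SELECT * FROM patients WHERE clinic_id = 7;  -- 0 rows, the database refuses

-- Application bug: an insert tagged with the wrong clinic.
INSERT INTO patients (clinic_id, full_name) VALUES (7, 'Constructed Name');
-- ERROR: new row violates row-level security policy for table "patients"
ROLLBACK;
```

The policy applies regardless of which query the application builds, so a missing WHERE clause or a wrong tenant id in application code cannot widen the result set beyond the session's clinic.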

Incident runbook in the contract

Who calls whom, by when, what steps. RTO and RPO defined in the SLA. Business continuity plan (BCP), backups, escalation.

What we do not promise

  • We are not a law firm. We do not issue legal opinions.
  • We do not sell "GDPR certificates". We sell architecture and documentation that holds up to a regulator.
  • We do not run a 24/7 SOC. We have a defined response time in business hours, a runbook and escalation.

Will your system stand up to inspection in 6 months?

Book a call. In 30 minutes we will check where you are, what is missing and what it costs.

Book a consultation