01
Cross-border data and sub-processor sprawl
US clouds, India dev shops, EU data residency. Schrems II transfer impact assessments multiply with each vendor.
IMPACTCustomer audits stall on the third sub-processor query.
SECTOR PRACTICE · TECHNOLOGY & AI
EU compliance for technology & AI
Advisory on EU AI Act, GDPR for AI systems, NIS2 and cybersecurity
REGULATIONS.STACK · TECH+AI● 09
GDPRPersonal data, transfers, DPO
NIS2Cyber for digital infra & cloud
AI ACTRisk classification + conformity
DSAOnline intermediaries & platforms
DMAGatekeeper obligations
DATA ACTData sharing & cloud switching
CRACyber-resilience for products
EPRIVACYCookies, marketing, metadata
DORAIf you serve financial entities
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHO WE SERVE
Tech Sectors We Support
The applicable laws change with the business model. We sequence the obligations that bind your business specifically.
B2B SAAS
Enterprise SaaS & API platforms
Multi-tenant data, sub-processor stacks, customer audits.
GDPRNIS2CRADORA*
AI / ML
AI vendors & ML platforms
Annex III classification, training-data provenance, GPAI.
AI ACTGDPRDATA ACT
PLATFORMS
Marketplaces & online intermediaries
Trader verification, transparency, T&Cs, illegal content.
DSADMAGDPR
CLOUD / INFRA
Cloud, hosting, IaaS & PaaS
Essential-entity NIS2, switching, customer transfers.
NIS2DATA ACTGDPR
HARDWARE / IOT
Connected products & embedded
Cyber-resilience essential requirements, vulnerability handling.
CRANIS2GDPR
FINTECH
Payments, lending, neobanks
ICT third-party risk, resilience testing, supervisory reporting.
DORAGDPRAMLNIS2
§ 02 / LANDSCAPE
The regulatory clock for tech.
Eight regimes interlock. We sequence them around your release cadence.
LIVEGDPR
IN FORCE
Personal data, transfers, DPO
Lawful basis, Art. 28 sub-processor stack, Schrems II transfer impact assessments, breach reporting (72h), data subject rights at scale.
LIVENIS2
IN FORCE
Cyber for digital infrastructure
Essential and important entity classification. Risk management, 24h and 72h CERT reporting, supply-chain assurance, board accountability.
LIVEAI ACT
IN FORCE
Prohibited and GPAI obligations live
Prohibited practices banned (Feb 2025). GPAI obligations from Aug 2025. Annex III high-risk gates open Aug 2026.
LIVEDSA
IN FORCE
Platforms and intermediaries
Notice-and-action, T&Cs transparency, trader traceability for marketplaces. Annual reporting. VLOPs face additional risk-assessment duties.
NEXTDATA ACT
SEP 2025
Data sharing and cloud switching
Connected-product data access for users. Cloud-switching obligations: portability windows, fee phase-out by 2027.
CRITICALAI ACT
AUG 2026
High-risk system obligations
Annex III conformity, technical file (Annex IV), post-market monitoring, fundamental-rights impact assessments for deployers.
CRITICALCRA
DEC 2027
Cyber-resilience for products
Connected products (hardware + software) must meet essential cybersecurity requirements, vulnerability handling, conformity and CE marking.
PLANNEDEPRIVACY
TBD 2026+
ePrivacy Regulation
Replaces national cookie laws with a single regime. Stricter consent, communications confidentiality, marketing.
§ 03 / WHAT TO SOLVE
Where tech and AI businesses get stuck.
02
NIS2 scope creep into digital infrastructure
Cloud providers, managed services, data-centre operators classified essential. Important-entity SaaS in scope from 250 staff or €50M turnover.
IMPACTPersonal liability for boards. €10M or 2% turnover ceiling.
03
AI Act risk classification across the portfolio
Recruitment, credit scoring, biometric ID, education, critical infra controls all caught. Most teams under-scope.
IMPACTMis-classified deployment means market withdrawal.
04
CRA cyber-resilience for connected products
Hardware-plus-software products need conformity, CE marking, vulnerability handling, 5-year support window.
IMPACTNo CE means no EU shelf space from Dec 2027.
05
Cookies, ePrivacy and marketing under one regime
National cookie law fragmentation. Server-side tracking. Consent-or-pay debates. Marketing automation auditability.
IMPACTMember-state DPAs are issuing six-figure fines monthly.
06
Customer audits as a recurring sales blocker
Enterprise procurement asks for SOC 2, ISO 27001, GDPR Art. 28, sub-processor lists, DPIAs, transfer mechanisms.
IMPACTDeal cycles stretch 6 to 12 weeks per audit pack.
§ 04 / OFFERING
Our Services for Technology Sector
TX-01
GDPR programme for SaaS and platforms
Records of processing, sub-processor stack, transfer impact assessments, customer audit pack, DPO function or co-DPO model.
DROPADTIA libraryDAudit pack
TX-02
NIS2 readiness and ISMS
Entity classification, gap assessment, ISMS build (ISO 27001-aligned), incident reporting playbook, supply-chain due diligence.
DGap reportDISMSDIncident SOP
TX-03
AI Act classification and conformity
System inventory, Annex III mapping, risk-management system, technical file (Annex IV), human oversight, post-market monitoring.
DClassificationDAnnex IV fileDPMM
TX-04
DSA and DMA programme for platforms
Notice-and-action, trader verification, T&Cs transparency, statement-of-reasons, annual transparency report. VLOP risk assessments.
DDSA toolkitDNA workflowDReports
TX-05
CRA conformity for connected products
Essential-requirements assessment, secure-by-design review, vulnerability handling process, conformity route, technical documentation.
DCRA gapDConformityDCE pack
TX-06
Vendor and sub-processor due diligence
Foundation-model providers, MLaaS, data labellers, infra. Art. 28 GDPR plus AI Act value chain plus DORA ICT third-party register.
DVendor registerDDPA stackDRisk score
TX-07
Cookies, consent and ePrivacy
Consent management platform review, server-side tracking audit, marketing automation legality, DPA enforcement defence.
DCMP auditDCookie registerDNotices
TX-08
Incident response and breach handling
CERT reporting (NIS2 24h/72h), GDPR 72h notification, customer comms, authority liaison, post-incident regulatory hygiene.
DIR runbookDNotificationDLiaison
TX-09
Outsourced DPO or co-DPO
Senior privacy advisor named to the supervisory authority, data subject request handling, DPIA reviews, board-level reporting cadence.
DDPO contractDDSAR opsDBoard memos
§ 05 / SELECTED WORK
All case studies →Tech and AI engagements.
CASE 01Series-C Enterprise SaaS
GDPR and NIS2 programme for a 600-customer EU SaaS. Customer audits dropped from 8 weeks to 5 days.
600+
CUSTOMERS COVERED
5 days
AUDIT CYCLE
34
SUB-PROCESSORS MAPPED
SCOPEGDPR · NIS2 · ISO 27001 · Sub-processor governance
CASE 02B2B AI vendor (HR-tech)
Annex III high-risk recruitment AI: conformity, CE marking, post-market monitoring live.
Internal
CONFORMITY ROUTE
11/11
CUSTOMER AUDITS
€8.4M
ARR RETAINED
SCOPEAI Act high-risk · Deployer support · ISO 42001
CASE 03Online marketplace (DSA)
DSA toolkit deployed pre-deadline. Notice-and-action, trader verification, statement-of-reasons live in 14 weeks.
Yes
ON-TIME
< 24h
NA WORKFLOW LATENCY
Filed
ANNUAL REPORT
SCOPEDSA · GDPR · Consumer rights · Content moderation
§ 06 / FREE TOOL
Map your stack to the EU rulebook.
Eight questions about your business model, scale and data flows. Get an indicative obligations map across GDPR, NIS2, AI Act, DSA, CRA, DORA and ePrivacy. No email gate.
Run obligations mapper~ 4 MINMAPPER.PREVIEWSTEP 4 / 8
Does your platform host third-party content, listings, or trader offerings to EU users?
Yes, marketplace or intermediaryA
Yes, UGC at scale (more than 45M EU users)B
No, first-party content onlyC
Not sureD
INDICATIVE → DSA INTERMEDIARY · ART. 16 + ART. 30
§ 07 / FAQ
Frequently Asked Questions
01Are we in scope for NIS2 if we are a SaaS company?+
Likely yes if you operate as digital infrastructure, a managed service provider, a data centre, or a cloud-computing service, and if you exceed 50 staff or €10M turnover. Important entities are the typical bracket. Essential entities apply to top-of-market cloud and DNS.
02We use AI from third-party vendors. Are we still in scope for the AI Act?+
Yes. Deployers carry their own duties under Art. 26: human oversight, monitoring, and (for some systems) Fundamental Rights Impact Assessments. Procurement contracts need updating to evidence the provider's conformity.
03Does the AI Act apply to internal-only tools?+
It applies whenever the output is used in the Union, regardless of where the system is developed or deployed. Internal HR or productivity AI affecting EU staff is in scope.
04How does DSA apply to a B2B SaaS?+
Pure B2B SaaS without third-party content hosting is generally outside DSA scope. The moment you host user-generated listings, comments, or trader offerings to EU consumers, DSA intermediary duties trigger.
05What does the Cyber Resilience Act mean for our hardware product?+
CRA covers connected products with digital elements placed on the EU market from December 2027. Conformity assessment, CE marking, vulnerability handling, security updates for at least five years. We help you assess essential requirements and pick a conformity route.
06Can the same documentation cover GDPR DPIA and AI Act conformity?+
Substantially yes. We produce a combined evidence pack so you do not maintain two parallel programmes. Article-mapping is included.
07How do you handle our SOC 2 and ISO 27001 work alongside EU compliance?+
We mesh the EU-specific controls into your existing certification programme, mapping clauses across frameworks so a single evidence base satisfies SOC 2, ISO 27001, GDPR Art. 32, NIS2 Art. 21 and CRA essential requirements.
08Do you work with our existing engineering and ML teams?+
Yes. We embed compliance into your SDLC and MLOps rather than running it parallel. Your engineers stay in their tools. We instrument the evidence.
§ 08 / RELATED
Related practices.
Data Protection (DPO)
GDPR programme, DPIA library, customer audit pack and supervisory authority liaison.
Open practice →AI Compliance
AI Act conformity, ISO 42001 implementation and AI risk-management for providers and deployers.
Open practice →Cybersecurity
ISMS, ISO 27001, NIS2 controls, vulnerability programme and customer-audit readiness.
Open practice →09 / GET STARTED
Prepare your tech company for EU regulations
Typical outcomes: AI risk classification, required controls implemented, documentation prepared.