GDPR, NIS2, ePrivacy, Cyber Resilience Act.
Personal data and cybersecurity obligations from the EU privacy and cyber stack. Cross-references with national transpositions.
SERVICE PRACTICE · REGULATORY ADVISORY
Regulatory compliance advisory.
We map your obligations across GDPR, NIS2, AI Act, DORA, AML, MiFID II, ePrivacy, CSRD and adjacent regulations. We design the multi-regulation programme, run the horizon-scanning function, and stand as your contact with supervisory authorities.
REGULATORY.DESK · LAST 30 DAYS● LIVE
Regulations tracked across jurisdictions47
Horizon scan reports issuedmonthly cycle12
Authority consultations attended6
Cross-regulation conflicts flagged14
Programme integration reviews8
Board briefings delivered4
TRUSTED BY 300+ EU ORGANISATIONS
ROCHESIEMENSIKEAASTRAZENECAVODAFONEPHILIPSJUST EAT
FREE 30-MIN CONSULTATION
Talk to a senior advisor.
One business day reply. Clear next steps and indicative pricing.
1 BUSINESS DAY REPLY·NDA ON REQUEST·NO OBLIGATION
§ 01 / WHAT WE COVER
Regulatory load.
DORA, MiFID II, AML, EU AI Act.
Financial services and AI obligations. Sector-specific guidance from EBA, ESMA, EDPB and AI Office.
CSRD, Data Act, DSA, DMA, Whistleblowing.
Adjacent regulations that affect compliance posture: sustainability reporting, data economy, platform liability, internal reporting channels.
TYPICAL OPERATOR FINES
Up to €10M or 2% turnover
Procedural failures across most EU regulations. GDPR Tier 1, NIS2 Article 34, DORA Article 50.
MATERIAL OR CROSS-REG
Up to 7% turnover
AI Act prohibited practices (€35M / 7%), substantive GDPR violations (€20M / 4%), MiFID II major breaches.
§ 02 / SCOPE BY REGULATION
Core obligations.
CORE OBLIGATIONS · BY REGULATION
GDPRPersonal data protectionRecords of processing, DPIAs, DPO, breach notification, transfers.
NIS2CybersecurityArticle 21 measures, Article 23 reporting, management body training.
AI ACTAI conformitySystem classification, technical documentation, conformity assessment, human oversight.
DORAFinancial ICT resilienceICT risk framework, incident reporting, third-party register, resilience testing.
CSRD / AMLSustainability / financial crimeCSRD ESRS reporting, AML risk assessment, KYC, transaction monitoring.
TYPICAL EVIDENCE ARTEFACTS
POLICYPolicy and standards stackSingle policy architecture covering all in-scope regulations.
RECORDSCross-regulation recordsGDPR Art. 30 records extended to AI systems, DORA ICT, NIS2 assets.
RISKRisk registerUnified risk register integrating privacy, cyber, AI, ICT and financial-crime risk.
AUDITInternal audit programmeMulti-regulation audit cycle aligned with supervisory expectations.
BOARDBoard reporting cadenceQuarterly board pack covering material changes across the stack.
§ 03 / ENGAGEMENT MODELS
Engagement models.
FULLMOST POPULAR
Regulatory Advisory Retainer
Ongoing horizon scanning, multi-regulation programme oversight, supervisory liaison, board reporting. Monthly retainer with named partner.
- →Monthly horizon scan
- →Multi-regulation programme oversight
- →Supervisory authority liaison
- →Board reporting cadence
MAP4-6 WK
Regulatory Mapping and Strategy
One-off engagement to map all applicable regulations to your business, design the multi-regulation programme, and prioritise actions.
- →Regulation applicability mapping
- →Cross-regulation gap register
- →Multi-regulation programme design
- →Executive readout and roadmap
BRIEFPAY-AS-YOU-GO
On-Call Regulatory Briefings
Pay-as-you-go senior partner time. Strategic regulatory questions, board prep, supervisor queries, transaction support.
- →Senior partner time
- →Strategic regulatory advice
- →Board prep
- →Transaction support
§ 04 / SCOPE
Scope of work.
01 / 04
Horizon and scanning
- Monthly horizon scan report
- Authority guidance tracking
- Draft legislation impact analysis
- Sector-specific updates
- Quarterly trend briefings
02 / 04
Programme design
- Multi-regulation programme architecture
- Cross-regulation policy stack
- Unified risk register
- Integrated audit plan
- Roles and responsibilities (RACI)
03 / 04
Authority liaison
- Supervisory authority contact
- Consultation responses
- Pre-supervisory readiness reviews
- Authority correspondence
- Investigation support
04 / 04
Board and executive
- Quarterly board reporting
- Material change briefings
- Strategic regulatory advice
- M&A regulatory due diligence
- Annual programme report
§ 05 / HORIZON SCANNINGSee sample horizon scanPDF · 14 PP
How we run the programme.
We run the multi-regulation programme, build the obligation register, schedule the deliverables and brief the board. The supervisor receives a consistent file across every regime.
Briefing cadence
Monthly
Regulations tracked
47
Authority sources
120+
Board distillation
Quarterly
SAMPLE.HORIZON.SCANOCT 2026
EDPB consistency decisions3 material
EBA draft RTS / ITS2 in consultation
AI Office guidance updates1 high-impact
National transpositions changed4 jurisdictions
Court rulings flagged2 CJEU
Sector guidance issued6 across EU
SIGNED. IVANA ŠARIĆ, DIRECTOR. REGULATORY STRATEGY
§ 06 / SELECTED WORK
All case studies →Recent engagements.
CASE 01Tier-2 EU bank
Single regulatory programme covering DORA, AML, GDPR and MiFID II.
4
Regulations
6
Jurisdictions
0
Audit findings
SCOPERegulatory Retainer · Multi-reg programme · Authority liaison
CASE 02Pan-EU AI scale-up
Combined AI Act and GDPR programme mapped to product roadmap.
23
Systems mapped
7
Conformity files
0
Launch delays
SCOPERegulatory Mapping · AI Act · GDPR · DPIA integration
CASE 03Pharma · 4,000 employees
Horizon scanning function stood up across 11 EU jurisdictions.
11
Jurisdictions
12
Monthly reports
8
Surprises avoided
SCOPERegulatory Retainer · Horizon scanning · Board reporting
§ 07 / WHY THIS MATTERS
Regulatory landscape.
300+
New or updated EU regulatory acts since 2020
47
In-scope regulations for a typical mid-market EU group
6
Average supervisory authorities involved per group
4 wk
Typical lag between authority guidance and operational impact
TREND 01
Cross-regulation enforcement is the new normal
Single incidents now trigger parallel investigations under GDPR, NIS2, AI Act and sector regulations. Authorities coordinate; defendants need a single story.
TREND 02
Management body accountability has moved up the stack
NIS2 Article 20, DORA management body obligations, and AI Act human-oversight design all put named individuals on the hook. Board briefings are now operational, not optional.
TREND 03
Sector guidance changes faster than the law
EDPB, EBA, AI Office and national authorities publish guidance monthly. The law text changes annually, but operational obligations shift with each guidance update.
§ 08 / FAQ
Common questions.
01Why not just use our existing law firms?+
Law firms produce excellent legal opinions. They do not run the operational compliance programme. Our retainer covers the operational layer: policy stack, records, risk register, supervisory liaison, board reporting. We coordinate with your law firm on contested matters.
02How do you handle regulations we are not yet subject to?+
The horizon scan tracks draft legislation and national transpositions. We flag the date of likely applicability, the scope test, and the operational impact. You get the runway to plan, not a surprise.
03How do you avoid duplication with our existing compliance teams?+
We integrate. Your internal team owns the day-to-day. We provide oversight, multi-regulation strategy, horizon scanning, and senior cover for complex matters. Engagement letter defines the handoff points.
04Do you cover non-EU regulations?+
We cover EU and EEA regulations directly. For UK, Switzerland, and EU-adjacent jurisdictions, we coordinate with local counsel. US, APAC and other non-EU regulations are out of scope.
05How do you support a supervisory investigation?+
We coordinate the response, prepare evidence, brief executives, and attend meetings. For complex matters involving multiple regulations, we run the cross-regulation defence strategy and coordinate with your law firm.
06Can the retainer cover multiple legal entities?+
Yes. Group structures with multiple entities and jurisdictions are standard. We map entity-by-entity obligations, define group reporting cadence, and coordinate the single point of contact with supervisory authorities.
§ 09 / RESOURCES
Templates and guides.
GUIDEPDF · 28 pages
EU Regulatory Map 2026
Visual map of 47 in-scope EU regulations with application timelines, scope tests and cross-references.
Download ↓EMAIL REQUIRED
GUIDEPDF · 22 pages
Multi-Regulation Programme Blueprint
Reference architecture for a single compliance programme covering GDPR, NIS2, AI Act, DORA and AML.
Download ↓EMAIL REQUIRED
TEMPLATEPDF + DOCX
Board Regulatory Briefing Pack
Quarterly briefing template covering material changes, risk register updates, and supervisory matters.
Download ↓EMAIL REQUIRED
§ 10 / RELATED PRACTICES
Related practices.
Data Protection and GDPR
Personal data is the largest single regulatory exposure. Full programme delivery and DPO.
Open practice →Cybersecurity and NIS2
Article 21 measures, Article 23 reporting, management body training under Article 20.
Open practice →Financial Compliance
DORA, MiFID II, AML and sanctions. Sector-specific delivery.
Open practice →11 / GET STARTED
Talk to a senior advisor.
Free initial meeting. Clear next steps. Indicative pricing within one business day.