EU regulatory compliance tools

Structured assessments for EU financial and AI regulation

Two purpose-built compliance workbenches. One for DORA. One for EU AI Act + NIS2. Browser-based, no cloud, no installation — from €399/year.

DORA · Reg. (EU) 2022/2554 | EU AI Act · Reg. (EU) 2024/1689 | NIS2 · Dir. (EU) 2022/2555 | Aligned March 2026
📁
Single file. No cloud.
One HTML file per tool. Open in any browser — no installation, no account, no data leaving your device. Works offline. Your assessment data stays with you.
⚖️
Dual-role verification.
Provider self-declares. Independent Assessor verifies. Each answer is scored separately and the delta is surfaced — so gaps found by the assessor are immediately visible.
🔒
Audit-ready output.
Every change is logged with role, timestamp and action. The compliance report is exportable. The audit trail is tamper-evident. Ready to share with regulators or internal audit.

Two regulations. Two tools.

Each tool is built for a specific regulatory audience and maps the full obligation set — not a simplified checklist.

DORA · Reg. (EU) 2022/2554
RegVanta DORA
For financial entities subject to the Digital Operational Resilience Act — banks, insurers, investment firms, payment institutions, crypto-asset service providers and their ICT third-party providers. Available in Light and Complete editions.
14 Control areas
60 Questions
5 DORA pillars
Mar '26 Aligned
Covers all 5 DORA pillars
ICT risk management framework (Arts. 5–16)
ICT incident management & reporting (Arts. 17–23)
Digital operational resilience testing + TLPT (Arts. 24–27)
ICT third-party risk + contracts (Arts. 28–44)
Governance, BCP, info sharing & register (Arts. 5, 11, 28, 45)
RTS 2025/532 ✓ ITS 2024/2956 ✓ CTPP list Nov 2025 ✓ TIBER-EU Feb 2025 ✓
EU AI Act + NIS2
RegVanta EUAI-NIS2
For organisations deploying or operating AI systems in regulated sectors — mapping EU AI Act obligations, NIS2 cybersecurity requirements, and the six control areas where both apply simultaneously.
14 Control areas
58 Questions
6 Shared areas
Mar '26 Aligned
14 control areas across both regulations
6 shared areas — risk, logging, supply chain, incident, monitoring, data governance
4 EU AI Act areas — conformity, human oversight, accuracy, transparency
4 NIS2 areas — cryptography & MFA, BCP, access control, management accountability
Shared evidence field — one entry satisfies both regulations
EU AI Act Arts. 9–15 ✓ NIS2 Art. 21 ✓ Two editions ✓

Different tools for different audiences

Each tool is targeted — choose the one that matches your regulatory obligation.

RegVanta DORA — for
Financial entities & ICT providers
  • Credit institutions, banks and savings banks
  • Investment firms and asset managers
  • Insurance and reinsurance undertakings
  • Payment institutions and e-money institutions
  • Crypto-asset service providers (CASPs)
  • ICT third-party service providers to the above
  • Compliance consultancies conducting DORA gap assessments
RegVanta EUAI-NIS2 — for
AI-deploying organisations in regulated sectors
  • Healthcare, energy, transport and financial organisations deploying AI
  • Public sector entities using AI for administrative decisions
  • Essential and important entities under NIS2
  • AI system providers bringing high-risk systems to market
  • DPOs and CISOs at the intersection of AI and cybersecurity
  • Legal and compliance consultancies advising on EU AI Act readiness

From download to compliance report in one session

No setup. No training. Open the file and start assessing.

01 · Purchase & download
You receive a single HTML file by email. Save it anywhere — desktop, shared drive, USB. No installation, no account creation.
02 · Provider completes assessment
The financial entity or AI-deploying organisation fills in the project details, then works through each control area — answering Yes / Partial / No / N/A with evidence notes.
03 · Assessor independently verifies
An independent assessor — internal audit, external consultant, or peer reviewer — logs in separately and provides their own answers. Gaps are scored automatically.
04 · Report & action register
Instant weighted compliance score. Prioritised action register with owner and due date fields. Exportable report. Tamper-evident audit trail. Save progress as JSON, reload at any time.

Choose the right edition

All editions include the full question set, weighted scoring, and compliance report. The difference is access control and audit depth.

Feature | Light | Complete | Pro
Access & roles
Role-based access (Provider / Assessor / Admin)
Open access, no login
Password protection with recovery keys
Admin panel & user management
Assessment & scoring
Full question set (all sections)
Weighted compliance scoring
Provider vs Assessor delta scoring
Action register with owner & due date
Audit & export
Audit trail | Activity log, not role-attributed | ✓ Tamper-evident, role + timestamp on every change | ✓ Tamper-evident
Save & reload (JSON)
Exportable compliance report
Licence & deployment
Organisations covered | 1 organisation | 1 organisation | Unlimited
Deploy to all clients
7-day evaluation available
Priority support
RegVanta EUAI-NIS2 | €399 per organisation / year | €1,299 per organisation / year | €3,499 flat / year
RegVanta DORA | €499 per organisation / year | €1,299 per organisation / year | €3,999 flat / year
Bundle offer
Both tools. One price.
Get RegVanta EUAI-NIS2 and RegVanta DORA together. Ideal for compliance consultancies covering the full EU regulatory landscape for financial sector clients.
Complete × 2
€2,199
Pro × 2
€6,499
Enquire about bundle →

Download, evaluate, or purchase

Every product is available as a 7-day evaluation before purchase. No credit card required for a trial.

RegVanta DORA — Complete
DORA
Full DORA workbench. 14 sections, 60 questions, 5 pillars. Role-based access (Provider / Assessor / Admin), tamper-evident audit trail. Aligned March 2026 RTS/ITS.
€1,299 / organisation / year
Purchase Complete →
RegVanta EUAI-NIS2 — Complete
EUAI-NIS2
Full EU AI Act + NIS2 assessment workbench. 14 sections, 58 questions. Role-based access, shared evidence mapping, tamper-evident audit trail.
€1,299 / organisation / year
Purchase Complete →
RegVanta DORA — Light
DORA
Open-access DORA edition — no passwords or roles. Full 60-question set, weighted scoring across all 5 pillars, compliance report. Ideal for smaller financial entities or solo assessors.
€499 / organisation / year
Purchase Light →
RegVanta EUAI-NIS2 — Light
EUAI-NIS2
Open-access edition — no passwords or roles. Full question set, weighted scoring, and compliance report. Ideal for smaller teams or individual assessors.
€399 / organisation / year
Purchase Light →
7-day evaluation
Free trial
Request a time-limited evaluation copy of any edition — DORA or EU AI Act + NIS2. Sent by email within 1 business day. Full functionality, expires after 7 days.
Free · no credit card required
Request evaluation →

Three regulations. One compliance landscape.

EU digital regulation has converged in a short window — DORA, the EU AI Act, and NIS2 all apply now or within months. RegVanta tools are built specifically for this landscape.

October 2024 — deadline passed
NIS2 Directive — national transposition
EU member states were required to transpose NIS2 (Dir. 2022/2555) into national law by 17 October 2024. Essential and important entities across 18 sectors are now subject to national NIS2 obligations — cybersecurity risk management, incident reporting, and supply chain security.
Dir. (EU) 2022/2555
17 January 2025 — in force
DORA — Digital Operational Resilience Act
DORA (Reg. 2022/2554) applies directly across all EU member states — no national transposition required. Financial entities must comply with all five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and governance. The subcontracting RTS (2025/532) added further obligations from 22 July 2025. First ICT provider register submission deadline: 30 April 2025.
Reg. (EU) 2022/2554 · RTS/ITS in force
August 2026 — enforcement for high-risk AI
EU AI Act — high-risk obligations
The EU AI Act (Reg. 2024/1689) entered into force in August 2024. Prohibited AI practices applied from February 2025. High-risk AI system obligations — including conformity assessment, human oversight, risk management, and transparency — apply from August 2026. For any organisation deploying AI in healthcare, finance, HR, education or public services, preparation should be underway now.
Reg. (EU) 2024/1689 · High-risk deadline Aug 2026
Overlap

Financial entities face DORA and potentially EU AI Act simultaneously

A bank deploying AI for credit scoring is subject to DORA (ICT risk, third-party, resilience) and the EU AI Act (high-risk system, conformity assessment, human oversight) at the same time. RegVanta DORA and RegVanta EUAI-NIS2 are designed to be used together — covering the full obligation map for this growing category of entity.

🏦
Bank using AI for credit decisions — subject to DORA (ICT risk) + EU AI Act (high-risk system, Art. 10 data governance, Art. 14 human oversight)
🛡️
Insurer using AI for underwriting — DORA (incident reporting, TPRM) + EU AI Act (conformity assessment) + NIS2 (if essential entity)
💳
Payment institution — DORA (full scope, ICT third-party register) + NIS2 (if important entity) + EU AI Act if AI used in fraud detection
📋
Article-referenced
Every question maps to a specific regulatory article. Not simplified checklists — direct obligation mapping.
🔄
Aligned March 2026
Questions updated to reflect RTS 2025/532, ITS 2024/2956, CTPP designations (Nov 2025) and TIBER-EU (Feb 2025).
💾
No data exposure
All data stays in your browser. Nothing is sent to any server. Save to JSON, reload anytime. Works fully offline.
Instant deployment
One HTML file. Open in any browser — Chrome, Firefox, Safari, Edge. No IT department required. Ready in 60 seconds.

Common questions

Which tool do I need — DORA or EU AI Act + NIS2?
If you are a financial entity (bank, insurer, investment firm, payment institution, CASP), you need RegVanta DORA. If you are deploying AI systems in a regulated sector, you need RegVanta EUAI-NIS2. If you are a financial entity also deploying AI, you likely need both — ask about the bundle.
Does completing an assessment mean we are compliant?
No. RegVanta tools are structured workbenches that help you assess and document your compliance posture. They do not constitute legal advice and do not guarantee regulatory compliance. Organisations should engage qualified legal counsel and auditors to establish formal compliance.
What is the difference between Light and Complete?
Light edition is open access — anyone who opens the file can fill in any field. Complete edition requires role-based login (Provider, Assessor, Admin), provides password protection with recovery keys, and generates a tamper-evident audit trail attributing every change to a role and timestamp.
How is RegVanta DORA aligned to March 2026?
The question set reflects the base DORA regulation plus all RTS/ITS published and in force as of March 2026 — including the subcontracting RTS (2025/532, in force July 2025), the register of information ITS (2024/2956), and the November 2025 CTPP designations. The regulatory alignment date is shown in the tool's about page and in every exported report.
Can the tool be used by a compliance consultant for multiple clients?
Yes — the Pro licence covers unlimited client deployments for a flat annual fee. A Pro licensee can deliver pre-configured tool files to each client, each with a unique password setup. The tool is entirely self-contained so no shared infrastructure is involved.
Is my assessment data sent anywhere?
No. The tool runs entirely in your browser with no server communication. Assessment data is saved as a JSON file on your own device. Nothing is transmitted to any server or third party. There is no telemetry, no analytics, no cloud sync.
Can I try before purchasing?
Yes — request a 7-day evaluation copy from the Get Started section. For the EU AI Act + NIS2 tool, an interactive demo with six sections pre-filled is also available as a free download below.
What happens to my data when the evaluation expires?
The evaluation file stops opening after the expiry date. Any JSON files you saved during the evaluation remain fully intact — load them into a purchased copy to continue your assessment with no data loss.
Free demo
Try the interactive demo — RegVanta EUAI-NIS2
6 of 14 sections fully interactive. Pre-filled with sample data. No purchase required.
Download free demo →

Questions? Get in touch.

For licence enquiries, bundle pricing, evaluation requests, or questions about regulatory coverage — reach out directly.

Evaluation request
Send an email to regvanta.ai@gmail.com with your name, organisation, and which edition you need. You will receive a 7-day trial file within 1 business day.
Bundle & Pro enquiries
Compliance consultancies needing both tools or unlimited deployment licences — email with subject "Bundle enquiry" or "Pro licence". Invoice payment available for EU organisations.
Regulatory coverage questions
Questions about which articles are covered, how specific obligations are mapped, or the RTS/ITS alignment date — email with your question and we will respond directly.
RegVanta tools are provided for informational and assessment purposes only. They do not constitute legal, regulatory, or professional compliance advice. Completing an assessment does not guarantee compliance with DORA, the EU AI Act, NIS2, or any other regulation. Financial entities and AI-deploying organisations should engage qualified legal counsel and accredited auditors to establish formal compliance. All regulatory article references are for navigation purposes only — consult the Official Journal of the European Union for authoritative text. © 2025–2026 Subrat Panda. All rights reserved.