⚡ NEW NIS2 enforcement active — EU member states issuing first supervisory decisions. Essential entities must demonstrate Art. 21 compliance.
NIS2 Art. 20(1) — Management body must approve and oversee cybersecurity risk-management measures, and its members can be held personally liable for NIS2 non-compliance.
NIS2 Art. 21(2)(a–j) — 10 mandatory cybersecurity measures including risk management, incident handling, supply chain security, and cryptography.
NIS2 Fines up to €10M or 2% of total worldwide annual turnover — whichever is higher — for essential entities under Art. 34(4); up to €7M or 1.4% for important entities under Art. 34(5).
NIS2 24-hour early warning required for significant incidents under Art. 23. Incident notification within 72 hours, final report within one month.
DORA DORA fully applicable Jan 2025 — financial entities must have ICT risk management frameworks, incident classification, and TLPT programmes in place.
DORA RTS 2025/532 — technical standards for ICT risk management now in force. Covers policies, procedures, and contractual arrangements.
DORA ICT third-party risk under Arts. 28–44 — register of all ICT providers mandatory. Critical TPPs subject to direct oversight by ESAs.
DORA TLPT — threat-led penetration testing required for significant financial entities under Arts. 26–27. TIBER-EU framework applies.
DORA Fines up to €5M for natural persons, up to 1% of global daily turnover for entities under DORA Art. 50.
EU AI EU AI Act enforcement begins Aug 2026 — high-risk AI systems in regulated sectors require conformity assessments and registration.
EU AI Art. 9 risk management — continuous risk management system mandatory throughout AI system lifecycle for high-risk systems.
EU AI Prohibited AI systems — social scoring, real-time biometric surveillance in public spaces, and manipulative AI banned from Feb 2025.
EU AI Arts. 43–49 conformity — high-risk AI must undergo conformity assessment before market placement. EU database registration required.
GxP EU GMP Annex 11 revision underway — updated guidance on computerised systems validation expected 2026. GAMP 5 (2022) applies now.
GxP FDA 21 CFR Part 11 — electronic records and signatures requirements apply wherever an FDA predicate rule requires the record, across regulated pharma and medical device software.
GxP ICH Q10 Pharmaceutical Quality System — lifecycle approach to quality management. CSV audit preparation workbench covers all 5 phases.
ALERT NIS2 ≠ ISO 27001 — ISO certification does not satisfy NIS2 obligations. The specific Art. 21 measures and Art. 23 incident reporting are required in addition.
ALERT NIS2 scope — ~160,000 EU organisations now obligated. Energy, health, banking, transport, digital infrastructure, water, public admin, space.
NIS2 Supply chain security Art. 21(2)(d) — assess and document cybersecurity practices of direct suppliers and service providers.
DORA Business continuity Arts. 11–12 — ICT business continuity policy, response & recovery plans, backup strategies must be documented and tested.
EU AI NIS2 + EU AI Act overlap — 6 shared control areas where both regulations apply simultaneously. One structured assessment covers both.
The independent middle layer

Your tools track.
Your regulator judges.
Who tells you the truth
in between?

Between your compliance platforms and the regulator, there is no independent structured layer that tells you honestly where you stand. That gap is where most EU regulatory fines happen. RegVanta fills that gap.

NIS2 DORA EU AI Act GxP
🗂 Your tools & platforms (GRC · Excel · Ticketing): Record. Track. Report.
GAP
The Regulator (NCA · CSIRT · Audit): Inspect. Find gaps. Fine.
🎯 RegVanta — the independent middle layer: Dual-role verified · Tamper-evident · Tells your board, auditor, and regulator exactly where you stand, before they ask.
€10M: max NIS2 fine · Art. 20(1): board liability · €499: RegVanta
Where RegVanta fits

Works with what you already have.
Fills what you're missing.

🏢
Already have a GRC platform
RegVanta is the independent dual-role verification layer your GRC platform doesn't provide. Use it to generate the structured evidence that feeds into your existing governance workflow. Complementary — not competitive.
📋
Using spreadsheets / manual process
Your spreadsheet records what you declare. RegVanta adds an independent Assessor who verifies — with a tamper-evident record neither party can quietly edit. That's what holds up under regulatory scrutiny.
🤝
Consultancy or audit practice
Run structured, dual-role verified assessments across all your clients. Each copy is locked to one client organisation. The Pro licence gives you unlimited clients at a flat annual rate. Your clients get audit-ready evidence. You get a repeatable process.
Our tools

Four regulations.
One accountability standard.

Each tool covers a specific EU or life sciences regulatory framework. Same dual-role architecture, same tamper-evident audit trail, same offline-first design.

🏦
RegVanta DORA
Financial entities & ICT providers · EU

All 5 DORA pillars: ICT risk management, incident reporting, resilience testing (TLPT), third-party risk, and governance. Aligned to RTS 2025/532, ITS 2024/2956, TIBER-EU Feb 2025.

14 control areas 60 questions 5 DORA pillars RTS/ITS aligned
€499
per organisation · per year
🤖
RegVanta EUAI-NIS2
AI system operators in regulated sectors · EU

Maps EU AI Act obligations and NIS2 cybersecurity requirements across 6 shared control areas where both regulations apply simultaneously. One assessment, dual compliance evidence.

14 control areas 58 questions 6 shared AI+NIS2 areas AI Act Arts. 9–49
€499
per organisation · per year
Beta
🧪
RegVanta GxP
Pharma · Biotech · Medical device · Clinical

CSV audit preparation workbench. EU GMP Annex 11, ICH Q10, GAMP 5 (2022), IEC 62304, ISO 14971, FDA 21 CFR Part 11. Finding taxonomy: Compliant / Observation / Major NC / Critical NC.

17 sections 78 questions GxP standards FDA 21 CFR Part 11
€499
per organisation · per year · beta pricing
How it works

From download to
audit-ready report in minutes.

No installation. No cloud account. No IT change request. Open in any browser and go.

1
Download & set up
Two-minute wizard locks your organisation name, sets role passwords, and configures your assessment mode.
2
Provider fills
Work through control questions, attach evidence references. Autosave keeps every answer. Save file and send to Assessor.
3
Assessor verifies
Independent reviewer loads the file. Provider column is locked. Assessor fills their own column. Gaps flag automatically.
4
Report & act
Full report with scores, gap register (Immediate / Urgent / Monitor), action owners, Appendix A. Export PDF or email.
See it in action
Watch the demo — each product has its own
▶ NIS2 demo ▶ DORA demo ▶ EUAI-NIS2 demo ▶ GxP demo
Why RegVanta

Not a GRC platform.
Not a spreadsheet.
Something you've been missing.

Capability | Spreadsheet | RegVanta | Enterprise GRC | Consultancy
Independent dual-role verification | ✗ None | ✓ Built-in | ~ Add-on | ✓ Manual
Tamper-evident audit trail | ✗ None | ✓ SHA-256 hash | ✓ Cloud log | ~ Varies
Offline / data sovereignty | | ✓ Always offline | ✗ Cloud required | ~ Varies
Structured regulation coverage | ✗ Manual | ✓ 58–78 questions | ~ Configurable | ~ Varies
Setup time | ~ Days | ✓ < 2 minutes | ✗ Weeks–months | ✗ Weeks–months
Cost per organisation | ~ Hidden cost | ✓ €499 | ✗ €10K–100K/yr | ✗ €20K–200K
🤝 RegVanta is complementary — not competitive. Already using a GRC platform, running a consultancy engagement, or managing NIS2 in your ticketing system? RegVanta is the structured evidence workbench that feeds structured, independently verified, tamper-evident data into all of them. We enable your existing process. We don't replace it.
Frequently asked

Questions we hear
before the download

Which tool do I need?
NIS2 for cybersecurity obligations under Directive 2022/2555. DORA for financial entities (banks, insurers, payment firms). EUAI-NIS2 if you operate AI systems in regulated sectors — it covers both regulations simultaneously. GxP if you're in pharma, biotech, or medical devices preparing for GxP inspection or FDA audit.
Does my data leave my machine?
Never. All assessment data is stored locally in your browser and in the JSON save file on your device. No server receives any data. No cloud account. No analytics from the tools. The application works fully offline after download.
What is dual-role verification?
The Provider (your organisation) declares compliance posture with evidence references. The independent Assessor (external auditor, consultant, or internal reviewer) loads the same file and verifies each control in their own locked column. Provider answers are read-only for the Assessor. The gap between them is your action list.
How long does an assessment take?
Setup takes under 2 minutes. Provider assessment typically takes 2–4 hours for a thorough first pass. Assessor review takes 1–3 hours depending on evidence availability. The tool autosaves so you can complete it in stages.
Can I use this for multiple clients?
Each Complete licence is locked to one organisation. For consultancies running assessments across multiple clients, the Pro licence provides unlimited client organisations at a flat annual rate. Contact us at [email protected] for Pro pricing.
Is this tool sufficient for a NCA inspection?
RegVanta NIS2 provides a structured, tamper-evident, independently verified compliance posture record, which is the kind of evidence NCA inspections ask for. However, it is an assessment workbench, not a legal guarantee of compliance. We always recommend qualified legal counsel for regulatory submissions.
What does "tamper-evident" mean?
Every saved assessment file is stamped with a SHA-256 hash of the answer state. When loaded, the hash is recomputed and compared. If the file was modified outside the tool, even by a single character, the mismatch is detected and a warning is shown. The audit log records every change with timestamp and role. The hash is an integrity check rather than a signature: it shows that the file changed since the tool last saved it, so keep the Assessor's retained copy and the exported report as the reference record.
Can I add controls beyond the standard questions?
Yes. Every section has a "+ Add company-specific control" button. Add questions for sector-specific national transpositions, DORA obligations, internal governance requirements, or any additional controls relevant to your organisation. Custom controls are scored in the Full Scope score, separate from the regulatory baseline.
Is there a refund policy?
We recommend downloading the free evaluation copy before purchasing — it includes the full question set and in-tool scoring with no time limit. If you have an issue with your purchase, contact [email protected] and we will resolve it. Payments are processed by Lemon Squeezy as Merchant of Record.
Does a good RegVanta score mean I am compliant?
No — and this is important to understand. RegVanta gives you a structured, independently verified, tamper-evident picture of your current compliance posture. A high score means your declared controls are verified and evidenced. It does not constitute a legal determination of compliance, a regulatory clearance, or a guarantee that a national competent authority will reach the same conclusion. Regulatory compliance is ultimately determined by your regulator, not by any assessment tool. RegVanta helps you prepare — it does not certify.
What should I do after completing an assessment?
The report gives you a prioritised action list — Immediate, Urgent, and Monitor gaps with owners and due dates. Your next steps: (1) Act on open items — assign owners, set deadlines, address each gap with documented evidence. (2) Engage qualified experts — for legal interpretation of your obligations, sector-specific implementing acts, or anything flagged in Appendix A, consult a cybersecurity lawyer, compliance specialist, or accredited auditor. (3) Re-assess after remediation — run a new cycle once gaps are addressed to track improvement. (4) Board reporting — use the exported report as structured evidence for your management body (Art. 20 accountability). RegVanta is the starting point for a structured compliance programme — not the endpoint.
Get in touch

Questions, partnerships,
or a Pro licence discussion

📍
Location
Srivantage
Eindhoven, Netherlands
KVK 42027730
💸
Refer & Earn
Earn 10% on every referred sale — no cap, no minimum volume.
Join affiliate programme →
🔒 Offline-first · sovereign data
🔐 SHA-256 tamper detection
NIS2 · DORA · EUAI · GxP
🇪🇺 EU regulation aligned
🏢 Company-locked per instance
No cloud · no account required