Everything you need to know about EU compliance, Verdaio's tools, pricing and how it all works.
Verdaio is an AI-powered EU regulatory compliance platform. It provides free and paid tools that help businesses understand their obligations under CSRD, GDPR, the EU AI Act, NIS2, DORA, EU Taxonomy, and other EU regulations. Each tool generates an AI-powered gap analysis report identifying compliance gaps and a prioritised action plan.
Verdaio is built for compliance officers, CFOs, legal teams, sustainability managers, and business owners at companies operating in the EU. It's particularly useful for companies approaching their first CSRD reporting deadline, businesses that use or develop AI, and organisations that need to demonstrate regulatory compliance to clients or investors.
No. Verdaio is a technology platform that uses AI to help you understand regulatory requirements and assess your current compliance posture. The reports are for guidance purposes only and do not constitute legal advice. For complex compliance matters, you should consult a qualified legal or compliance professional.
Verdaio's AI is trained on the official regulation texts, ESRS standards, and regulatory guidance. Reports are accurate for educational and self-assessment purposes. However, regulations are complex and context-specific — always validate findings with your legal or compliance team before making material decisions.
Verdaio is available in English and Portuguese. You can switch language using the EN/PT toggle in the navigation bar.
Free assessments (CSRD Readiness Assessment, GDPR Quick Check, EU AI Act Risk Classifier, NIS2 Readiness Check) are available with a free account. Full Access costs €1,490 per year and includes all paid tools: ESRS Gap Analysis, Double Materiality Assessment, AI Act Compliance Roadmap, EU Taxonomy Screener, DORA ICT Risk Assessment, CRA Product Compliance Checker, Legitimate Interest Assessment, and CS3D Supply Chain Check.
Full Access (€1,490/year, Founder's Price) includes: ESRS Gap Analysis, Double Materiality Assessment, AI Act Compliance Roadmap, EU Taxonomy Screener, DORA ICT Risk Assessment, CRA Product Compliance Checker, Legitimate Interest Assessment (LIA), and CS3D Supply Chain Check. Each tool generates an AI-powered report. You can run each assessment once per month.
No. Verdaio Full Access is a single upfront payment of €1,490 covering 12 months of access. There is no subscription, no auto-renewal, and no recurring charges. Access is valid for 12 months from the date of purchase.
A free account gives you access to the free assessments (CSRD Assessment, GDPR Quick Check, AI Act Classifier, NIS2 Check). Full Access (€1,490/year, Founder's Price) unlocks all paid tools and detailed reports.
A free account gives you access to four assessments at no cost: CSRD Readiness Assessment, GDPR Quick Check, EU AI Act Risk Classifier, and NIS2 Readiness Check. Each generates an AI-powered report delivered to your inbox. You can create a free account in under a minute — no credit card required.
Yes. You need to create a free account before purchasing Full Access. This ensures your Full Access purchase is tied to your account and that you can use all paid tools immediately after checkout.
Verdaio accepts credit/debit cards, SEPA Direct Debit, and Multibanco (Portugal). Payments are processed securely by Stripe.
Yes. A VAT invoice is automatically generated and sent to the billing email you provide at checkout. The invoice is issued under Portuguese law with the applicable tax exemption.
The Corporate Sustainability Reporting Directive (CSRD) is EU legislation that requires companies to report on their environmental, social and governance (ESG) performance. It replaced the Non-Financial Reporting Directive (NFRD) and significantly expands the number of companies required to report and the level of detail required.
CSRD applies to: large public-interest entities with 500+ employees (reporting for FY2024); other large EU companies meeting 2 of 3 criteria — 250+ employees, €50M+ net turnover, €25M+ balance sheet total (reporting for FY2027); listed SMEs (reporting for FY2028, with opt-out until 2030); and non-EU companies with significant EU activity (€150M+ EU net turnover). Not sure if you're in scope? Try the free CSRD Readiness Assessment.
The European Sustainability Reporting Standards (ESRS) are 12 standards that specify what companies must disclose under CSRD. ESRS 1 sets general principles. ESRS 2 covers general disclosures (mandatory for all). The remaining 10 topical standards cover: climate change, pollution, water and marine resources, biodiversity, circular economy, own workforce, workers in the value chain, affected communities, consumers and end-users, and business conduct.
Double materiality requires companies to assess their sustainability topics from two perspectives: impact materiality (how the company's activities impact people and the environment) and financial materiality (how sustainability issues create financial risks or opportunities for the company). CSRD requires disclosure on all topics that are material from either perspective.
A Double Materiality Assessment is a structured process to identify which sustainability topics are material for your company under CSRD. It involves rating all 10 ESRS topical areas for both financial and impact materiality, producing an audit-ready materiality matrix that determines which ESRS standards you must apply. Verdaio's Double Materiality Assessment tool guides you through the full ESRS methodology.
CSRD deadlines: FY2024 reports (for 500+ employee PIEs) — filed in 2025. FY2027 reports (for large companies with 250+ employees) — filed in 2028. FY2028 reports (for listed SMEs) — filed in 2029. Non-EU parent companies — FY2028, filed in 2029. See the full timeline on our Compliance Deadlines page.
The General Data Protection Regulation (GDPR) is EU law that governs how organisations collect, store, use and share personal data of EU residents. It came into force on 25 May 2018 and applies to any organisation that processes personal data of EU residents, regardless of where the organisation is located.
The six lawful bases are: (1) Consent — freely given, specific, informed and unambiguous; (2) Contract — necessary to perform a contract with the individual; (3) Legal obligation — required by EU or member state law; (4) Vital interests — to protect someone's life; (5) Public task — necessary for official public functions; (6) Legitimate interests — your legitimate interests, balanced against the individual's rights.
A Legitimate Interest Assessment (LIA) is the structured balancing test required before relying on legitimate interests (GDPR Art. 6(1)(f)) as your lawful basis. It involves a three-part test: purpose test (is there a legitimate interest?), necessity test (is processing necessary?), and balancing test (do your interests override the individual's rights?). Verdaio's LIA tool guides you through this process.
A Record of Processing Activities (ROPA) is a documented inventory of all personal data processing activities your organisation carries out. It is required under GDPR Art. 30 for organisations with 250+ employees, or smaller organisations that carry out high-risk processing.
GDPR provides for two tiers of fines: up to €10 million or 2% of global annual turnover for less serious violations (e.g. failure to maintain records, failure to report a breach); up to €20 million or 4% of global annual turnover for more serious violations (e.g. violating the basic principles for processing, violating data subjects' rights).
The EU AI Act (Regulation 2024/1689) is the world's first comprehensive legal framework for artificial intelligence. It entered into force on 1 August 2024 and applies a risk-based approach — classifying AI systems into four tiers and imposing obligations proportional to the risk they pose.
The four risk tiers are: (1) Unacceptable risk — prohibited AI practices including social scoring by public authorities, real-time remote biometric surveillance in public spaces, and AI that exploits vulnerabilities; (2) High risk — AI in critical sectors like health, education, employment, law enforcement; (3) Limited risk — AI systems with transparency obligations, like chatbots that must disclose they are AI; (4) Minimal risk — all other AI applications with no specific obligations.
High-risk AI systems include: AI used in critical infrastructure, educational or vocational training, employment and workers management, essential private and public services, law enforcement, migration and border control, and administration of justice. They face obligations including conformity assessments, technical documentation (Art. 11), human oversight (Art. 14), and accuracy/robustness requirements (Art. 15).
General Purpose AI (GPAI) models are AI models trained on large amounts of data that can perform a wide range of tasks. Examples include large language models like GPT-4 and Claude. Under the EU AI Act, GPAI model providers face transparency and copyright compliance obligations from August 2025, with additional obligations for systemic risk models.
Key dates: 2 February 2025 — prohibited AI practices enforceable. 2 August 2025 — GPAI model obligations apply. 2 August 2026 — high-risk AI system obligations apply. 2 August 2027 — high-risk AI embedded in regulated products. Classify your AI system now with the free EU AI Act Risk Classifier.
NIS2 (Directive 2022/2555) is the EU's updated Network and Information Security Directive. It significantly expands the scope of cybersecurity obligations beyond the original NIS Directive, covering more sectors and more companies, and introducing stricter requirements and higher penalties.
NIS2 applies to medium and large organisations in 18 sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Check your obligations with the free NIS2 Readiness Check.
The Digital Operational Resilience Act (DORA) is an EU regulation that applies specifically to financial entities — banks, insurance companies, investment firms, payment institutions — and to their ICT service providers. It requires comprehensive ICT risk management, incident reporting, resilience testing, and third-party ICT risk oversight.
NIS2 applies broadly across 18 sectors with general cybersecurity requirements. DORA applies specifically to financial sector entities and their ICT providers, with more detailed and prescriptive requirements for ICT risk management and operational resilience. Financial entities must comply with both — DORA takes precedence where requirements overlap.
NIS2 fines: essential entities up to €10M or 2% of global turnover; important entities up to €7M or 1.4% of global turnover. DORA fines: financial entities up to 1% of average daily global turnover for each day of violation (up to 6 months); critical ICT providers up to €5M or 1% of global turnover.
The EU Taxonomy is a classification system that defines which economic activities can be considered environmentally sustainable. It covers six environmental objectives: climate change mitigation, climate change adaptation, water and marine resources, circular economy, pollution prevention, and biodiversity. Companies subject to CSRD must disclose their Taxonomy alignment.
The Corporate Sustainability Due Diligence Directive (CS3D) requires large companies to identify, prevent, mitigate and account for adverse human rights and environmental impacts in their own operations and supply chains. It applies to EU companies with 1,000+ employees and €450M+ global turnover, and non-EU companies with significant EU revenue.
The Cyber Resilience Act (CRA) is an EU regulation that introduces mandatory cybersecurity requirements for products with digital elements — including hardware and software sold in the EU. It requires manufacturers to ensure their products are secure by design, to provide security updates throughout the product lifecycle, and to report actively exploited vulnerabilities.
The Digital Markets Act (DMA) regulates large online platforms designated as 'gatekeepers' — companies like Google, Apple, Meta, Amazon, Microsoft and ByteDance. Gatekeepers face obligations around interoperability, fair access, data use, and self-preferencing. Most businesses are affected as users of gatekeeper platforms rather than as gatekeepers themselves.
All EU regulations are available on EUR-Lex (eur-lex.europa.eu), the official EU law database. You can also find guidance from national supervisory authorities and the European Data Protection Board (EDPB) for GDPR, the AI Office for the EU AI Act, and ENISA for NIS2 and DORA.
Run a free compliance check in minutes, or get in touch with our team for anything not covered here.