That's usually the first question small and medium businesses ask when they hear about CSRD, GDPR, the EU AI Act, or NIS2. It's also the hardest one to answer.
EU regulations don't come with a simple checklist.
They overlap, they have thresholds, and they carry different obligations depending on your industry, your size, and what your business does with data, AI, or suppliers.
By the time most companies figure out what applies to them, they're already behind — and the ones with the least capacity to catch up are often the ones most exposed.
Verdaio's tools are designed to answer that question — and everything that follows it.
Each one maps your situation against a specific regulation's actual requirements and tells you exactly where you stand and what to do next.
No consultants. No retainers. No guesswork.
Select any tool below to see what it covers, what you'll receive, and how to get started. Not sure where to begin? Try the Compliance Diagnostic →
A structured assessment that scores your business against the key areas of the Corporate Sustainability Reporting Directive, covering ESG strategy, climate disclosures, governance, and social practices across 5 ESRS areas.
CSRD now applies to large companies and listed SMEs across Europe, with first reporting deadlines already in effect. Non-compliance means regulatory penalties and reputational exposure, but most companies still don't know where their gaps are.
A comprehensive gap analysis mapped against all 12 European Sustainability Reporting Standards, the mandatory disclosure framework under CSRD, identifying exactly where your reporting falls short.
ESRS sets out precisely what companies must disclose, topic by topic. Without a structured gap analysis, companies risk incomplete filings, regulator scrutiny, and investor pushback. Knowing your gaps is the first step to closing them.
A guided DMA covering both financial materiality (how sustainability risks affect your business) and impact materiality (how your business affects people and the environment), following the mandatory ESRS 2 methodology.
The Double Materiality Assessment is the mandatory starting point for CSRD reporting. Without it, you cannot determine which ESRS topics you're required to report on. It's the foundation every other CSRD disclosure is built on.
A screening tool that evaluates your economic activities against the EU Taxonomy Regulation — the EU's official classification system for environmentally sustainable activities — across all 6 environmental objectives.
If your company reports under CSRD or seeks green financing, you must disclose what proportion of your activities are Taxonomy-eligible and aligned. Getting this wrong exposes you to greenwashing claims and regulatory challenge.
An assessment of your supply chain readiness for the Corporate Sustainability Due Diligence Directive, which requires companies to identify and address human rights and environmental risks across their entire value chain, not just their own operations.
CS3D extends legal obligations beyond your own business to your suppliers and business partners. Companies that fail to conduct adequate due diligence face fines of up to 5% of global turnover, and reputational risk that follows.
A structured tool to estimate your Scope 1, 2, and 3 greenhouse gas emissions based on your business activity data, aligned with the ESRS E1 climate standard, the most scrutinised area of CSRD reporting.
Climate disclosure is mandatory under CSRD for most companies in scope, and it's what auditors, investors, and regulators examine first. Most companies don't have a structured emissions baseline — which means they can't report, and they can't improve.
A guided classifier that categorises your AI systems by risk level under the EU AI Act: prohibited, high-risk, limited-risk, or minimal, based on use case, deployment context, and the people it affects.
Every company using, developing, or deploying AI in the EU now has legal obligations under the EU AI Act. Most don't know which risk tier their systems fall into — and that classification determines everything: what documentation is required, what oversight is mandatory, and what conformity assessments must be completed.
A structured tool to build and maintain an inventory of your AI systems, as required under the EU AI Act. Log each system's purpose, risk classification, data inputs, responsible team, and compliance status in one place.
The EU AI Act requires organisations to document their AI systems, and regulators can ask to see that documentation at any time. Without a register, demonstrating compliance is impossible. Most companies are surprised by how many AI tools they're already using.
A full compliance roadmap for high-risk AI systems, mapping all obligations under Articles 9–15 of the EU AI Act and generating your technical documentation framework and conformity assessment plan.
High-risk AI systems face the strictest obligations: risk management systems, data governance, technical documentation, human oversight, accuracy, and robustness. Full enforcement begins August 2026, and the window to prepare is closing. Companies that start late face rushed compliance and elevated risk of non-conformity.
A compliance checker for products with digital elements (connected hardware and software) against the Cyber Resilience Act, which introduces mandatory cybersecurity requirements for products sold in the EU market.
The CRA affects any manufacturer or importer of connected products in the EU. It requires security-by-design, ongoing vulnerability management, and CE marking. Non-compliance can result in products being banned from the EU market — a severe commercial and legal risk for product companies.
A 24-question assessment covering the 6 core areas of GDPR compliance: lawful basis, data subject rights, data transfers, security measures, records management, and breach procedures — giving you a structured gap score across each area.
GDPR has been enforceable since 2018, but enforcement is accelerating. In 2025 alone, over 360 fines were issued across Europe. Most companies have gaps they haven't identified — and regulators are actively looking for them. Not knowing where you stand is no longer a defence.
A step-by-step response checklist for personal data breaches, with a built-in 72-hour countdown timer, severity scoring, and a structured notification decision guide covering both supervisory authority and data subject notification.
GDPR requires organisations to notify their supervisory authority within 72 hours of becoming aware of a breach. Most companies don't have a clear process when it happens — and making the wrong call on notification, or missing the window, carries serious legal and financial risk.
A structured LIA tool to document your legitimate interest basis for specific data processing activities under GDPR Article 6(1)(f), producing a formal record suitable for your Data Protection Authority.
Legitimate interest is one of the most commonly relied-upon lawful bases for processing personal data — and one of the most frequently challenged by regulators. Without a properly documented three-part LIA, relying on it is legally indefensible. Many companies use it without documentation they could produce on request.
A 6-step intake form that generates four tailored GDPR compliance documents: a Privacy Policy, Record of Processing Activities (Art. 30 RoPA), Technical and Organisational Measures (TOMs), and a Data Retention Policy, all based on your specific company profile.
GDPR requires organisations to maintain a RoPA, publish a compliant privacy notice, and document their security measures. Most companies either don't have these documents, or have generic templates that don't reflect their actual processing activities. A supervisory authority can request any of these at any time.
A 20-question assessment across the 5 core NIS2 compliance areas: risk management, incident handling, supply chain security, access control, and business continuity — giving you a readiness score and gap analysis.
NIS2 has been mandatory for over 160,000 EU entities since October 2024, covering essential and important sectors across 18 industries. Boards are now personally liable for non-compliance. Many companies in scope don't yet know it — or haven't assessed where they stand.
A structured assessment of your ICT risk framework against the 5 pillars of the Digital Operational Resilience Act: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing — for financial sector entities.
DORA applies to banks, insurance companies, investment firms, payment institutions, and their critical ICT providers — and has been enforceable since January 2025. National competent authorities are actively supervising compliance. Financial entities that haven't assessed their ICT resilience are operating with unknown exposure.
A tailored supplier due diligence questionnaire generator covering up to 6 EU regulations: GDPR, NIS2, DORA, EU AI Act, CS3D, and CRA — based on your supplier's profile, data access, and criticality to your operations. Includes risk level, DPA requirement flag, and recommended review frequency.
NIS2, DORA, CS3D, and GDPR all impose supply chain obligations. You are responsible for your suppliers' security and compliance posture. Most companies use generic supplier questionnaires that miss regulation-specific requirements, or ask every supplier the same questions regardless of what they actually do.
The Compliance Diagnostic maps your business against all 4 tracks in 2 minutes and tells you which tools apply to you first.