EU Compliance, Sorted.

The EU's digital sovereignty push isn't coming — it's here. GDPR. NIS2. DORA. AI Act. CADA. If your business touches European data, customers, or markets, you need to comply. We make that simple.

  • 5: Active EU Regulations (GDPR, NIS2, DORA, AI Act, CADA)
  • €750K: Average annual compliance cost for mid-size firms
  • 80%: Of EU cloud infrastructure controlled by US providers
  • 72hrs: Maximum GDPR breach notification window

The Stakes

This isn't just a European problem.

The EU's digital sovereignty push directly targets the dependency on US cloud infrastructure — and it affects any business, anywhere in the world, that processes European data. Including yours.

GDPR
General Data Protection Regulation

The benchmark. Fines up to €20M or 4% of global annual turnover. Applies to any organisation processing EU residents' data — regardless of where you're based.

NIS2
Network & Information Security Directive 2

Mandatory cybersecurity standards for 18 critical sectors. Penalties up to €10M or 2% of global turnover. Took effect October 2024.

DORA
Digital Operational Resilience Act

Financial sector specific. Requires a 4-hour incident classification and 24-hour initial report for major incidents. Applies to your ICT providers too.

AI Act
EU Artificial Intelligence Act

The world's first comprehensive AI regulation. Risk-tiered compliance obligations for AI systems used by or marketed to EU users. High-risk AI can mean fines of €30M+.

CADA
Cloud Act for Digital Autonomy (June 2026)

Part of the European Technological Sovereignty Package. Introduces a four-tier sovereignty framework. Tier 3+ explicitly excludes US-owned cloud providers for sensitive workloads.

🚨 What's actually at stake

⚖️ €20M or 4% global turnover: Maximum GDPR fine — whichever is higher
🔐 €10M or 2% global turnover: NIS2 maximum penalty for critical sectors
⏱️ 4-hour window: DORA incident classification (financial sector)
🤖 €30M or 6% global turnover: AI Act maximum for prohibited AI practice violations

⚠️ The US CLOUD Act problem: US law enforcement can demand access to data stored anywhere in the world — if a US company operates the infrastructure. Using AWS, Azure, or Google Cloud for EU data? That's potential GDPR exposure, right now. CADA Level 3+ closes that loophole by excluding US-owned providers entirely.

CADA — June 2026

The Four Sovereignty Tiers

Europe's new Cloud Act for Digital Autonomy defines exactly which cloud providers can be used for which workloads. As of June 2026, Tier 3+ prohibits US-owned providers for sensitive and critical data. Where does your stack sit?

Tier 1 — Preferred: EU-Sovereign Cloud
Fully EU-owned, EU-operated, EU-governed. Data stays under European jurisdiction. No foreign government access risk. Required for highest sensitivity workloads.

Tier 2 — Permitted: EU-Controlled Operators
Foreign-owned but EU-incorporated with contractual sovereignty guarantees and technical isolation. Allowed for most regulated workloads.

Tier 3 — Restricted: Conditional Use Only
Non-EU providers with standard contractual protections. Permitted for non-sensitive workloads only. Excluded from sensitive and critical data categories.

Tier 4 — Excluded: US Hyperscalers
AWS, Azure, Google Cloud — excluded for all sensitive and critical workloads under CADA. CLOUD Act exposure makes GDPR compliance impossible for covered data categories.

EU Shield — Product Line

Everything you need.
Nothing you don't.

From a quick compliance scan to fully managed EU regulatory oversight — start where you are, scale as you need.

🔍 Standalone Engagements — One-Off Deliverables

EU Readiness Scan
$990
One-off · Fixed price

Not sure where you stand? Start here. Our AI-powered audit examines your entire tech stack against all five EU regulatory frameworks and tells you exactly what needs fixing — and in what order.

  • AI-powered audit of your full tech stack vs. 5 EU frameworks
  • Current-state assessment with traffic-light compliance scoring
  • Prioritised remediation roadmap
  • Executive summary + detailed technical report
  • GDPR, NIS2, DORA, AI Act & CADA gap analysis
Delivered in 5 business days

Data Sovereignty Map
$2,490
One-off · Fixed price

Know exactly where your data lives, who can access it, and how exposed you are to foreign government access requests. The definitive map of your organisation's data jurisdiction.

  • Complete data flow mapping across your organisation
  • Jurisdiction analysis — where data lives & who can compel access
  • CLOUD Act exposure assessment for all US-hosted data
  • GDPR Article 30 Records of Processing Activities (ROPA)
  • Vendor sovereignty scoring for all third-party providers
Delivered in 10 business days

EU Migration Blueprint
$3,990
One-off · Fixed price

Ready to move to EU-sovereign infrastructure? This is your roadmap. We'll architect the transition, compare providers, model the costs, and hand you a timeline you can actually execute.

  • Architecture plan for EU-sovereign infrastructure transition
  • Provider comparison & recommendation (cloud, email, productivity)
  • Migration timeline with phased risk assessment
  • Cost-benefit analysis: current stack vs. sovereign stack
  • CADA Level 2+ compatibility certification
Delivered in 15 business days

Compliance Playbook Pack
$1,990
One-off · Fixed price

When an incident hits, you need to know exactly what to do — across three reporting tracks simultaneously. These playbooks ensure your team responds correctly under pressure.

  • Custom incident response playbooks for GDPR, NIS2 & DORA
  • Multi-regulation triage workflow (one event → three report tracks)
  • Board notification templates
  • Regulatory authority reporting templates (DPA, ENISA, etc.)
  • Staff training materials & tabletop exercise guide
Delivered in 10 business days

📊 Managed Compliance — Ongoing Subscriptions

EU Shield Essentials
$349/month
Billed monthly · Cancel anytime
  • Monthly compliance monitoring dashboard
  • Quarterly compliance health checks
  • Regulatory change alerts (new EU laws, amendments, enforcement)
  • Annual EU Readiness Scan refresh (valued at $990)
  • Email support
EU Shield Enterprise
$999/month
Billed monthly · Cancel anytime
  • Everything in Professional
  • AI-assisted compliance officer (continuous monitoring)
  • Unlimited vendor sovereignty assessments
  • Incident response support — 4-hour response SLA
  • DORA Register of Information maintenance
  • Board-ready quarterly compliance reports
  • Dedicated account manager

The Path Forward

Start anywhere.
Grow into full coverage.

Most clients begin with a scan and discover gaps they didn't know existed. The journey from there is straightforward.

1. Readiness Scan: $990 one-off. See where you stand in 5 days.
2. Gaps Found: Traffic-light report. Prioritised remediation plan.
3. Fix & Document: Blueprint + Playbook Pack. Architecture & process sorted.
4. Stay Compliant: EU Shield subscription. Continuous monitoring & alerts.
5. Full IT + Compliance: Bundle with BoB. One provider. Complete coverage.

Already a BoB subscriber?

EU Shield add-ons integrate directly with your existing managed IT environment — compliance monitoring feeds into your BoB dashboard, incidents trigger joint IT + compliance response, and your DORA register is maintained alongside your standard IT asset register. One provider, complete coverage.

Who needs this

If your business touches Europe, this applies to you.

EU regulations don't care where your company is incorporated. They care where your customers are, and where their data goes.

Australian Businesses with EU Customers
If a person in Germany or France buys from you or uses your service, GDPR applies to you — full stop. Location of your company is irrelevant.
SaaS Companies in the EU Market
Software businesses serving European users face the full stack: GDPR data handling, AI Act if you use ML, NIS2 if you're in a critical sector. All at once.
Financial Services Firms
DORA is mandatory for EU financial entities and their ICT service providers — including Australian firms providing technology services to EU banks, insurers, or investment firms.
Healthcare & Critical Infrastructure
NIS2 covers 18 critical sectors including health, energy, transport, and digital infrastructure. If you operate or supply these sectors in Europe, you're in scope.
Businesses Using US Cloud for EU Data
AWS, Azure, Google Cloud storing EU personal data? Post-CADA, this is active GDPR exposure. You need a Data Sovereignty Map now, before regulators come calling.
AI Product Companies
Building AI products used by EU customers? The AI Act's risk-tiered framework applies from the moment of market access. High-risk AI means €30M+ exposure if unregistered.

🟢 Free · No obligation · 15 minutes

Find out where you stand.
Today. For free.

Book a free 15-minute EU exposure check. We'll tell you which of the five EU regulations actually apply to your business, your biggest risk areas, and which product to start with. No jargon. No hard sell.

No contract required
Australian owned & operated
Fixed prices, no hourly surprises
Results in business days, not months