RegulationsOffice
Regulatory screening, supplier readiness, and audit-pack support for EU-facing teams.
Checklist library

Start with the evidence questions that reduce uncertainty fastest.

These checklists help teams scope a first review before deeper legal, technical, or evidence-heavy work begins.

Use safely

  • No credentials.
  • No regulated internal files first.
  • No compliance guarantee.

Downloadable checklist starters

AI Act

AI Act readiness starts with risk and role mapping, not a compliance label

  • List public AI claims.
  • Map feature, workflow, and owner.
  • Identify any prohibited-practice or high-risk-screening red flags.
  • Collect AI literacy, governance, logging, and documentation evidence.
  • Separate operational readiness questions from legal classification decisions.

European Accessibility Act

EAA review should begin with customer journeys, not generic accessibility claims

  • Identify covered service or product category.
  • Map the full customer journey, not only the homepage.
  • Collect current accessibility statement, known blockers, and support routes.
  • Separate WCAG-style technical issues from service-scope and national-implementation questions.
  • Prepare a remediation owner map before publishing accessibility claims.

NIS2

NIS2 scope reads should split direct entity status from supplier evidence pressure

  • Identify direct entity, supplier, or monitoring-only role.
  • List countries, sectors, and digital-service classes touched.
  • Collect existing cyber-risk, incident, continuity, and supplier evidence.
  • Separate direct-scope questions from customer evidence pressure.
  • Prepare country/entity questions for qualified review before any applicability claim.

DORA

DORA makes ICT third-party evidence an ongoing monitoring task, not a one-off file request

  • Map critical ICT services and business owners.
  • Identify third-party, subcontractor, and contract owners.
  • Collect resilience, continuity, testing, and incident evidence.
  • Separate financial-entity obligations from ICT-supplier evidence pressure.
  • Set a recurring monitoring rhythm instead of a one-off file request.

Cyber Resilience Act

Cyber Resilience Act preparation starts with product evidence ownership

  • List software, hardware, IoT, and embedded products with digital elements.
  • Map vulnerability handling, security update, and lifecycle processes.
  • Collect product-security documentation owners.
  • Identify reporting-obligation readiness before the main obligation date.
  • Separate product classification questions from operational evidence preparation.

Data Act

Data Act readiness depends on knowing which data, access paths, and switching claims exist

  • List data-access, portability, export, and switching claims.
  • Map connected-product or cloud-switching paths.
  • Identify contractual, product, support, and operations owners.
  • Separate customer promise language from implementation reality.
  • Prepare evidence for what data exists, who controls access, and where handoffs break.

From article to action

Move from reading to a small, non-sensitive first review.

1. Read the note

Start with a plain-English regulatory note grounded in official sources.

2. Use the checklist

Download a starter checklist and collect only non-sensitive evidence for first-review scoping.

3. Request a clear first review

Turn the update into a small role/sector/country brief reviewed manually before deeper work.

4. Set a monitoring rhythm

If the pressure repeats, convert notes into a watchlist and recurring update rhythm.

5. Prepare an evidence pack

When deadlines or customers require proof, assemble review-ready structure without claiming legal compliance.