🇪🇺 European Union · jurisdiction-aware

Sovereign AI ready for the European Union.

ReguNav is built EU-AI-Act-native. Every Annex III high-risk use case ships with a deterministic FRIA flow, every GPAI provider gets Art. 53 + 55 disclosure templates, every DORA-supervised firm gets the Art. 5–24 control programme — all anchored to EDPB, ENISA, EU AI Office, ESMA, EBA, EIOPA sources.

European Union regulator landscape

Every European Union control on the platform is anchored to a named regulator artefact. When the regulator updates their guidance, the framework registry takes the bump and every dependent control inherits it.

European Data Protection Board (EDPB)

GDPR coordination · cross-DPA decisions

European Union Agency for Cybersecurity (ENISA)

NIS2 · EU CRA · cybersecurity standards

EU AI Office (DG CNECT)

EU AI Act enforcement · GPAI Code of Practice

European Securities and Markets Authority

DORA financial-services oversight

European Banking Authority

DORA · ICT third-party risk

European Insurance and Occupational Pensions Authority

DORA insurance · digital resilience testing

European Medicines Agency

Centralised medical-device regulation

Frameworks anchored in European Union

EU AI Act

(EU) 2024/1689 · 30 clauses · 16 controls

Risk-based regulation of AI systems and general-purpose AI models in the EU/EEA. Prohibited practices (Art. 5), high-risk requirements (Title III + Annex III), transparency obligations (Art. 50), and GPAI provisions (Title VIII Chapter V). Applies to providers, deployers, importers, distributors and authorised representatives.

GDPR

(EU) 2016/679 · 28 clauses · 15 controls

EU regulation governing the processing of personal data of natural persons in the Union and the cross-border movement of such data. Applies to controllers and processors established in the EU and, under Art. 3(2), to those outside the EU that offer goods/services to or monitor data subjects in the EU. Covers principles (Art. 5), lawful basis (Art. 6+9), data-subject rights (Ch. III), controller/processor duties (Ch. IV), security (Art. 32), breach notification (Art. 33-34), DPIA (Art. 35), DPO (Art. 37-39), international transfers (Ch. V) and supervisory authority cooperation.

DORA

(EU) 2022/2554 · 22 clauses · 14 controls

EU regulation establishing uniform requirements for the security of network and information systems supporting business processes of financial entities in the Union, and for the digital operational resilience of those entities. Covers ICT risk management (Chapter II), ICT-related incident reporting (Chapter III), digital operational resilience testing including TLPT (Chapter IV), ICT third-party risk (Chapter V), information-sharing arrangements (Chapter VI) and oversight of critical ICT third-party service providers (Chapter V Section II).

NIS2 Directive

2022/2555 · 17 clauses · 14 controls

EU Directive on measures for a high common level of cybersecurity. Applies to medium and large essential and important entities operating in critical sectors (Annexes I + II): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, postal services, waste management, manufacturing of critical products, food, digital providers, and research. Requires cybersecurity risk-management measures (Art. 21), incident reporting on a 24h early warning + 72h notification + 1-month final report cadence (Art. 23), supply-chain security and management-body accountability for non-compliance (Art. 20).

EU Cyber Resilience Act

2024 · 18 clauses · 13 controls

EU horizontal cybersecurity regulation for products with digital elements (hardware + software that can be connected to a device or network). Establishes essential cybersecurity requirements (Annex I), vulnerability handling obligations, conformity-assessment procedures (Annex VIII), CE marking, and 24-hour / 72-hour / 14-day vulnerability + incident reporting. Applies to manufacturers + importers + distributors placing products with digital elements on the EU market. Special categories: important products with digital elements (Annex III) and critical products with digital elements (Annex IV) require stricter conformity assessment routes.

European Union SaaS, fintech, healthcare-AI, or essential-service?

We work with organisations supervised by every regulator listed above. The jurisdiction-aware engine routes incident reports, DSARs, and FRIA submissions to the correct authority + timeline automatically.


Jurisdiction codes + regulator data are sourced from @regunav/jurisdictions (Apache-2.0, open-source). Adding a new market is a single registry entry — no copy-paste regulator content. See /uk for the bespoke deep-dive template.