RegVanta · Stop Spreadsheet Chaos — DORA · EU AI Act · NIS2

Where RegVanta fits

Not a replacement. A complement.

RegVanta is not a GRC platform. It is the structured assessment layer — designed to work before, alongside or instead of your existing compliance infrastructure.

Have a GRC platform

Jump-start your control framework build

ServiceNow, Archer, MetricStream and similar platforms are powerful — but they do not come pre-loaded with DORA or EU AI Act question sets. Building those control frameworks is a 3–6 month project.

Run RegVanta first → identify your gaps → feed structured findings into your GRC platform as the input for your control framework. Assessment layer first. GRC platform second.

No GRC platform yet

Start your compliance programme today

No procurement cycle. No implementation project. No IT involvement. Open in any browser and begin a structured gap assessment in minutes.

RegVanta gives you structured scoring, an action register and an audit trail from day one — the evidence you need for regulators while you build your longer-term compliance infrastructure.

Compliance consultant

Consistent, auditable output across every client

Replace inconsistent spreadsheet templates with a structured workbench that produces weighted, role-verified assessments with a built-in audit trail.

Dual-role scoring means independent assessor verification is built in — not a separate step. Pro licence available for unlimited client deployments at a flat annual rate.

Our tools

Three tools. One compliance workflow.

Not a GRC platform. Not a checklist. A structured assessment workbench — designed to work before, alongside or instead of your existing compliance infrastructure.

DORA · Reg. (EU) 2022/2554

RegVanta DORA

For financial entities subject to the Digital Operational Resilience Act — banks, insurers, investment firms, payment institutions, crypto-asset service providers and their ICT third-party providers. Free tier available — no signup. Complete edition for board-ready export.

14Control areas

60Questions

5DORA pillars

Mar '26Aligned

Covers all 5 DORA pillars

ICT risk management framework (Arts. 5–16)

ICT incident management & reporting (Arts. 17–23)

Digital operational resilience testing + TLPT (Arts. 24–27)

ICT third-party risk + contracts (Arts. 28–44)

Governance, BCP, info sharing & register (Arts. 5, 11, 28, 45)

RTS 2025/532 ✓ ITS 2024/2956 ✓ CTPP list Nov 2025 ✓ TIBER-EU Feb 2025 ✓

Buy Now — Get Audit-Ready · €1,299 → Download Free →

EU AI Act + NIS2

RegVanta EUAI-NIS2

For organisations deploying or operating AI systems in regulated sectors — mapping EU AI Act obligations, NIS2 cybersecurity requirements, and the six control areas where both apply simultaneously.

14Control areas

58Questions

6Shared areas

Mar '26Aligned

14 control areas across both regulations

6 shared areas — risk, logging, supply chain, incident, monitoring, data governance

4 EU AI Act areas — conformity, human oversight, accuracy, transparency

4 NIS2 areas — cryptography & MFA, BCP, access control, management accountability

Shared evidence field — one entry satisfies both regulations

EU AI Act Arts. 9–15 ✓ NIS2 Art. 21 ✓ Two editions ✓

Buy Now — Get Audit-Ready · €1,299 → Download Free →

GxP · CSV · GAMP 5 · 21 CFR Part 11 BETA

RegVanta GxP

Audit preparation for GxP computer system validation — pharma, biotech, medical device and clinical organisations preparing for EU GMP inspection or FDA audit.

17Sections

78Questions

5Standards

Mar '26Aligned

Full CSV lifecycle coverage

CSV Core — GxP scoping, validation, risk, data integrity (Annex 11 + 21 CFR)

GMP / ICH Q10 — QMS governance, training, documentation, audit readiness

IEC 62304 software lifecycle + ISO 14971 risk management

FDA 21 CFR Part 11 — electronic records and e-signature controls

Audit findings: Compliant / Observation / Major NC / Critical NC

EU GMP Annex 11 ✓ ICH Q10 / GAMP 5 ✓ 21 CFR Part 11 ✓

Beta — built on standard regulatory obligations. Adapt with a qualified assessor.

Buy Complete · €499 → Download Free → Try demo →

Who uses RegVanta tools

Different tools for different audiences

Each tool is targeted — choose the one that matches your regulatory obligation.

RegVanta DORA — for

Financial entities & ICT providers

Credit institutions, banks and savings banks
Investment firms and asset managers
Insurance and reinsurance undertakings
Payment institutions and e-money institutions
Crypto-asset service providers (CASPs)
ICT third-party service providers to the above
Compliance consultancies conducting DORA gap assessments

RegVanta EUAI-NIS2 — for

AI-deploying organisations in regulated sectors

Healthcare, energy, transport and financial organisations deploying AI
Public sector entities using AI for administrative decisions
Essential and important entities under NIS2
AI system providers bringing high-risk systems to market
DPOs and CISOs at the intersection of AI and cybersecurity
Legal and compliance consultancies advising on EU AI Act readiness

RegVanta GxP — for

Life sciences & validated systems teams

Pharmaceutical and biotech manufacturers (EU GMP / FDA cGMP)
Medical device companies subject to EU MDR or IEC 62304
Contract manufacturing organisations (CMO/CDMO)
Clinical research organisations under ICH GCP
QA teams preparing for EU GMP inspection or FDA audit
CSV specialists and validation consultants

Editions

Choose the right edition

All editions include the full question set, weighted scoring, and compliance report. The difference is access control and audit depth.

Feature	Free	Complete	Pro
Access & roles
Role-based access (Provider / Assessor / Admin)	— In-tool view only	✓	✓
Password protection with recovery keys	—	✓	✓
Admin panel & user management	—	✓	✓
GxP-specific features
Audit-standard finding taxonomy (Compliant / Observation / Major NC / Critical NC)	— DORA & EUAI-NIS2 only	✓ GxP editions	✓
Smart defaults by GxP classification (GMP/GCP/GLP/GDP/GVP)	✓ GxP Light	✓ GxP Complete	✓
Assessment & scoring
Full question set (all sections)	✓	✓	✓
Weighted compliance scoring	✓	✓	✓
Provider vs Assessor delta scoring	✓	✓	✓
Action register with owner & due date	✓	✓	✓
Audit & export
Audit trail	Activity log Not role-attributed	✓ Tamper-evident Role + timestamp on every change	✓ Tamper-evident
Save & reload (JSON)	✓	✓	✓
Exportable compliance report	✓	✓	✓
Licence & deployment
Organisations covered	1 organisation	1 organisation	Unlimited Deploy to all clients
Free tier is the trial — no expiry	✓ Free	✓	✓
Priority support	—	—	✓
RegVanta EUAI-NIS2	€0 no signup required	€1,299 per organisation / year	€3,499 flat / year
RegVanta DORA	€499 per organisation / year	€1,299 per organisation / year	€3,999 flat / year
RegVanta GxP BETA	€99 BETA per organisation / year Post-beta: €299/yr	€499 BETA per organisation / year Post-beta: €999/yr	€999 BETA flat / year Post-beta: €2,999/yr

Bundle offer

Both tools. One price.

Get RegVanta EUAI-NIS2 and RegVanta DORA together. Ideal for compliance consultancies covering the full EU regulatory landscape for financial sector clients.

Complete × 2

€2,199

Pro × 2

€6,499

Get started

Download, evaluate, or purchase

Every product has a free tier — no signup, no expiry. Upgrade to Complete when you need to export.

⚡

EU AI ACT DEADLINE

High-risk AI obligations start 2 August 2026 — start your gap assessment today, not the week before.

Try demo now →

RegVanta DORA — Free

DORA

Full 60-question DORA assessment. Weighted scoring across all 5 pillars. In-tool report view. No signup, no credit card, no expiry. Upgrade to Complete when you need to export.

€0 · no signup required

Download Free →

RegVanta DORA — Complete

DORA

Full DORA workbench. 14 sections, 60 questions, 5 pillars. Role-based access (Provider / Assessor / Admin), tamper-evident audit trail. Aligned March 2026 RTS/ITS.

€1,299 / organisation / year

Buy Complete — €1,299 →

RegVanta EUAI-NIS2 — Free

EUAI-NIS2

Full 58-question EU AI Act + NIS2 assessment. Weighted scoring, shared evidence mapping. In-tool report view. No signup, no credit card, no expiry.

€0 · no signup required

Download Free →

RegVanta EUAI-NIS2 — Complete

EUAI-NIS2

Full EU AI Act + NIS2 assessment workbench. 14 sections, 58 questions. Role-based access, shared evidence mapping, tamper-evident audit trail.

€1,299 / organisation / year

Buy Complete — €1,299 →

RegVanta GxP — Free BETA

GxP

Full 78-question GxP assessment. Finding taxonomy (Compliant / Observation / Major NC / Critical NC), smart defaults by classification. In-tool report view. No signup, no expiry.

€0 · no signup required

Download Free →

RegVanta GxP — Complete BETA

GxP

Full GxP audit preparation workbench. 17 sections, 78 questions. Role-based access, audit-standard finding taxonomy, smart defaults by GxP classification, regulatory citation on every question.

€499 / org / year BETA PRICE

Post-beta: €999/yr

Buy Complete — €499 →

Free download

Free — no signup

Download the free tier of any edition — DORA, EU AI Act + NIS2, or GxP. No signup, no credit card, no expiry. Full assessment and scoring in-tool. Upgrade to Complete when you need to export.

€0 · no signup, no expiry

Refer & Earn

Affiliate

Know someone who needs to assess their DORA or EU AI Act + NIS2 compliance? Refer them and earn 10% commission on every sale. No minimum volume, no cap. Compliance consultants and IT risk professionals welcome.

10% commission · per sale · paid via Lemon Squeezy

Become an affiliate →

Regulatory context

Four regulatory domains. One compliance suite.

DORA, EU AI Act, NIS2 and GxP computer system validation obligations all require structured, documented assessments. RegVanta covers all four in a single offline workbench family.

October 2024 — deadline passed

NIS2 Directive — national transposition

EU member states were required to transpose NIS2 (Dir. 2022/2555) into national law by 17 October 2024. Essential and important entities across 18 sectors are now subject to national NIS2 obligations — cybersecurity risk management, incident reporting, and supply chain security.

Dir. (EU) 2022/2555

17 January 2025 — in force

DORA — Digital Operational Resilience Act

DORA (Reg. 2022/2554) applies directly across all EU member states — no national transposition required. Financial entities must comply with all five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and governance. The subcontracting RTS (2025/532) added further obligations from 22 July 2025. First ICT provider register submission deadline: 30 April 2025.

Reg. (EU) 2022/2554 · RTS/ITS in force

August 2026 — enforcement for high-risk AI

EU AI Act — high-risk obligations

The EU AI Act (Reg. 2024/1689) entered into force in August 2024. Prohibited AI practices applied from February 2025. High-risk AI system obligations — including conformity assessment, human oversight, risk management, and transparency — apply from August 2026. For any organisation deploying AI in healthcare, finance, HR, education or public services, preparation should be underway now.

Reg. (EU) 2024/1689 · High-risk deadline Aug 2026

GxP

Ongoing — EU GMP enforced, FDA 21 CFR Part 11 in force since 1997

GxP Computer System Validation — EU GMP Annex 11 & FDA 21 CFR Part 11

EU GMP Annex 11 (2011) and FDA 21 CFR Part 11 (1997, guidance updated 2018) require computerised systems used in GxP-regulated activities to be validated. GAMP 5 (2022 edition) provides the industry framework. ICH Q10 covers the pharmaceutical quality system. IEC 62304 covers medical device software. These obligations apply to any pharma, biotech, medtech or clinical organisation using computer systems in regulated processes — and inspectors expect documented validation evidence at all times.

EU GMP Annex 11 · ICH Q10 · GAMP 5 · FDA 21 CFR Part 11

Overlap

Financial entities face DORA and potentially EU AI Act simultaneously

A bank deploying AI for credit scoring is subject to DORA (ICT risk, third-party, resilience) and the EU AI Act (high-risk system, conformity assessment, human oversight) at the same time. RegVanta DORA and RegVanta EUAI-NIS2 are designed to be used together — covering the full obligation map for this growing category of entity.

🏦

Bank using AI for credit decisions — subject to DORA (ICT risk) + EU AI Act (high-risk system, Art. 10 data governance, Art. 14 human oversight)

🛡️

Insurer using AI for underwriting — DORA (incident reporting, TPRM) + EU AI Act (conformity assessment) + NIS2 (if essential entity)

💳

Payment institution — DORA (full scope, ICT third-party register) + NIS2 (if important entity) + EU AI Act if AI used in fraud detection

How it compares

RegVanta vs the alternatives — for EU gap assessment

This comparison is scoped to EU regulatory gap assessment specifically — not general GRC. RegVanta is not a replacement for enterprise GRC platforms; it is the structured assessment layer that works before or alongside them.

Capability	RegVanta	Enterprise GRC e.g. large platform vendors	SaaS GRC Tools e.g. mid-market platforms	Spreadsheet DIY templates
Time to first assessment	Minutes	Avg. 3–6 months	Avg. 4–8 weeks	Hours–days
Data stays in your network	✓ 100% offline	Cloud hosted	Cloud hosted	Local only
Dual-role verification (Provider + Assessor)	✓ Built-in	Custom build needed	Rarely native	Manual only
DORA + EU AI Act + NIS2 + GxP pre-built	✓ Ready to use	Framework build required	Partial coverage	Manual mapping
Tamper-evident audit trail	✓ Complete edition	✓ Yes	✓ Yes	✗ None
Board-ready compliance report	✓ Instant export	Custom build	Dashboard / export	Manual formatting
Indicative cost — EU / GxP gap assessment	Free tier + from €499/yr	Avg. €60k–€200k impl.	Avg. €15k–€50k/yr	Tool-free, but high effort cost
No IT procurement required	✓ Download & go	Full procurement cycle	Contract + onboarding	✓ None needed

Cost and timeline estimates are indicative averages for EU regulatory gap assessment implementation only, based on publicly available market data. Enterprise GRC and SaaS GRC platforms have broader capabilities beyond gap assessment — RegVanta is not a replacement for them. It is the structured assessment layer that works before, alongside, or instead of them.

Illustrative scenarios

How organisations use RegVanta

These are illustrative use cases based on the typical compliance challenges RegVanta is designed to address.

Financial entity · DORA

Regional bank — DORA gap assessment before supervisor review

A compliance team at a mid-size bank needs to demonstrate DORA readiness ahead of their first supervisor interaction. Their GRC platform is not yet configured for DORA controls. They need a structured, documented assessment within two weeks.

RegVanta DORA Complete → structured assessment completed in 2 days · action register shared with board · audit trail ready for supervisor

Technology company · EU AI Act + NIS2

SaaS provider — EU AI Act conformity gap assessment

A B2B SaaS company deploying an AI-assisted contract analysis tool needs to assess its EU AI Act high-risk classification and identify gaps before the August 2026 obligations apply. Legal team needs board sign-off on the gap report.

RegVanta EUAI-NIS2 Complete → Provider (product team) + Assessor (external counsel) · board-ready report exported · gaps identified and actioned

Consultancy · Multi-client

GRC consultancy — consistent assessment across client portfolio

A compliance consultancy conducting DORA gap assessments for five financial sector clients needs a consistent, auditable methodology that produces comparable outputs across clients without rebuilding templates for each engagement.

RegVanta Pro licence → single methodology · tamper-evident per-client assessment files · independent assessor verification built in · consistent board reports

Life sciences · GxP

Pharma QA team — CSV gap assessment before EU GMP inspection

A QA team at a pharmaceutical manufacturer needs to assess their computerised system portfolio ahead of an EU GMP inspection. Their validation documentation is spread across folders. No structured gap analysis exists. They need a defensible, documented assessment in two weeks.

RegVanta GxP Complete → Provider (QA manager) + Assessor (validation consultant) · Critical NCs identified · action register built · inspection-ready evidence package created

Frequently asked

Common questions

Which tool do I need?

Financial entities (banks, insurers, payment institutions, CASPs) → RegVanta DORA. AI-deploying organisations in regulated sectors → RegVanta EUAI-NIS2. Pharma, biotech, medical device, or clinical organisations with computerised systems → RegVanta GxP. Financial entities deploying AI → DORA + EUAI-NIS2 bundle. If you are a GxP organisation also subject to NIS2 (as an essential entity), you may need both GxP and EUAI-NIS2.

Does completing an assessment mean we are compliant?

No. RegVanta tools are structured workbenches that helps you assess and document your compliance posture. It does not constitute legal advice and does not guarantee regulatory compliance. Organisations should engage qualified legal counsel and auditors to establish formal compliance.

What is the difference between Free and Complete?

Free edition gives you the full assessment, scoring, and in-tool report view — no signup, no credit card, no expiry. Complete edition adds PDF and Word export, role-based login (Provider, Assessor, Admin), password protection, and a tamper-evident audit trail attributing every change to a role and timestamp.

How is RegVanta DORA aligned to March 2026?

The question set reflects the base DORA regulation plus all RTS/ITS published and in force as of March 2026 — including the subcontracting RTS (2025/532, in force July 2025), the register of information ITS (2024/2956), and the November 2025 CTPP designations. The regulatory alignment date is shown in the tool's about page and in every exported report.

Can the tool be used by a compliance consultant for multiple clients?

Yes — the Pro licence covers unlimited client deployments for a flat annual fee. A Pro licensee can deliver pre-configured tool files to each client, each with a unique password setup. The tool is entirely self-contained so no shared infrastructure is involved.

Is my assessment data sent anywhere?

No. The tool runs entirely in your browser with no server communication. Assessment data is saved as a JSON file on your own device. Nothing is transmitted to any server or third party. There is no telemetry, no analytics, no cloud sync.

Can I try before purchasing?

Yes — the free tier is available for all three products with no signup and no expiry. Download from the Get Started section. Interactive demos are also available: EUAI-NIS2 demo (6 sections) and GxP demo (4 sections) — no purchase required.

What is RegVanta GxP and who is it for?

RegVanta GxP is an audit preparation workbench for GxP computer system validation (CSV). It is designed for pharma, biotech, medical device, and clinical organisations preparing for EU GMP inspection or FDA audit. It covers 78 questions across 17 sections — from QMS governance and CSV lifecycle through to FDA 21 CFR Part 11 electronic signatures. It is currently in Beta; the question set is built on standard regulatory obligations and should be adapted to your specific context with a qualified assessor.

What happens to my data when the evaluation expires?

The evaluation file stops opening after the expiry date. Any JSON files you saved during the evaluation remain fully intact — load them into a purchased copy to continue your assessment with no data loss.

Free demo

Try the interactive demos — EUAI-NIS2 & GxP

EUAI-NIS2: 6 of 14 sections. GxP: 4 of 17 sections. Pre-filled with sample data. No purchase required.

EUAI-NIS2 Demo → GxP Demo →

Legal

Terms of Use & Privacy Policy

Applies to all RegVanta products — EUAI-NIS2, DORA and GxP editions

Last updated: March 2026 · Effective immediately · Governing law: Netherlands

1. Licence Grant

RegVanta tools are licensed, not sold, on an annual per-organisation basis. Upon purchase, the licence holder receives the right to download and use the purchased HTML file within their organisation for internal compliance assessment purposes, on any number of devices within the licenced organisation.

2. Restrictions

The licence does not permit redistribution, resale or transfer to any third party without a separate Pro/Consultancy licence. Sublicensing to clients or partner organisations requires a Consultancy licence. Reverse engineering or modification of the tool for commercial purposes is not permitted. Copyright notices and disclaimers within the tool must not be removed or altered.

Compliance consultancies wishing to deploy RegVanta tools across multiple client organisations should enquire about our Pro/Consultancy licence: [email protected]

3. Intellectual Property

All content within RegVanta tools — including the regulatory question sets, scoring methodology, assessment structure and user interface — is the original intellectual property of Subrat Panda and is protected by copyright. The tools are protected by BOIP i-DEPOT filing (March 2026). All rights reserved.

4. No Legal or Regulatory Advice

RegVanta tools are provided for informational and gap assessment purposes only. They do not constitute legal, regulatory or professional compliance advice. Completing an assessment does not guarantee compliance with any regulation. Organisations should engage qualified legal counsel, accredited auditors and where applicable notified bodies for formal compliance activities.

5. Licence Term

Each licence is valid for 12 months from the date of purchase and does not auto-renew. The free tier requires no licence and has no expiry.

6. Limitation of Liability

To the maximum extent permitted by applicable law, Subrat Panda (trading as RegVanta) shall not be liable for indirect, incidental or consequential damages arising from use of RegVanta tools. Total liability shall not exceed the amount paid for the relevant licence in the 12 months preceding any claim.

7. Contact

[email protected] · regvanta-ai.com · Amsterdam, Netherlands

Last updated: March 2026 · Effective immediately · Data controller: Subrat Panda, Amsterdam, Netherlands

1. No Data Collection by the Tools

RegVanta tools are designed with privacy by default. All assessment data entered into a RegVanta tool is stored exclusively on your own device in your browser's local session memory. Data is saved to your local device as a JSON file when you use the Save function — this file never leaves your device unless you choose to share it. We do not operate any server, database or cloud infrastructure that receives data from the tools. The tools function entirely offline after download.

2. Website

The regvanta-ai.com website may use basic privacy-respecting analytics (Cloudflare Web Analytics) to understand aggregate traffic volumes. No personally identifiable information is collected and no tracking cookies are set.

3. Purchase Data

When you purchase a RegVanta product, your payment information is processed by Lemon Squeezy LLC, our Merchant of Record. We receive only the information necessary to fulfil your order (name, email, product purchased). We do not store payment card information. We do not share your contact details with third parties.

4. Your Rights (GDPR)

If you are located in the EU/EEA you have rights under GDPR including the right to access, correct or delete personal data we hold. Given the minimal data we collect, requests can typically be fulfilled by simple email. Contact: [email protected]

Last updated: March 2026 · Effective immediately

1. Digital Products

RegVanta products are digital goods delivered instantly by download. Because the product is delivered immediately upon purchase, all sales are generally final.

2. 7-Day Satisfaction Guarantee

If a RegVanta tool does not function as described, or if you encounter a material technical issue we are unable to resolve within a reasonable timeframe, you may request a full refund within 7 days of purchase by contacting [email protected] with your order number and a description of the issue. Refunds are processed via Lemon Squeezy and typically appear within 5–10 business days.

3. Exclusions

Refunds are not available where the product has been used to conduct and export assessments, or where the issue is caused by the customer's browser or device configuration rather than a defect in the product.

4. EU Consumer Rights

EU-based customers may have additional rights under applicable consumer protection law. Nothing in this policy limits any statutory rights you may have.

5. Contact

For refund requests: [email protected] · Please include your order number and description of the issue.

Stop fighting spreadsheet chaos for DORA, EU AI Act & GxP

Not a replacement. A complement.

Three tools. One compliance workflow.

Different tools for different audiences

From download to compliance report in one session

Choose the right edition

Download, evaluate, or purchase

Four regulatory domains. One compliance suite.

Financial entities face DORA and potentially EU AI Act simultaneously

RegVanta vs the alternatives — for EU gap assessment

How organisations use RegVanta

Common questions

Questions? Get in touch.

Terms of Use & Privacy Policy

1. Licence Grant

2. Restrictions

3. Intellectual Property

4. No Legal or Regulatory Advice

5. Licence Term

6. Limitation of Liability

7. Contact

1. No Data Collection by the Tools

2. Website

3. Purchase Data

4. Your Rights (GDPR)

1. Digital Products

2. 7-Day Satisfaction Guarantee

3. Exclusions

4. EU Consumer Rights

5. Contact