Tools Why RegVanta Editions & Pricing Demo FAQ Contact Affiliates ↗
Demo Free Evaluation Buy
EU regulatory compliance assessment

Stop fighting spreadsheet chaos for DORA, EU AI Act & GxP

Run structured gap assessments with dual-role verification. Export auditor-ready reports — no manual formatting, no spreadsheet chaos. Sovereign Data — 100% offline, zero data leaks.

DORA  → EU AI Act + NIS2  → GxP CSV  BETA →
DORA · Reg. (EU) 2022/2554 EU AI Act · Reg. (EU) 2024/1689 NIS2 · Dir. (EU) 2022/2555 EU GMP Annex 11 · ICH Q10 · GAMP 5 FDA 21 CFR Part 11 100% offline · zero telemetry
Where it Fits → Who it's For → How it Works → Editions & Pricing → Get Started → Why RegVanta → Regulations → Contact →
Regulations covered
DORA Arts. 5–45 RTS 2025/532 ITS 2024/2956 AI Act Arts. 9–15 AI Act Arts. 43–49 NIS2 Art. 21 GMP Annex 11 GAMP 5 21 CFR Part 11 ICH Q10
Regulatory landscape
DORA
In force since Jan 2025
All 5 pillars apply: ICT risk management, incident reporting, resilience testing, third-party risk, governance. First register deadline: 30 Apr 2025.
EU AI Act
High-risk: August 2026
Conformity assessment, human oversight, risk management, and transparency for AI systems in healthcare, finance, HR, education and public services.
NIS2
Transposition deadline passed
18 sectors now subject to national NIS2 obligations — cybersecurity risk management, incident reporting, supply chain security. 6 control areas shared with EU AI Act.
GxP / CSV
Ongoing enforcement
EU GMP Annex 11, ICH Q10, GAMP 5, IEC 62304, FDA 21 CFR Part 11. Inspectors expect documented validation evidence at all times.
DORA RTS/ITS
Subcontracting RTS in force Jul 2025
RTS 2025/532 adds subcontracting chain obligations. ITS 2024/2956 mandates ICT provider register. CTPP designated Nov 2025.
AI Act Overlap
Banks face dual obligations
A bank using AI for credit scoring is subject to DORA (ICT risk, third-party, resilience) AND EU AI Act (high-risk system, conformity assessment, human oversight) simultaneously.
Data Integrity
ALCOA+ principles
Attributable, Legible, Contemporaneous, Original, Accurate — plus Complete, Consistent, Enduring, Available. Foundation of CSV compliance.
NIS2 + AI Act
6 shared control areas
Risk management, logging, supply chain, incident reporting, monitoring, data governance — one evidence entry satisfies both regulations in RegVanta EUAI-NIS2.
DORA
In force since Jan 2025
All 5 pillars apply: ICT risk management, incident reporting, resilience testing, third-party risk, governance. First register deadline: 30 Apr 2025.
EU AI Act
High-risk: August 2026
Conformity assessment, human oversight, risk management, and transparency for AI systems in healthcare, finance, HR, education and public services.
NIS2
Transposition deadline passed
18 sectors now subject to national NIS2 obligations — cybersecurity risk management, incident reporting, supply chain security. 6 control areas shared with EU AI Act.
GxP / CSV
Ongoing enforcement
EU GMP Annex 11, ICH Q10, GAMP 5, IEC 62304, FDA 21 CFR Part 11. Inspectors expect documented validation evidence at all times.
Where RegVanta fits

Not a replacement. A complement.

RegVanta is not a GRC platform. It is the structured assessment layer — designed to work before, alongside or instead of your existing compliance infrastructure.

Have a GRC platform
Jump-start your control framework build
ServiceNow, Archer, MetricStream and similar platforms are powerful — but they do not come pre-loaded with DORA or EU AI Act question sets. Building those control frameworks is a 3–6 month project.
Run RegVanta first → identify your gaps → feed structured findings into your GRC platform as the input for your control framework. Assessment layer first. GRC platform second.
No GRC platform yet
Start your compliance programme today
No procurement cycle. No implementation project. No IT involvement. Open and begin a structured gap assessment in minutes — no IT involvement required.
RegVanta gives you structured scoring, an action register and an audit trail from day one — the evidence you need for regulators while you build your longer-term compliance infrastructure.
Compliance consultant
Consistent, auditable output across every client
Replace inconsistent spreadsheet templates with a structured workbench that produces weighted, role-verified assessments with a built-in audit trail.
Dual-role scoring means independent assessor verification is built in — not a separate step. Pro licence available for unlimited client deployments at a flat annual rate.
Our tools

Three tools. One compliance workflow.

Not a GRC platform. Not a checklist. A structured assessment workbench — designed to work before, alongside or instead of your existing compliance infrastructure.

DORA · Reg. (EU) 2022/2554
RegVanta DORA
For financial entities subject to the Digital Operational Resilience Act — banks, insurers, investment firms, payment institutions, crypto-asset service providers and their ICT third-party providers. Free tier available — no signup. Complete edition adds board-ready export.
14Control areas
60Questions
5DORA pillars
Mar '26Aligned
Covers all 5 DORA pillars
ICT risk management framework (Arts. 5–16)
ICT incident management & reporting (Arts. 17–23)
Digital operational resilience testing + TLPT (Arts. 24–27)
ICT third-party risk + contracts (Arts. 28–44)
Governance, BCP, info sharing & register (Arts. 5, 11, 28, 45)
RTS 2025/532 ✓ ITS 2024/2956 ✓ CTPP list Nov 2025 ✓ TIBER-EU Feb 2025 ✓
Buy Now — Get Audit-Ready · €499 → Download Free →
EU AI Act + NIS2
RegVanta EUAI-NIS2
For organisations deploying or operating AI systems in regulated sectors — mapping EU AI Act obligations, NIS2 cybersecurity requirements, and the six control areas where both apply simultaneously.
14Control areas
58Questions
6Shared areas
Mar '26Aligned
14 control areas across both regulations
6 shared areas — risk, logging, supply chain, incident, monitoring, data governance
4 EU AI Act areas — conformity, human oversight, accuracy, transparency
4 NIS2 areas — cryptography & MFA, BCP, access control, management accountability
Shared evidence field — one entry satisfies both regulations
EU AI Act Arts. 9–15 ✓ NIS2 Art. 21 ✓ Two editions ✓
Buy Now — Get Audit-Ready · €499 → Download Free →
GxP · CSV · GAMP 5 · 21 CFR Part 11 BETA
RegVanta GxP
Audit preparation for GxP computer system validation — pharma, biotech, medical device and clinical organisations preparing for EU GMP inspection or FDA audit.
17Sections
78Questions
5Standards
Mar '26Aligned
Full CSV lifecycle coverage
CSV Core — GxP scoping, validation, risk, data integrity (Annex 11 + 21 CFR)
GMP / ICH Q10 — QMS governance, training, documentation, audit readiness
IEC 62304 software lifecycle + ISO 14971 risk management
FDA 21 CFR Part 11 — electronic records and e-signature controls
Audit findings: Compliant / Observation / Major NC / Critical NC
EU GMP Annex 11 ✓ ICH Q10 / GAMP 5 ✓ 21 CFR Part 11 ✓

Beta — built on standard regulatory obligations. Adapt with a qualified assessor.

Buy Complete · €499 → Download Free → Try demo →
Who uses RegVanta tools

Different tools for different audiences

Each tool is targeted — choose the one that matches your regulatory obligation.

RegVanta DORA — for
Financial entities & ICT providers
  • Credit institutions, banks and savings banks
  • Investment firms and asset managers
  • Insurance and reinsurance undertakings
  • Payment institutions and e-money institutions
  • Crypto-asset service providers (CASPs)
  • ICT third-party service providers to the above
  • Compliance consultancies conducting DORA gap assessments
RegVanta EUAI-NIS2 — for
AI-deploying organisations in regulated sectors
  • Healthcare, energy, transport and financial organisations deploying AI
  • Public sector entities using AI for administrative decisions
  • Essential and important entities under NIS2
  • AI system providers bringing high-risk systems to market
  • DPOs and CISOs at the intersection of AI and cybersecurity
  • Legal and compliance consultancies advising on EU AI Act readiness
RegVanta GxP — for
Life sciences & validated systems teams
  • Pharmaceutical and biotech manufacturers (EU GMP / FDA cGMP)
  • Medical device companies subject to EU MDR or IEC 62304
  • Contract manufacturing organisations (CMO/CDMO)
  • Clinical research organisations under ICH GCP
  • QA teams preparing for EU GMP inspection or FDA audit
  • CSV specialists and validation consultants
How it works

From download to compliance report in one session

No setup. No training. Open the file and start assessing.

01
Purchase & download
You receive the tool by email after purchase. Save it anywhere — desktop, shared drive, USB. No installation, no account creation. Opens instantly in any browser.
02
Provider completes assessment
Fill in your project details. For GxP: select classification (GMP/GCP/GLP) and jurisdiction — smart defaults pre-set irrelevant sections to N/A. Then work through each control area with evidence notes.
03
Assessor independently verifies
An independent assessor — internal audit, external consultant, or peer reviewer — logs in separately and provides their own answers. Gaps are scored automatically.
04
Report & action register
Instant weighted compliance score. Prioritised action register with owner and due date fields. Exportable report. Tamper-evident audit trail. Save progress as JSON, reload at any time.
Editions

Choose the right edition

All editions include the full question set, weighted scoring, and compliance report. The difference is access control and audit depth.

Feature Free Complete Pro
Access & roles
Role-based access (Provider / Assessor / Admin)
In-tool view only
Password protection with recovery keys
Admin panel & user management
GxP-specific features
Audit-standard finding taxonomy (Compliant / Observation / Major NC / Critical NC)
DORA & EUAI-NIS2 only
 ✓ GxP editions
Smart defaults by GxP classification (GMP/GCP/GLP/GDP/GVP) ✓ GxP Light ✓ GxP Complete
Assessment & scoring
Full question set (all sections)
Weighted compliance scoring
Provider vs Assessor delta scoring
Action register with owner & due date
Audit & export
Audit trail Activity log
Not role-attributed
 ✓ Tamper-evident
Role + timestamp on every change
 ✓ Tamper-evident
Save & reload (JSON)
Exportable compliance report
Licence & deployment
Organisations covered 1 organisation 1 organisation Unlimited
Deploy to all clients
Free tier is the trial — no expiry ✓ Free
Priority support
RegVanta EUAI-NIS2 €0
no signup required
 €499
per organisation / year
 €3,499
flat / year
RegVanta DORA €0
no signup required
 €499
per organisation / year
 €3,999
flat / year
RegVanta GxP BETA €0 BETA
no signup required
 €499 BETA
per organisation / year
Post-beta: €999/yr
 €999 BETA
flat / year
Post-beta: €2,999/yr
Get started

Download, evaluate, or purchase

Every product has a free tier — no signup, no expiry. Upgrade to Complete when you need to export.

RegVanta DORA — Free
DORA
Full 60-question DORA assessment. Weighted scoring across all 5 pillars. In-tool report view. No signup, no credit card, no expiry. Upgrade to Complete when you need to export.
€0 · no signup required
Download Free →
RegVanta DORA — Complete
DORA
Full DORA workbench. 14 sections, 60 questions, 5 pillars. Role-based access (Provider / Assessor / Admin), tamper-evident audit trail. Aligned March 2026 RTS/ITS.
€499 / organisation / year
Buy Complete — €499 →
RegVanta EUAI-NIS2 — Free
EUAI-NIS2
Full 58-question EU AI Act + NIS2 assessment. Weighted scoring, shared evidence mapping. In-tool report view. No signup, no credit card, no expiry.
€0 · no signup required
Download Free →
RegVanta EUAI-NIS2 — Complete
EUAI-NIS2
Full EU AI Act + NIS2 assessment workbench. 14 sections, 58 questions. Role-based access, shared evidence mapping, tamper-evident audit trail.
€499 / organisation / year
Buy Complete — €499 →
RegVanta GxP — Free BETA
GxP
Full 78-question GxP assessment. Finding taxonomy (Compliant / Observation / Major NC / Critical NC), smart defaults by classification. In-tool report view. No signup, no expiry.
€0 · no signup required
Download Free →
RegVanta GxP — Complete BETA
GxP
Full GxP audit preparation workbench. 17 sections, 78 questions. Role-based access, audit-standard finding taxonomy, smart defaults by GxP classification, regulatory citation on every question.
€499 / org / year BETA PRICE
Post-beta: €999/yr
Buy Complete — €499 →
Regulatory context

Four regulatory domains. One compliance suite.

DORA, EU AI Act, NIS2 and GxP computer system validation obligations all require structured, documented assessments. RegVanta covers all four in a single offline workbench family.

N2
October 2024 — deadline passed
NIS2 Directive — national transposition
EU member states were required to transpose NIS2 (Dir. 2022/2555) into national law by 17 October 2024. Essential and important entities across 18 sectors are now subject to national NIS2 obligations — cybersecurity risk management, incident reporting, and supply chain security.
Dir. (EU) 2022/2555
DO
17 January 2025 — in force
DORA — Digital Operational Resilience Act
DORA (Reg. 2022/2554) applies directly across all EU member states — no national transposition required. Financial entities must comply with all five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and governance. The subcontracting RTS (2025/532) added further obligations from 22 July 2025. First ICT provider register submission deadline: 30 April 2025.
Reg. (EU) 2022/2554 · RTS/ITS in force
AI
August 2026 — enforcement for high-risk AI
EU AI Act — high-risk obligations
The EU AI Act (Reg. 2024/1689) entered into force in August 2024. Prohibited AI practices applied from February 2025. High-risk AI system obligations — including conformity assessment, human oversight, risk management, and transparency — apply from August 2026. For any organisation deploying AI in healthcare, finance, HR, education or public services, preparation should be underway now.
Reg. (EU) 2024/1689 · High-risk deadline Aug 2026
GxP
Ongoing — EU GMP enforced, FDA 21 CFR Part 11 in force since 1997
GxP Computer System Validation — EU GMP Annex 11 & FDA 21 CFR Part 11
EU GMP Annex 11 (2011) and FDA 21 CFR Part 11 (1997, guidance updated 2018) require computerised systems used in GxP-regulated activities to be validated. GAMP 5 (2022 edition) provides the industry framework. ICH Q10 covers the pharmaceutical quality system. IEC 62304 covers medical device software. These obligations apply to any pharma, biotech, medtech or clinical organisation using computer systems in regulated processes — and inspectors expect documented validation evidence at all times.
EU GMP Annex 11 · ICH Q10 · GAMP 5 · FDA 21 CFR Part 11
Overlap

Financial entities face DORA and potentially EU AI Act simultaneously

A bank deploying AI for credit scoring is subject to DORA (ICT risk, third-party, resilience) and the EU AI Act (high-risk system, conformity assessment, human oversight) at the same time. RegVanta DORA and RegVanta EUAI-NIS2 are designed to be used together — covering the full obligation map for this growing category of entity.

🏦
Bank using AI for credit decisions — subject to DORA (ICT risk) + EU AI Act (high-risk system, Art. 10 data governance, Art. 14 human oversight)
🛡️
Insurer using AI for underwriting — DORA (incident reporting, TPRM) + EU AI Act (conformity assessment) + NIS2 (if essential entity)
💳
Payment institution — DORA (full scope, ICT third-party register) + NIS2 (if important entity) + EU AI Act if AI used in fraud detection
Sovereign Data · 100% Offline
Aligned March 2026 RTS/ITS
Article-referenced questions
Dual-role · Provider + Assessor
Tamper-evident audit trail
Board-ready compliance report
📋
Article-referenced
Every question maps to a specific regulatory article — DORA Arts. 5–45, EU AI Act Arts. 9–15, NIS2 Art. 21. Not simplified checklists.
🔄
Aligned March 2026
Updated to reflect RTS 2025/532, ITS 2024/2956, CTPP Nov 2025 designations, TIBER-EU Feb 2025, and EU AI Act implementing acts.
🔒
Zero telemetry
No analytics, no tracking, no cookies. The tool contains no external requests. Your compliance data never leaves your device.
Start in minutes
One downloadable tool. No installation, no account, no IT department — opens instantly. Your first section answered within minutes of opening.
How it compares

RegVanta vs the alternatives — for EU gap assessment

This comparison is scoped to EU regulatory gap assessment specifically — not general GRC. RegVanta is not a replacement for enterprise GRC platforms; it is the structured assessment layer that works before or alongside them.

Capability RegVanta Enterprise GRC
e.g. large platform vendors		 SaaS GRC Tools
e.g. mid-market platforms		 Spreadsheet
DIY templates
Time to first assessment Minutes Avg. 3–6 months Avg. 4–8 weeks Hours–days
Data stays in your network ✓ 100% offline Cloud hosted Cloud hosted Local only
Dual-role verification (Provider + Assessor) ✓ Built-in Custom build needed Rarely native Manual only
DORA + EU AI Act + NIS2 + GxP pre-built ✓ Ready to use Framework build required Partial coverage Manual mapping
Tamper-evident audit trail ✓ Complete edition ✓ Yes ✓ Yes ✗ None
Board-ready compliance report ✓ Instant export Custom build Dashboard / export Manual formatting
Indicative cost — EU / GxP gap assessment Free tier + from €499/yr Avg. €60k–€200k impl. Avg. €15k–€50k/yr Tool-free, but high effort cost
No IT procurement required ✓ Download & go Full procurement cycle Contract + onboarding ✓ None needed

Cost and timeline estimates are indicative averages for EU regulatory gap assessment implementation only, based on publicly available market data. Enterprise GRC and SaaS GRC platforms have broader capabilities beyond gap assessment — RegVanta is not a replacement for them. It is the structured assessment layer that works before, alongside, or instead of them.

Illustrative scenarios

How organisations use RegVanta

These are illustrative use cases based on the typical compliance challenges RegVanta is designed to address.

Financial entity · DORA
Regional bank — DORA gap assessment before supervisor review
A compliance team at a mid-size bank needs to demonstrate DORA readiness ahead of their first supervisor interaction. Their GRC platform is not yet configured for DORA controls. They need a structured, documented assessment within two weeks.
RegVanta DORA Complete → structured assessment completed in 2 days · action register shared with board · audit trail ready for supervisor
Technology company · EU AI Act + NIS2
SaaS provider — EU AI Act conformity gap assessment
A B2B SaaS company deploying an AI-assisted contract analysis tool needs to assess its EU AI Act high-risk classification and identify gaps before the August 2026 obligations apply. Legal team needs board sign-off on the gap report.
RegVanta EUAI-NIS2 Complete → Provider (product team) + Assessor (external counsel) · board-ready report exported · gaps identified and actioned
Consultancy · Multi-client
GRC consultancy — consistent assessment across client portfolio
A compliance consultancy conducting DORA gap assessments for five financial sector clients needs a consistent, auditable methodology that produces comparable outputs across clients without rebuilding templates for each engagement.
RegVanta Pro licence → single methodology · tamper-evident per-client assessment files · independent assessor verification built in · consistent board reports
Life sciences · GxP
Pharma QA team — CSV gap assessment before EU GMP inspection
A QA team at a pharmaceutical manufacturer needs to assess their computerised system portfolio ahead of an EU GMP inspection. Their validation documentation is spread across folders. No structured gap analysis exists. They need a defensible, documented assessment in two weeks.
RegVanta GxP Complete → Provider (QA manager) + Assessor (validation consultant) · Critical NCs identified · action register built · inspection-ready evidence package created
See it in action

Watch the demo

See how a structured gap assessment works — from opening the tool to exporting a board-ready compliance report.

RegVanta Walkthrough Opens on YouTube →
📋
Structured assessment
Article-referenced questions across DORA, EU AI Act, NIS2, and GxP. Every answer maps to a regulatory obligation.
👥
Dual-role verification
Provider completes. Assessor verifies independently. Gaps scored automatically with tamper-evident audit trail.
🔒
Sovereign Data
Downloadable offline tool. No server, no cloud, no login. Your compliance data never leaves your device.
📊
Board-ready export
Weighted compliance score, prioritised action register, exportable report. Ready for the board or the regulator.
Try the free evaluation →
Frequently asked

Common questions

Which tool do I need?
Financial entities (banks, insurers, payment institutions, CASPs) → RegVanta DORA. AI-deploying organisations in regulated sectors → RegVanta EUAI-NIS2. Pharma, biotech, medical device, or clinical organisations with computerised systems → RegVanta GxP. Financial entities deploying AI → DORA + EUAI-NIS2 bundle. If you are a GxP organisation also subject to NIS2 (as an essential entity), you may need both GxP and EUAI-NIS2.
Does completing an assessment mean we are compliant?
No. RegVanta tools are structured workbenches that helps you assess and document your compliance posture. It does not constitute legal advice and does not guarantee regulatory compliance. Organisations should engage qualified legal counsel and auditors to establish formal compliance.
What is the difference between Free and Complete?
Free edition gives you the full assessment, scoring, and in-tool report view — no signup, no credit card, no expiry. Complete edition adds PDF and Word export, role-based login (Provider, Assessor, Admin), password protection, and a tamper-evident audit trail attributing every change to a role and timestamp.
How is RegVanta DORA aligned to March 2026?
The question set reflects the base DORA regulation plus all RTS/ITS published and in force as of March 2026 — including the subcontracting RTS (2025/532, in force July 2025), the register of information ITS (2024/2956), and the November 2025 CTPP designations. The regulatory alignment date is shown in the tool's about page and in every exported report.
Can the tool be used by a compliance consultant for multiple clients?
Yes — the Pro licence covers unlimited client deployments for a flat annual fee. A Pro licensee can deliver pre-configured tool files to each client, each with a unique password setup. The tool is entirely self-contained so no shared infrastructure is involved.
Is my assessment data sent anywhere?
No. The tool runs entirely in your browser with no server communication. Assessment data is saved as a JSON file on your own device. Nothing is transmitted to any server or third party. There is no telemetry, no analytics, no cloud sync.
Can I try before purchasing?
Yes — the free tier is available for all three products with no signup and no expiry. Download from the Get Started section. Interactive demos are also available: EUAI-NIS2 demo (6 sections) and GxP demo (4 sections) — no purchase required.
What is RegVanta GxP and who is it for?
RegVanta GxP is an audit preparation workbench for GxP computer system validation (CSV). It is designed for pharma, biotech, medical device, and clinical organisations preparing for EU GMP inspection or FDA audit. It covers 78 questions across 17 sections — from QMS governance and CSV lifecycle through to FDA 21 CFR Part 11 electronic signatures. It is currently in Beta; the question set is built on standard regulatory obligations and should be adapted to your specific context with a qualified assessor.
What happens to my data when the evaluation expires?
The evaluation file stops opening after the expiry date. Any JSON files you saved during the evaluation remain fully intact — load them into a purchased copy to continue your assessment with no data loss.

Questions? Get in touch.

For licence enquiries, bundle pricing, or questions about regulatory coverage — reach out directly.

info@srivantage.com
🌐
regvanta-ai.com
Evaluation request
Download the free tier directly from this page — no email needed. For Complete or Pro editions, purchase via the tool cards above and your file will be delivered immediately by email.
Bundle & Pro enquiries
Compliance consultancies needing both tools or unlimited deployment licences — email with subject "Bundle enquiry" or "Pro licence". Invoice payment available for EU organisations.
Regulatory coverage questions
Questions about which articles are covered, how specific obligations are mapped, or the RTS/ITS alignment date — email with your question and we will respond directly.
🤖
RegVanta Assistant
Ask anything about our tools
-e